[Inactive] Trojan in registry software hive

Status
Not open for further replies.

gamc

Avast detected a trojan when exporting the registry Machine_software key as hive file using regedit.

The key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Y5IQNZ80Y looks suspicious, and after deleting this key from the registry avast reported that the exported hive file was clean.

However, the software hive file in the system32\config folder was still infected.
To solve this problem I used Erunt to back up the registry hives and then Ntregopt to re-generate the registry hives (both tools written by Lars Hederer and highly recommended in other forums).

After re-boot, a new registry backup made with Erunt was scanned with avast and this was clean.

A previous thread for a similar problem was abruptly closed.
There may be people interested in a solution to this problem.
This is the only reason for me posting this.
 
You had better use HijackThis and send the log.
Mostly, in avast some unsuspicious file may be listed as a suspicious file.
I suggest using AVG or ANTIVIR.
 
I used different tools and none found a problem in the registry nor in the registry hive file (except avast).
The software hive is not scanned while the file is in use in Windows, and none of the tools found a problem when scanning the System Volume Information folder (except avast).
The tools I used are:
HijackThis
Malwarebytes
SuperAntispyware
Adware
Hitman Pro
Dr Web
Kaspersky Virus Removal Tool
Spyware Doctor
SpyHunter
ComboFix

If you still wish to see the Hijackthis log let me know and I will post it.
The trojan infection detected by avast has now gone after using Ntregopt.
Before changing anything in the registry, backups were created.
 
Broni

I have been monitoring my PC and so far no problems.
I will scan the infected file using other anti-virus software tomorrow and post the result.
This is just to see if only avast detects a trojan.

Thanks
 
Avast detected a trojan when exporting the registry Machine_software key as hive file using regedit.

I am curious- what is Avast doing exporting the Registry?
Why are you using regedit?
Do you understand that you don't delete something- especially in the Registry- because it looks suspicious?

System Volume is where the restore points are kept. If the system is clean and a scan shows malware in System Volume, it is not a threat to you.

When we complete the cleaning of a system, we have the user drop all the old restore points and create a new, clean one. This was all explained to you previously.

A previous thread for a similar problem was abruptly closed.
There may be people interested in a solution to this problem.
This is the only reason for me posting this.

Threads are not abruptly closed. The thread was closed because when your helper was trying to find and remove malware, you were making changes in the Registry. Any Registry changes will affect the system. That was explained to you.
 
I have scanned the file that avast reported had a trojan using McAfee (in another PC) and no infection was found.

So far I have not found any other tool that detects an infection.
It may be that avast is reporting a false positive.
I submitted the file to avast 10 days ago but have not received a reply.
I have not found a similar problem to the one that I had in my PC.
My PC is still clean. I will leave this thread open for one day and then close it.

Some clarifications for Bobbye
Regedit exports the registry key as a reg file, as a text file or as a hive file (you can choose which).
Avast does not export registry keys; it only scans the files, and the file in the hive format was reported to be infected with a trojan.

A "suspicious" key is an entry that I could not track to anything that I installed, was not present in the registry of my laptop and another PC, and for which no reference was found on the Internet.
Before deleting any key, always back up (export the key as a reg file).

I have sufficient knowledge and experience to know what I am doing and always take precautions to "undo" possible mistakes.
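The triage the poster describes above (comparing the Classes keys of this machine against a known-clean one and exporting any unmatched key before touching it) can be scripted. The following PowerShell is an added example, not code from the thread or from any of the tools named in it; the reference-list path, the backup directory and the "random-looking name" regex are assumptions.

```powershell
# Added example: list HKLM\SOFTWARE\Classes subkeys that do not appear on a known-clean
# machine, export each one to a .reg file (so a later deletion can be undone with
# 'reg import'), and flag names that look machine-generated (e.g. Y5IQNZ80Y from the thread).
# Assumed inputs: the reference list was produced on the clean PC with
#   (Get-ChildItem HKLM:\SOFTWARE\Classes).PSChildName | Set-Content C:\refclasses.txt
param(
    [string]$ReferenceList = 'C:\refclasses.txt',   # assumed path, one key name per line
    [string]$BackupDir     = 'C:\RegBackup'         # assumed path for the .reg backups
)

# Build a case-insensitive set of key names seen on the clean machine
$reference = Get-Content -Path $ReferenceList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$refSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$reference, [System.StringComparer]::OrdinalIgnoreCase)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Keys present here but absent from the reference list
$unknown = Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes' |
    Where-Object { -not $refSet.Contains($_.PSChildName) }

foreach ($key in $unknown) {
    $name = $key.PSChildName
    # Heuristic (assumption): 8+ upper-case letters/digits with no dot is not a normal ProgID/extension
    $looksRandom = $name -match '^[A-Z0-9]{8,}$'
    $regPath  = "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$name"
    $safeName = $name -replace '[^A-Za-z0-9_.-]', '_'
    $backup   = Join-Path $BackupDir "Classes_$safeName.reg"

    # Export before anyone decides to delete; /y overwrites an older backup of the same key
    & reg.exe export $regPath $backup /y | Out-Null

    # Emit one record per unknown key for review (pipe to Format-Table or Export-Csv)
    [pscustomobject]@{
        Key         = $regPath
        LooksRandom = $looksRandom
        Default     = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
        Backup      = $backup
    }
}
```

Run it from an elevated prompt on the machine under review; a key that is both absent from the clean reference and flagged LooksRandom is a candidate for closer inspection, not automatically malware.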
 
After 5 days of monitoring the computer everything is working fine.
I consider that the problem has been solved.

Two questions remain that I have not been able to answer:
Was avast detecting a false positive?
Was the deleted registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Y5IQNZ80Y related to malware/trojan/virus?
 
It's really impossible to know the answer just by looking at registry key.
I tell you what....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thanks Broni

I used ComboFix last week on the 4th of March 2010.
I could not find anything pointing to the initial problem that avast detected.
But I could have missed something.

If you like I can upload the ComboFix and HijackThis logs taken on the 4th of March.
I also have a text file of the registry key Y5IQNZ80Y which lists binary data.
I do not know if this is any use. I have no time to spare looking at it in detail.

Is it really worthwhile trying ComboFix again?
I am currently cleaning left overs of the tools that I have used to try to solve the initial problem.
That is, deleting several folders (mostly empty) with just a log file, and some drivers which even after uninstalling the tools were left in the windows\system32\drivers folder.

I really appreciate your offer to help
 
Hi Broni,

Not been able to run ComboFix due to lack of time.
I have not been using the computer since Friday night except for a few minutes today, and got an HJT log.
I will be away for the next ten days.
 

Attachment: hijackthis9.log