TechSpot

Registry Keys Infected

By Manjit
Jan 17, 2009
Topic Status:
Not open for further replies.
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    jazz, you problem is completely different from this one. Please copy your information and paste into a new thread in the Windows OS Forum. You can title it 'Computer Shuts Down' if you want. Please include the specs for your system in that thread.

    Manjit, we haven't gotten any further than you did last October! ComboFit removes the Winlogon Notify entries, then they come back.
    O20 - Winlogon Notify: fin42u - C:\WINDOWS\
    O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

    The two 016 entries aren't malware, but Symantec is still loading:
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} ->> (Trend Micro ActiveX Scan Agent 6.
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - >> (Symantec Download Manager) -
    I went back to the October thread and read all the posts- we are basically repeating what was done then and unfortunately, getting the same result!

    Please hang tight- I'm going to see if I can find Blind Dragon to take a look.
     
  2. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    jazz01:
    You need to post your problem by starting a new thread if you'd like assistance

    Manjit
    (i see Bobbye just posted and noted these two as well)

    I had looked through Autoruns and just noticed your post. The Autoruns scan you did 8 hours ago did not show the two infections seen now in recent hijackthis log of
    Winlogon Notify: fin42u - C:\WINDOWS\
    Winlogon Notify: tuvVPfeE - C:\WINDOWS\

    Whatever is causing the re-infection is hiding itself well .. but we'll all keep digging.

    Question for the malware experts:
    C:\windows\system32\stec3.sys
    fyi: Trying to surf to find what this is will sometimes say OK tho more often say is not OK but haven't seen anything identify exactly what it is. Any info? Or something you could look at closely? (i'll add that i find certain things this file very suspicious)

    Also, manjittAre you familiar with these?
    + blueyonder Instant Support Tool.lnk
    + StarOpen c:\windows\system32\drivers\staropen.sys
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    That file is fine => It's the SVKP driver for NT, by AntiCracking, it is a legitimate Windows service that prevents illegal CD copying

    ==============================================

    Do you need me to help removing the infected winlogon notify keys?
     
  4. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    - Blind Dragon: Your help would be much appreciated.

    - LookinAround: The blueyonder instant support tool relates to my ISP. To be perfectly honest i'm not familar with StarOpen.

    - Bobbye: Thanks for all your helps once again greatly appreciated.
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Okay buddy,

    First of all, the entries were removed by combofix when running CFScript so I think the issue here is the fact that they re-appeared. Since you downloaded combofix over a week ago I am going to have you uninstall, then later we may download a fresh copy

    First:
    Uninstall combofix
    Uninstall combofix by going to Start -> Run -> type in combofix /u <-Note the space and hit enter

    You can also hold your windows key and press R to open the box.

    [​IMG]

    ========================================

    Second:
    disable Avast! Antivirus:

    • Right Click on the [​IMG] (Avast Antivirus Logo) in the system tray

    • This will bring up the Avast Antivirus options menu

    [​IMG]

    • Click once to highlight "Stop On-Access Protection"

    =========================================

    Third:
    [​IMG]
    Eset NOD32 scanner
    Go here to run an online scannner from ESET: » http://www.eset.eu/online-scanner
    Note: You will need to use Internet Explorer for this scan.

    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install (may have to click the yellow bar at the top)
    Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is also Checked.
    • Click Scan.
    • Wait for the scan to finish.
    • :!: Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Attach this log here

    ==========================================

    Fourth:
    DDS

    Please download from DDS by sUBs and save it to your Desktop.

    Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    • Double click on dds to run it.
    • When done, DDS.txt will open.
    • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
    • When done, Attach.txt will open.
    • Please zip and attach the contents of DDS.txt and Attach.txt in your next reply.

    =====================================

    Attach here:
    1) ESET Scanner log
    2) DDS.txt
    3) Attach.txt
     
  6. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    - Blind Dragon:
    These items keep reappearing so part of the problem is finding out why / is there something hidden elsewhere regenerating the infection.

    Manjit
    1. Do you have any removable storage devices (e.g. a flash drive) you connect to your computer from time to time?
    2. Specifically, something you might have re-connected over that 8-10 hour period of cleaning the entries and now seeing them reappear?
    3. Do you have any external storage devices? (e.g. usb drives?)

    To all:
    I have the thought for an idea of maybe an alternate method to find the source of re-infection and welcome comment. In any case, would probably be a day or two before could provide setup instructions to try and do it.

    The idea being along the lines of
    - The malware files are being stored in C:\Windows directory
    - The idea is try and use Windows audit policy to report when there's a write access to C:\Windows directory and / or
    - Audit for any type of access to the malware files themselves (as i assume something must check properties for existence so maybe can be audited and logged)

    The audit record includes the process attempting access.
     
  7. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Here are the logs requested. Thanks for your help Blind Dragon.
     

    Attached Files:

    • DDS.txt
      File size:
      8.3 KB
      Views:
      6
  8. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    LookinAround:

    1.Yes I have a external hard drive that I connect to my laptop from time to time because my laptop hard drive is very small as I brought it many years ago. I also use USB pen drives to transfer files around.
    2. I've not used any external devices in terms of connecting them to my USB drive in the last 8-10 period.
    3. As I mentioned I have a couple of Sony USB pens drives that store data and a larger external usb hard drive.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you Blind Dragon for the assistance. This has been a tough one. Ah I see netsvcs- could this be the Conficker Worm?

    Description HERE.
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Good eye, but no - only if you saw a netsvcs registry value that was random characters

    --------------------------

    First
    Go to add/remove programs and uninstall the following:
    bhimpryoxz
    Java(TM) 6 Update 7


    --------------------------

    Step 2:
    OTMoveit3 by OldTimer
    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      explorer.exe
      
      :Reg
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fin42u]
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVPfeE]
      
      :Files
      C:\Program Files\bhimpryoxz
      C:\windows\system32\fin42u.exe
      C:\windows\system32\tuvVPfeE.exe
      C:\windows\system32\fin42u.dll
      C:\windows\system32\tuvVPfeE.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    =======================================

    Step 3:
    I also want to take a look at your other winlogon entries:

    Open notepad and copy and paste next bold in it:

    regedit /e peek.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
    type peek.txt >> look.txt
    del peek.txt
    start notepad look.txt


    Save this as look.bat , choose to save as *all files and place it on your desktop.

    It should look like this on your desktop: [​IMG]

    Doubleclick look.bat

    Notepad will open with some txt in it. Copy and paste the contents in your next reply.

    ---------------------------------------------------------------

    Step 4:
    'The Avenger by Swandog46'

    • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Click the Execute button.
    • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log, along with a new HijackThis log in your next reply.


    Attach Here:
    1) OTMoveit! Log
    2) Look.txt
    3) avenger.txt
    4) Run a fresh hijackthis log after
     
  11. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Sorry it's taken so long to reply, only just noticed you posted the above instructions. Thanks for your help once again.

    Here are logs requested.
     
     
  12. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Also can I delete the look.bat file? Or does the file have to remain on my system as it's part of the fix.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You can delete the bat file - the entries appear to be gone.

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    ==========================================

    I suggest you get yourself a firewall - sooner the better - here are some free ones

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo (Vista Compatible)
    Kerio
    Online Armor
    Zonealarm (Vista Compatible)

    ==========================================

    OTCleanit! by Oldtimer
    • Launch OTMoveit!
    • Click the green CleanUp! button.
      • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).

    Any other tools not removed can be removed manually

    ---------------------------------------------------------------------------

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.
    2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    3. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.This is done in Vista through control panel -> windows updates.

    6. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

     
  14. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Thanks Blind Dragon for your help it was really appreciated. I took your advice and installed Online Armour, to go alongside Avast. Might slow things down a bit but much better to be safe.

    I took a fresh HJT scan this morning and I could scream. Because it appears all the files we spent ages trying to remove have reappeared.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O20 - Winlogon Notify: fin42u - C:\WINDOWS\
    O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\

    Is this a big a problem? Or am I still safe given the steps we went through.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Run CCleaner

    Click the registry icon in the left panel

    Scan for issues - select all - Fix all issues

    Run a fresh hijackthis and see if they are still there

    ============================================

    If they are still there...

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please attach the C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
     
  16. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    I've did the CC Cleaner scan and it found huge number of problems I ran the fix. But HJT found the same files were still their.

    Running VundoFix did not find any problems.

    Attached are the logs requested.

    To remove VundoFix do I have to run a scan again? Or can I just deleate it the normal way from add/remove programs.
     
  17. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Also just a quick question, if i have avast and online armour installed. Do I still need to have spybot on my system?

    Avast keeps showing that I am being attacked by 'DCOM exploit' is this linked to that fact that some of the files have not been removed?

    Once again thanks for your assistance.
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    No wonder this worm keeps coming back. What's the IP address of the DCOM attacks? Most likely it will resolve to your ISP because another user is infected and that user is attacking other accessible nodes, they probably don't even know they are infected.



    I don't know how much you know about Microsoft history but this vulnerability has been included with Windows since 98 - Just a little history lesson here so you can understand what is happening.

    Many years ago, Microsoft began modularizing Windows and their Windows applications by breaking them into functional components with well-defined, "version safe" interfaces. <- It's a great idea because it could allow pieces of Windows and applications to inter-operate.

    First it was known as OLE, then COM, the ActiveX, then became distributed with windows as DCOM (the D is for Distributed) - they did this just to be able to say windows has a distributed component system built in. <- This may appeal to you if you developed software - probably not - but maybe some developers

    The problem is that it attracts Internet worms and permits your system to be remotely compromised by malicious hackers. It's pointless, your system has already been compromised and though we have removed these files and registry entries they will continue to return -

    Avast has a NetworkShield that detects the worm attacks like Sasser, Blaster, ect. and that is what you are seeing.

    Solutions:
    1) you could reinstall windows and apply all updates
    2) you could try getting updates from Microsoft to patch the issue
    3) you could try getting a router if you are already up to date

    We can remove this but until the security vulnerability is resolved you will continue to be reinfected.
     
  19. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Thanks for your insightful response and your help blind dragon.

    Next time the attack appears I'll note the IP address, but having read what you've said i'm not sure that will make much difference.

    In terms of the solutions: in terms of gettings updates from Microsoft do you mean searching their website for a patch? Normally i've had automatic updates on for windows.

    Is getting a router big step?
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    1) I would try manually getting updates from www.update.microsoft.com

    2) I would install a router <- yes it's a big step

    3) After you have done that we should try removing those entries again to see if they re-appear

    4) If that doesn't work I would then consider backing up and reinstalling Windows.
     
  21. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,372   +167

    if i could add some info i think might help.... DCOM exploits take advantage of TCP port 135

    Is your computer on your own Local Area Network? Does it require Remote Procedure Calls (RPC) to any other computer or device you have on your LAN?
    1) I believe one solution is setting your firewall to block all incoming TCP/135 traffic

    2) If that's not practical, a good firewall should at least allow you to restrict incoming traffic by IP address. Thus you can try restricting incoming TCP/135 traffic on every computer on your LAN to only accept TCP/135 traffic from local computers with trusted IP addresses on your own LAN​
     
  22. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Blind Dragon
    I've had a look on the Micosoft site, this update seems to match what I have. Should I go ahead and download it?

    http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

    Or is that too simple, will their be a series of patches required?

    LookinAround:
    Erm my computer is not on my own LAN.

    Thanks for your help everybody.

    Actually this seems to be the one:
    http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

    *Whilst on my laptop eariler today it crashed and I got blue screen with a page of writing telling me to restart the computer and pyschial memory dump was/had occured.
    This bit of technical information I noted: tcpip.sys_Address F429D949 base at F428F000 Datestamp 485699ad
    Is this linked to the DCOM exploit problem? Because today I've noticed I have had no attacks according to Avast. Thou the problem files are back according to HJT.
    At the time of this crash I was moving some files to an external Hard Drive.
     
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    sorry for the delay

    We haven't removed the registry entries and files since you patched it.

    Before doing this - Try to update MBAM and run a scan with that let it remove anything it finds.

    Then post the log here along with the following

    RSIT
    Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.

    • Double click on RSIT.exe to run.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt <will be maximized and info.txt <will be minimized
    • Please post the contents of both logs in the next reply.
     
  24. jobeard

    jobeard TS Ambassador Posts: 13,426   +317

    The suggestion of a ROUTER is very good. In the normal state from the manufacturer, no ports are forwarded, so attackes on the DCOM port 135 from the Internet become impossible.

    Inside your LAN (ie devices connected to a router; and yes, even if you only have one system, you should {imo} get a router),
    File/Print sharing use ports 138-139,445 and the firewall(s) need these to be ALLOWed. Port 135 can be allowed too.

    Under no circumstance should you ever port forward from the router ports 135-139,445.
     
  25. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Sorry it's taken a while to reply.

    Attached our the logs requested.

    Once again thanks for the assitance.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.