Registry Keys Infected


Manjit

In recent days I have noticed my laptop has been performing rather poorly. Having run Malwarebytes, it found two Registry Keys Infected. Is this what has been causing the problems?

Also recently I have switched from IE to Firefox, does this mean I need to do anything with IE or is it fine to leave it on the system?

Thanks in advance.
 

Attachments: mbam-log-2009-01-17 (19-09-19).txt
It appears that you were previously helped with this same malware on thread https://www.techspot.com/vb/topic114173.html

Most of the same entries were supposed to be removed. It seems you finished the malware cleaning, but now it's all back again. That thread was from Oct. 2008. It looks like you posted 2 final logs on Reply Old 10-28-2008, but they were never picked up. So is this current thread a continuation of the previous thread in October?

Several people assisted you; it does not appear that the problem was ever resolved.

You were asked to disable TeaTimer during the cleaning, but it is running on the current log.
Please disable Teatimer temporarily while we're cleaning:
Disable Teatimer:
* Right click the Image (Spybot -SD Resident Icon) located in your system tray
* This will bring up the Spybot options menu, uncheck Resident Protection
* Launch Spybot S&D Program
* Click on Mode at the top and make sure that Advanced is checked
* Expand the Tools tab in the left pane
* Single click on the Resident Icon also in the left pane
* Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
* Close spybot
You were also told to remove these same entries:
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - (fragment left from Trend Micro ActiveX Scan Agent 6.5)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - (fragment left from Symantec Download Manage
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

So, bottom line, is this the same problem from October? You also ran ComboFix and some of the entries were removed?
Or is it a recurrence of the same problem?

Did you try using any additional security in the two months between the problem?
 
It's essentially the same problem from October. I've noticed myself that some of the things that should have been deleted in October have come back. Plus I noticed the FakeTrojan alerts when I ran Malwarebytes.

I'm rather confused as to what you're asking me to do in your instructions. Do you want me to run my computer in safe mode, then run HiJackThis and remove the entries you said? Rather confused.

Thanks in advance, or to anybody else who could be of assistance.
 
No, just load HijackThis as you did when you first produced the logs. But instead press Scan only, and then in the list that appears, place a tick in the box next to the entries listed above by Bobbeye.
 
Just a note, you're going to have trouble with the Winlogon notify entries. The reason you're reinfected is because these entries still exist from October (as evidenced in your October logs) and they're rootkits/trojans, inviting further infections into your computer.

Those entries are protected and will simply not go away trying to delete them with HijackThis. Even if a rescan posts clean, a reboot will bring them right back. Incidentally, the same holds true for any infections using the Appinit DLL loading point.

The last time you ran Combofix, it may not have been able to deal with them. It's probably worthwhile running the latest version of it, then redoing the Hijackthis scan to see if the Winlogon entries say "file missing" at the end. Once it says that, Hijackthis will be able to remove them.

If that fails, then you'll have to boot into a Recovery Console, navigate to the C:\Windows directory ("cd c:\windows" at the prompt) and manually delete the file (del fin42u.* and del tuvVPfeE.*). Then you'll be able to boot back into normal mode and use Hijackthis to delete the entries. Finally, run CCleaner using the registry fix portion of the program. It will look for all other entry points for those bugs in your registry. Just make sure you back up your registry before you click "fix checked".

EDIT: Bear in mind, there's probably going to be more problems that aren't highlighted in the logs. Those types of infections are *usually* "monitored" by other infectious files and quite often the standard scans can miss them. They're a real pain in the tush unless you know exactly what you're looking for, or are highly skilled enough to walk someone through it piece by piece. You're probably going to end up having to do a very thorough scrounging on your hard drive, and maybe even a scan for rootkits, before you get everything.
 
Thanks rev_olie and adweston.

I'll try and run ComboFix and try and delete the Winlogon files that way.
 
My apology for the 'Safe Mode' confusion. Thank you rev_olie for clarifying that. Usually after checking the HijackThis entries, we have you boot into Safe Mode to do further work. But this was not the case here. I just forgot to delete the last part of the sentence.

It is most likely that the malware infection was not completely removed in October. You will need to repeat the current scans with TeaTimer disabled, that is Malwarebytes and SuperAntispyware, followed by a new HijackThis scan. We can't get a true picture until scans are run with Real Time protection disabled.

If you have already run ComboFix, be sure you uninstalled the previous version and downloaded the updated version. Please include all the new logs in your next post.

We will go from there.
 
Here are the various logs that were requested. Including the log from ComboFix.

Thanks in advance.
 

Attachments: log.txt
I have asked momok, the member who assisted you in October, to take a look at this recurring problem. You can do the following, but unless we find the source, it's going to happen again:

Please download the Norton Removal Tool HERE and Save to your desktop.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)>>> (Symantec Intrusion Prevention)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} ->>>> HouseCall ActiveX control in Internet Explorer>> Vulnerability reported.
Kill {215B8138-A3CF-44c5-803F-8226143CFC0A}
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - >>>(Symantec Download Manager)
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Open Internet Explorer> Tools> Manage Add-ons> find the processes below> click to highlight each> Disable:
symdlmgr (Symantec Download Manager)
IPSBHO.DLL (Symantec Intrusion Protector)
hcImpl.cab (Trend Micro Housecall)
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK any Symantec or Norton processes> Apply> OK> Reboot> NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Run the Norton Removal Tool:

Follow momok's instructions for removing these files using CFScript.txt HERE
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
 
Am I meant to run the Norton Removal Tool in 'selective startup', and by that do you mean 'safe mode'?
Also, when I follow momok's instructions with the CFScript.txt, does that need to be done in 'safe mode' or 'normal mode'?

Thanks in advance
 
Hi,

Kindly use this for the cfscript.txt instead. Do it in safe mode if you are unable to run it in normal mode.
File::
C:\WINDOWS\SYSTEM32\tuvVPfeE.dll
C:\WINDOWS\SYSTEM32\fin42u.dll
Folder::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fin42u]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVPfeE]
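The posts above explain why the O20 Winlogon Notify and "(no file)" O2 entries keep returning: each is a registry load point, and HijackThis only shows the symptom. The following Python script is an added example, not code from the thread or from any of the tools it mentions. It triages constructed HijackThis log lines modelled on the ones posted here, maps each flagged entry to the registry key behind it, and renders the same [-KEY] Registry:: block momok used in the CFScript. The sample log and the key paths are assumptions for illustration.

```python
import re

# Constructed sample HijackThis log lines, modelled on the entries in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre6\\bin\\jusched.exe
O20 - Winlogon Notify: fin42u - C:\\WINDOWS\\
O20 - Winlogon Notify: tuvVPfeE - C:\\WINDOWS\\
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
"""

# Registry load points behind the O20 and O2 line types (assumed key paths).
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects"

O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O2 = re.compile(r"^O2 - BHO: .+? - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def triage(log_text):
    """Return [(hjt_line, reason, registry_key)] for entries that need a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O20.match(line)
        if m:
            name, target = m.groups()
            # A Notify handler must name a DLL; a bare directory or "(no file)"
            # means HijackThis could not resolve it (the fin42u / tuvVPfeE pattern).
            if target.endswith("\\") or target.lower() == "(no file)":
                findings.append((line, "Winlogon Notify entry without a resolvable DLL",
                                 NOTIFY_KEY + "\\" + name))
            continue
        m = O2.match(line)
        if m and m.group(2).lower() == "(no file)":
            findings.append((line, "BHO registered but its DLL is missing",
                             BHO_KEY + "\\" + m.group(1)))
    return findings


def registry_section(findings):
    """Render a CFScript 'Registry::' block deleting the flagged keys ([-KEY] syntax)."""
    return "\n".join(["Registry::"] + ["[-%s]" % key for _, _, key in findings])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hjt_line, reason, key in hits:
        print("%s\n    %s\n    check: %s" % (hjt_line, reason, key))
    print(registry_section(hits))
```

Entries whose DLL does resolve (the SUPERAntiSpyware handler, the Adobe BHO) are deliberately left alone, which is the same distinction the helpers drew between legitimate and orphaned load points.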
 
Here is the log from ComboFix after I did the fix with the cfscript.txt.

I've also attached a fresh HJT log.
 

Attachments: log.txt
Well, this is a mystery! It's last October all over again!
Now, still, after numerous removals in HijackThis, ComboFix and CTFix, it is still showing:

O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: (no name) - {F742E03D-8892-42AE-8049-CB5A51BE5B14} - (no file)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
O20 - Winlogon Notify: fin42u - C:\WINDOWS\
O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
ComboFix, now:
- - - - ORPHANS REMOVED - - - -
HKLM-Run-msnappau - C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-gb\msnappau.exe
HKLM-Run-POINTER - point32.exe
Notify-!SASWinLogon - (no file)
Notify-fin42u - (no file)
Notify-tuvVPfeE - (no file)
ComboFix, Oct. 2008:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fin42u]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVPfeE]

There is only one other instance of these 2 winlogons on the internet and it wasn't taken out to a resolution.

momok, what do you think about running Rootkit Revealer here:
https://www.techspot.com/vb/topic34006.ht

Manjit, hold on this until we hear from momok.
 
Okay Manjit, let's go with this:

Please go to this TechNet page and carefully read the instructions for running the Rootkit Revealer:
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

There are steps laid out here as well as screen shots that will help you>
Start here for the program: Using RootkitRevealer
The download link is at the bottom of the page. I've moved the download to here because the instructions are laid out for you.

Follow this carefully, then follow the additional directions:
Using RootkitRevealer
1. Please study the RKR web page carefully. (TechNet/Sysinternals link above)

2. Don't use your computer while RKR is scanning.
Start RKR, wait about 10 seconds, click Scan, then leave computer untouched until it completes. An idle machine will minimise the possibility of false positive reports caused by changes to the system during the scan. Background processes may still make intermittent changes, but resulting discrepancies tend to be obvious from their registry or filesystem branch; on a re-scan many may not recur.

3. Save the discrepancy list to text file as needed.
Using the File->Save dialog, select "My Computer" and work down to a suitable folder. The "My Documents" and "Desktop" buttons point to a System user's folders.

4. Use the search feature in the RKR forums.
For questionable discrepancies, search using a distinctive part of the registry key or path name. Very frequently the same item has appeared before and been commented upon. Often they turn out to be innocuous.

5. Search Google.
Googling a distinctive part of the registry key, especially the CLSID, can often lead to forum reports of the application responsible. Similarly, googling filenames may lead to removal advice if malicious. If using long strings copied from posts, ensure that no extra blanks have become embedded in the search string.

6. When posting a log, ATTACH either the full text log or a representative subsection if it's too large.
When you have finished, please run a new scan with HijackThis and include the new log.
 
Here are the logs requested. In the HJT log the problem is not showing, but it normally only shows up when I restart the laptop. So I'll do another scan having re-started the laptop.
 

Attachments: RootkitReveal.txt
I'd also suggest running Autoruns. It can be a big help to find the true "parent" that restarts new children if you find and kill its old ones.

Install Autoruns. Then run the file named autoruns.exe. As it starts running, notice its status in the lower left corner of the window.
  • Hit the ESC key (upper left on your keyboard) to stop scanning
  • Click Options, check Verify Code Signatures. Other options should be unchecked
  • Click File->Refresh to start scanning
  • Wait for the status in the lower left to say Done. Then click File->Save As, save to a text file and attach it back here
 
Here are the scans after I restarted the computer. As you can see from HJT, the problem files we thought we had removed earlier have reappeared.

I will run Autoruns now.
 
I did the scan, but when the scan finished the status said Ready rather than Done; I'm not sure if the scan was still going on? It seemed to have finished.

Also, when I tried to save, I was unable to save it as a text file.
 
You're correct (my typo). It will say Ready and not Done.

File->Save As, the default file name should be Autoruns.txt; save it on your desktop.

If you can't, you'll need to be more specific as to what happens/error message/etc.
 
I'm not sure you're following what you have been asked to do:

TeaTimer is running. It needs to be disabled while scanning. Please do this:
SPYBOT TEATIMER
* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
You were also asked to run the Norton Removal Tool, but the entries persist. Please do this:
Post #9: download and run.

When the above has been done, run SDFix:

* Download SDFix from HERE and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here

After running SDFix, rescan with HijackThis in Normal Mode. Please be sure to disable TeaTimer first and run the Norton Removal Tool. Attach report from SDFix and new log from HijackThis.
 
Attached are the logs requested.

I hope I've done everything correctly. Once again thanks for all your help.

I've used the Norton Removal tool a couple of times now and I think it should have got rid of the entries. If not I must be doing something seriously wrong.
 
My computer shut down automatically while I was watching a movie. Restarting the computer shows no sign on the screen, but the CPU fan is working as usual, and loading of the DVD drive and booting does not occur while the PC LED is on. In other words, just the CPU fan works while the rest is almost dead. The power LED on the CD-ROM is also off. Yesterday, I also could no longer shut down my computer using the power button on the front panel; the switch on the back of the power supply was the only option. While I can log off or go to sleep mode, the shut down function did not work. I also checked all the connections and cleared BIOS, but no use. Immediately after its automatic shutting down, I restarted and on the screen it was stated that the CPU speed was changed and I was asked to press Esc or F1 to continue. I pressed F1 and thereafter I could do nothing, even though I cleared BIOS. I cannot figure out the reason. Any suggestions?
 