Registry Keys Infected

By Manjit ยท 72 replies
Jan 17, 2009
  1. In recent days I have noticed my laptop has been performing rather poorly. Having run Malwarebytes it found two Registry Keys Infected is this what has been causing problems?

    Also recently I have switched from IE to Firefox, does this mean I need to do anything with IE or is it fine to leave it on the system?

    Thanks in advance.

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    It appears that you were previously helped with this same malware on thread

    Most of the same entries were suppose to be removed. It seems you finished the malware cleaning, but now it's all back again. That thread was from Oct. 2008. It looks like you posted 2 final logs on Reply Old 10-28-2008 but they were never picked up. So is this current thread an extenuation of the previous thread in October?

    Several people assisted yo u it does not appear that problem was ever resolved

    You were asked to disable TeaTimer during the cleaning, but it is running on the current log.
    Please disable Teatimer temporarily while we're cleaning:
    You were also old to remove these same entries:
    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    So bottom line is this the same problem from October? You als ran ComboFit and some of the entries were removed?
    Or is it a recurrence of the same problem?

    Did you try using any additional security in the two months between the problem?
  3. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    It's essentially the same problem from October, I've noticed myself that some of the things that should have been delated in October have come back. Plus I noticed the FakeTrogan alerts when I ran Malwarebytes.

    I'm rather confused as to what your asking me to do in your instructions. Do you want to run my computer in safe mode, then run HiJackThis and remove the entries you said? Rather confused.

    Thank in advance or to anybody else who could be of assistance.
  4. rev_olie

    rev_olie TS Guru Posts: 560

    No just load Hijackthis as you did when you first produced the logs. But instead press scan only and then in the list that appears place a tick in the box next to the entries listed above by Bobbeye.
  5. adweston

    adweston Banned Posts: 242

    Just a note, you're going to have trouble with the Winlogon notify entries. The reason you're reinfected is because these entries still exist from October (as evidenced in your October logs) and they're rootkits/trojans, inviting further infections into your computer.

    Those entries are protected and will simply not go away trying to delete them with HijackThis. Even if a rescan posts clean, a reboot will bring them right back. Incidentally, the same holds true for any infections using the Appinit DLL loading point.

    The last time you ran Combofix, it may not have been able to deal with them. It's probably worthwhile running the latest version of it, then redoing the Hijackthis scan to see if the Winlogon entries say "file missing" at the end. Once it says that, Hijackthis will be able to remove them.

    If that fails, then you'll have to boot into a Recovery Console, navigate to the C:\Windows directory ("cd c:\windows" at the prompt) and manually delete the file (del fin42u.* and del tuvVPfeE.*). Then you'll be able to boot back into normal mode and use Hijackthis to delete the entries. Finally, run CCleaner using the registry fix portion of the program. It will look for all other entry points for those bugs in your registry. Just make sure you back up your registry before you click "fix checked".

    EDIT: Bear in mind, there's probably going to be more problems that aren't highlighted in the logs. Those types of infections are *usually* "monitored" by other infectious files and quite often the standard scans can miss them. They're a real pain in the tush unless you know exactly what you're looking for, or are highly skilled enough to walk someone through it piece by piece. You're probably going to end up having to do a very thorough scrounging on your hard drive, and maybe even a scan for rootkits, before you get everything.
  6. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Thanks rev_olie and adweston.

    I try and run Combofix and try an deleate the Winlogan files that way.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    My apology for the 'Safe Mode' confusion. Thanks you rev_olie for clarifying that. Usually after checking the HijackThis entries, we have you boot into Safe Mode to do further work. But this was not the case here. I just forgot to delete the last part of the sentence.

    It is most likely that the malware infections was not completely removed in October. You will need to repeat the current scans with TeaTimer disabled- that is Malwarebytes and SuperAntispyware, followed by a new HijackThis scan. We can't get a true picture until scan are run with Real Time protection disabled.

    If you have already run ComboFix, be sure you uninstalled the previous version and downloaded the updated version. Please include all the new logs in your next post.

    We will go from there.
  8. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Here are the various logs that were requested. Including the log from ComboFix.

    Thanks in advance.

    Attached Files:

    • log.txt
      File size:
      37.2 KB
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I have asked momok, the member who assisted you in October to take a look t this recurring problem. You can do the following, but unless we find the source, it's going to happen again:

    Please download the Norton Removal Tool HERE and Save to your desktop.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Open Internet Explorer> Tools> Manage Add-ons> find the processes below> click to highlight each> Disable:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK any Symantec or Norton processes> Apply> OK> Reboot> NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Run the Norton Removal Tool:

    Follow momok's instructions for removing these files using CFScript.txt HERE
    O20 - Winlogon Notify: fin42u - C:\WINDOWS\
    O20 - Winlogon Notify: tuvVPfeE - C:\WINDOWS\
  10. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Am I meant to run the Norton Rmoval Tool in 'selective startup' and by that u mean 'safe mode'.
    Also when I follow momok's instructions with the CFScript.txt does that need to be done in 'safe mode' or 'normal mode'?

    Thanks in advance
  11. momok

    momok TS Rookie Posts: 2,265


    Kindly use this for the cfscript.txt instead. Do it in safe mode if you are unable to run it in normal mode.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Thank you momok. I should have waited.
  13. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Here is the log from ComboFix after i did the fix the cfscript.txt.

    I've also attached a fresh HJT log.

    Attached Files:

    • log.txt
      File size:
      9.6 KB
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Well, this is a mystery! It's last October all over again!
    Now- still, after numerous removals in HijackThis, Combofix and CTFix- still showing>

    - - - - ORPHANS REMOVED - - - -Now
    ComboFix, Oct. 2008:
    momok, what do you think about running Rootkittkit Reveal here:

    Manjit, hold on this until we hear from momok.
  15. momok

    momok TS Rookie Posts: 2,265

    Good thinking. Do proceed and run it and lets see what it shows.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Okay Manjit, let go with this:

    Please Go to this TechNet page and carefully read the instructions for running the Rootkit Revealer:

    There are steps laid out here as well as screen shots that will help you>
    Start here for the program: Using RootkitRevealer
    The download link is at the bottom of the page. I've move the download to here because the instructions are laid out for you.

    Follow this carefully, then follow the additional directions:
    When you have finished, please run a new scan with HijackThis and include the new log.
  17. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Here are the logs requested. In the HJT log the problem is not showing, but it normally only shows up when I restart the laptop. So I'll do another scan having re-started the laptop.

    Attached Files:

  18. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    I'd also suggest running Autoruns. Can be a big help to find the true "parent" that restarts new children if you find and kill its old ones.

    Install Autoruns. Then run the file named: autoruns.exe As it starts running notice its status in lower left corner of window
    • Hit ESC key (your upper left on keyboard) to stop scanning
    • Click Options Check Verify Code Signatures. Other options should be unchecked
    • Click File->Refresh to start scanning
    • Wait for status in lower left says Done.Then click File->Save As, save to a text file and attach back here
  19. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Here are the scans after I restarted the computer. As you can see from HJT the problem files we thought we had removed eariler have reappeared.

    I will run Autoruns now.
  20. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    I did the scan, but when the scan finished the status said Ready rather than Done not sure if the scan was still going on? It seemed to have finished.

    Also when I tried to save I was unable to save it as a text file.
  21. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    You're correct (my typo). it will say Ready and not Done.

    File->Save As, default file name should be Autoruns.txt save it on your desktop.

    If you can't, you'll need be more specifc as to what happens/error message/etc
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I'm not sure you're following what you have been asked to do:

    TeaTimer is running. It needs to be disabled while scanning. Please do this:
    You were also asked to run the Norton Removal Tool, but the entries persist. Please do this:
    When the above has been done, run SDFix:

    * Download SDFix from HERE and save it to your Desktop.
    * Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    After running SDFix, rescan with HijackThis in Normal Mode. Please be sure to disable TeaTimer first and run the Norton Removal Tool. Attach report from SDFix and new log from HijackThis.
  23. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Here's the autorun log.

    Attached Files:

  24. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Attached are the logs requested.

    I hope I've done everything correctly. Once again thanks for all your help.

    I've used the Norton Removal tool a couple of times now and I think it should have got rid of the entries. If not I must be doing something seriously wrong.
  25. jazz01

    jazz01 TS Rookie

    my computer shuts down automatically while I was watching a movie.Restarting the computer, shows no sign on the screen but CPU fan is working as usual and loading of DVD drive and booting doesnot occur while PC LED is on. In other words just CPU fan works while rest is almost dead. The power led on the CDRom is also off. Yesreday, I also can't no longer shut down my computer using power buttom on the front panel, the switch on the back of power supply was the only option. While I can log off or go to sleep mode but shut down function did not work. I also checked all the connections and cleared BIOS but no use. Immeditely after its automatic shutting down, I restarted and on the screen it was stated that CPU speed was changed and I was asked to press esc or F1 to continue, i pressed F1 and therafter, i could do nothing, no matter even i cleared BIOS. I cannot figure out the reason. any suggestions?
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...