Unable to delete registry entry from malware

jsmall (Newbie; Joined: 28 August 2008; Posts: 17)
Topic: Unable to delete registry entry from malware
Posted: 29 August 2008 at 2:42am

Don't see any active handles for those. Uploaded one to virustotal which didn't find anything. Seems like system is OK.
Still not sure why I can't delete the registry keys on the first one. I did run a "deep" A/S scan which uncovered some more things - I'll try again when I get access again tomorrow.
Thanks,
--Jim

jsmall (Newbie; Joined: 28 August 2008; Posts: 17)
Posted: 29 August 2008 at 2:37am

Good idea - will do.
net helpmsg 4006 - LOL
Thanks,
--Jim

molotov (Moderator Group; Joined: 04 October 2006; Posts: 17492)
Posted: 29 August 2008 at 2:17am

As SystemPro indicated, the dump_* drivers are normal and expected.
Perhaps, use PE to check to see what's using the files that RootRepeal turned up.

Daily affirmation:
net helpmsg 4006
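To check molotov's point that the dump_*.sys images are expected, here is an added PowerShell check; it is my own code, not something from the thread or from RootRepeal. It relies on the fact that the crash-dump path loads in-memory copies of the boot-volume storage drivers under a dump_ prefix with no corresponding file on disk, which is why RootRepeal lists them with "File Visible: No". The check maps each reported name back to the driver it shadows in System32\drivers and reports whether that driver is present and signed. The function name and verdict strings are mine; the sample names are the ones from Jim's RootRepeal output further down the thread. On Windows 7 and earlier, catalog-signed Microsoft drivers come back as NotSigned from Get-AuthenticodeSignature, so an "investigate" result there means look at the file, not that it is malicious.

```powershell
# Added example, not code from the thread. Maps a RootRepeal "dump_<name>.sys"
# entry to the real storage driver it shadows and reports whether that driver
# exists on disk and carries a valid Authenticode signature. Read-only.
function Test-DumpDriverShadow {
    param([Parameter(Mandatory)][string]$ReportedName)   # e.g. 'dump_atapi.sys'

    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'

    # Anything without the dump_ prefix is not part of the crash-dump stack.
    if ($ReportedName -notmatch '^dump_(.+)$') {
        return [pscustomobject]@{ Reported = $ReportedName; Shadows = $null; Verdict = 'not a dump_ image' }
    }
    # $Matches[1] is the base driver name captured by the regex above, e.g. 'atapi.sys'.
    $base = Join-Path $driversDir $Matches[1]

    if (-not (Test-Path -LiteralPath $base)) {
        return [pscustomobject]@{ Reported = $ReportedName; Shadows = $base
                                  Verdict  = 'no matching driver on disk; investigate' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $base
    $verdict = if ($sig.Status -eq 'Valid') {
        "expected (shadow of signed driver: $($sig.SignerCertificate.Subject))"
    } else {
        # Catalog-signed drivers report NotSigned on older Windows; check the file by hand.
        "matching driver present but signature status is $($sig.Status); investigate"
    }
    [pscustomobject]@{ Reported = $ReportedName; Shadows = $base; Verdict = $verdict }
}

# Usage with the names quoted from RootRepeal in this thread.
'dump_iastor.sys', 'dump_atapi.sys', 'dump_WMILIB.SYS' |
    ForEach-Object { Test-DumpDriverShadow -ReportedName $_ } |
    Format-Table -AutoSize
```

A dump_ image whose base driver is absent from System32\drivers is the case worth pursuing with Process Explorer, as suggested in the reply above; the three names from this thread each map to a driver that normally ships with Windows or the Intel storage driver.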

SystemPro (Senior Member; Joined: 26 April 2007; Location: Germany; Posts: 504)
Posted: 29 August 2008 at 1:47am
Edited by SystemPro - 29 August 2008 at 1:57am

Concentrate on your strengths.

jsmall (Newbie; Joined: 28 August 2008; Posts: 17)
Posted: 29 August 2008 at 1:43am

OK - ran rootrepeal on 2 computers we have suspicions about:
The first one that I've been writing about came back good except for this:
c:\windows\system32\drivers\dump_iastor.sys is hidden. However, this seems like it could be a legitimate file.
On the other computer that I thought was good, I got more:
These two which might also be OK:

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF20DC000 Size: 98304 File Visible: No Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BFD000 Size: 8192 File Visible: No Status: -

I also got this though, which looks like it could be bad:

Path: C:\Documents and Settings\mdoran\Local Settings\Application Data\Microsoft\Messenger\mdoran@comtel.com\SharingMetadata\vanravenswaay@hotmail.com\DFSR\Staging\CS{2B2D3F53-4000-9513-521E-8C3AAB71F8C4}\01\10-{2B2D3F53-4000-9513-521E-8C3AAB71F8C4}-v1-{89E094B2-FA81-4471-BF6C-27313D64A536}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mdoran\Local Settings\Application Data\Microsoft\Messenger\mdoran@comtel.com\SharingMetadata\vanravenswaay@hotmail.com\DFSR\Staging\CS{2B2D3F53-4000-9513-521E-8C3AAB71F8C4}\77\77-{698C8F66-BEBC-4EE9-85CF-C9928633F933}-v77-{698C8F66-BEBC-4EE9-85CF-C9928633F933}-v77-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mdoran\Local Settings\Application Data\Microsoft\Messenger\mdoran@comtel.com\SharingMetadata\vanravenswaay@hotmail.com\DFSR\Staging\CS{2B2D3F53-4000-9513-521E-8C3AAB71F8C4}\78\78-{698C8F66-BEBC-4EE9-85CF-C9928633F933}-v78-{698C8F66-BEBC-4EE9-85CF-C9928633F933}-v78-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\mdoran\Application Data\Macromedia\Flash Player\#SharedObjects\YBUS3ZZ9\a332.g.akamai.net\f\332\936\12h\www.edmunds.com\media\1024hp:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\mdoran\Application Data\Macromedia\Flash Player\#SharedObjects\YBUS3ZZ9\a332.g.akamai.net\f\332\936\12h\www.edmunds.com\media\1024hp:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\mdoran\Application Data\Macromedia\Flash Player\#SharedObjects\YBUS3ZZ9\a332.g.akamai.net\f\332\936\12h\www.edmunds.com\media\1024hp:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Should I force delete those files?
Thanks,
--Jim

jsmall (Newbie; Joined: 28 August 2008; Posts: 17)
Posted: 29 August 2008 at 1:25am

You are correct of course. I should have said, I found null registry keys with rootkitrevealer (HKLM\SOFTWARE\Classes\CLSID\*) which I removed with regdelnull.
I did save a copy of the file/DLL. Just tried virustotal.com:
File upxgpqe.dll received on 08.29.2008 02:18:16 (CET)
Result: 1/34 (2.95%)

Antivirus   Version    Last Update   Result
eSafe       7.0.17.0   2008.08.28    Suspicious File
(The rest have a result of -)

Additional information
File size: 105472 bytes
MD5...: a380751f010643713b4a1d4883e7508f
SHA1..: a104e3bc8724b8402685a64d7f03c81c93e228c2
SHA256: 1de6c3dd4db34086301322a07ebac395da09fda9648f21d594f01ed8dae054a7
SHA512: 508ee9af6501c6700d1b1d96d1b52667fca97340db45677474c4641d97ab98113916f27698c8203b06acf20df43e1e6cf0eb2f565b851b79a07816870a14baf3
PEiD..: -
TrID..: File type identification
  Generic Win/DOS Executable (49.9%)
  DOS Executable Generic (49.8%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: -

Behavior observed with this dll:
Would hook into winlogin, explorer, iexplore, and office (outlook). Sometimes would start itself via rundll. Would especially cause lots of problems with outlook.
I have the dll if you're interested in it. I believe this forum stated no uploading viruses but I would be happy to submit if you provide me a location.
--Jim

molotov (Moderator Group; Joined: 04 October 2006; Posts: 17492)
Posted: 29 August 2008 at 1:09am

RKR will not remove items. It will report items that may warrant further exploration.
Did you happen to upload the file to a place such as virustotal.com?

Daily affirmation:
net helpmsg 4006

SystemPro (Senior Member; Joined: 26 April 2007; Location: Germany; Posts: 504)
Posted: 29 August 2008 at 12:58am

Google spits out not much except the first six chars and that looks bad and fits in my research activities:
Edited by SystemPro - 29 August 2008 at 12:58am

Concentrate on your strengths.

jsmall (Newbie; Joined: 28 August 2008; Posts: 17)
Posted: 29 August 2008 at 12:25am

Absolutely, here they are:
Winlogin hook:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rixqgeix
IE BHO Hook:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D90D1926-483A-4A96-A57A-F142F0B48653}

I have not tried rootrepeal. I did run rootkitrevealer. It found about 8 Null Registry Keys which I had it remove. I will try rootrepeal.
The original DLL was upxgpqe.dll. There were many open handles to it. After booting into the command console and deleting the file, there are now no more open handles and I don't see anything else suspicious on the system. Of course the only sure way is to re-image, but that gets old when the user is remote and you must constantly do it. That's why I'm trying to dig more into the internals so I can just clean the systems when A/V+A/S fail.
I'll let you know what happens with rootrepeal.
Thanks,
--Jim
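A read-only audit of the two persistence locations Jim lists above (a Winlogon Notify package and a Browser Helper Object), written in PowerShell as an added example for this thread; it is not code from the thread or from any of the Sysinternals tools discussed. Function names are my own, the registry paths are the standard ones, and it assumes Windows PowerShell 3.0 or later. The Winlogon\Notify key is an XP-era mechanism that does not exist on Vista and later, which the Test-Path check tolerates. The script resolves each entry to the DLL it loads and flags modules that are missing from disk or not Authenticode-signed, which is how a stray Notify entry such as rixqgeix stands out among the legitimate ones.

```powershell
# Added example, not code from the thread. Read-only audit of Winlogon Notify
# packages and Browser Helper Objects: resolve each entry to the DLL it loads,
# then check that the DLL exists and carries a valid Authenticode signature.
# Function names are the author's own; registry paths are the standard ones.

function Get-WinlogonNotifyEntries {
    # XP-era mechanism; the key is absent on Vista and later, so return nothing there.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem $base) {
        [pscustomobject]@{
            Source = 'Winlogon\Notify'
            Name   = $key.PSChildName
            Module = (Get-ItemProperty $key.PSPath).DLLName   # value that names the package DLL
        }
    }
}

function Get-BhoEntries {
    # A BHO key holds only the CLSID; the DLL is the CLSID's InprocServer32 default value.
    # On 64-bit Windows, 32-bit BHOs and their CLSIDs live under the WOW6432Node views.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path $v.Bho)) { continue }
        foreach ($key in Get-ChildItem $v.Bho) {
            $clsid  = $key.PSChildName
            $inproc = Join-Path $v.Clsid "$clsid\InprocServer32"
            $module = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
            [pscustomobject]@{ Source = 'Browser Helper Objects'; Name = $clsid; Module = $module }
        }
    }
}

function Resolve-PersistenceEntry {
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        $path = $Entry.Module; $exists = $false; $signer = 'n/a'
        if ($path) {
            # Notify entries often hold a bare file name, which the loader finds in System32.
            $path = [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot "System32\$path"
            }
            $exists = Test-Path -LiteralPath $path
            if ($exists) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                          else { "unsigned ($($sig.Status))" }
            }
        }
        [pscustomobject]@{
            Source = $Entry.Source; Name = $Entry.Name; Module = $Entry.Module
            ResolvedPath = $path; FileExists = $exists; Signer = $signer
        }
    }
}

# Usage: list everything, then call out entries whose module is missing or unsigned.
# On Windows 7 and earlier, catalog-signed Microsoft DLLs also report NotSigned here,
# so treat a warning as a pointer to examine the file, not as a verdict.
$entries = (@(Get-WinlogonNotifyEntries) + @(Get-BhoEntries)) | Resolve-PersistenceEntry
$entries | Format-Table Source, Name, ResolvedPath, FileExists, Signer -AutoSize
$entries | Where-Object { -not $_.FileExists -or $_.Signer -like 'unsigned*' } |
    ForEach-Object { Write-Warning "Review $($_.Source) entry '$($_.Name)' -> $($_.ResolvedPath)" }
```

Running this before deleting anything gives you the module path to hash and submit (as Jim did with VirusTotal) and a record of which key pointed at it, which matters when a key refuses to delete: an entry whose DLL is still mapped into winlogon.exe or explorer.exe is usually the reason the registry delete fails until the file is removed from a clean boot.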

molotov (Moderator Group; Joined: 04 October 2006; Posts: 17492)
Posted: 28 August 2008 at 11:26pm

The stack looks about like what I'd expect.
Can you share the keys you're trying to remove?
Have you run a tool like RootRepeal?

Daily affirmation:
net helpmsg 4006