XP: Registry Keys, Malware

[Guest Scott]

What role do registry keys play in malware? Is a registry key sufficient or

does there need to be a malware program on my computer?

 

Details.

 

I run Ad-Aware 2008 Free every week and on Aug 5 if found Virtumonde.

According to Lavasoft, this is in the top 5 of threats going around now.

 

File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger

 

My notes do not mention that I checked to see if Ad-Aware also found

registry keys.

 

Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and they

did not find Virtumonde. Microsoft Malicious Software Removal Tool did not

find anything with the July and August updates

 

Yahoo Anti Spy, however, did find 4 registry keys it identified as

hijackers.

 

One is ISTbar from a company called Internet Search Technologies:

 

hkey_local_machine \software\microsoft\windows\currentversion\internet

settings\zonemap\domains\contentmatch.net

 

Three were from Mirar. They had the exact form above but with different

domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

 

Thanks for any info

 

Scott

 

Los Angeles

[Guest David H. Lipman]

Re: XP: Registry Keys, Malware

 

From: "Scott" <scott@adelphia.net>

 

| What role do registry keys play in malware? Is a registry key sufficient or

| does there need to be a malware program on my computer?

 

| Details.

 

| I run Ad-Aware 2008 Free every week and on Aug 5 if found Virtumonde.

| According to Lavasoft, this is in the top 5 of threats going around now.

 

| File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger

 

| My notes do not mention that I checked to see if Ad-Aware also found

| registry keys.

 

| Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and they

| did not find Virtumonde. Microsoft Malicious Software Removal Tool did not

| find anything with the July and August updates

 

| Yahoo Anti Spy, however, did find 4 registry keys it identified as

| hijackers.

 

| One is ISTbar from a company called Internet Search Technologies:

 

| hkey_local_machine \software\microsoft\windows\currentversion\internet

| settings\zonemap\domains\contentmatch.net

 

| Three were from Mirar. They had the exact form above but with different

| domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

 

| Thanks for any info

 

| Scott

 

| Los Angeles

 

 

 

Questions like this SHOULD be asked in an anti malware news group such as;

microsoft.public.security.virus

 

The Registry loads software as well as provides information as how software should run,

its parameters and settings and a myriad of other pertinent information.

 

Example:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

 

Relates to how Internet Explorer handles specifice Internet Domain sites such as; MSN.COM

 

Malware will modify such settings to allow it maximum exposure and security capabilities

to allow it to do what it wants.

 

Some keys such as;

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

Will load software entered into its keys.

 

Other locations like...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

Will load DLL files into the Winlogon process.

Others will load into the Windows Explorer process (explorer.exe)

 

Now if a key loads a file and that file does not exist, it can load the payload.

Additionally, if a file needs a registry point tyo load and that registry point does not

exist in the registry then that file can't be loaded into the OS.

 

Thus the the registry plays an integral part of integrating malware into the OS.

 

A simple piece of malware mys jus run an EXE file from...

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

or a DLL via RUNDLL32 from the same location.

 

A more complex piece of malware may have many entries in the registry as in the following

example URL

http://vil.nai.com/vil/Content/v_143470.htm

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest Stephen Harris]

Re: XP: Registry Keys, Malware

 

Scott wrote:

> What role do registry keys play in malware? Is a registry key sufficient or

> does there need to be a malware program on my computer?

>

> Details.

>

> I run Ad-Aware 2008 Free every week and on Aug 5 if found Virtumonde.

> According to Lavasoft, this is in the top 5 of threats going around now.

>

> File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger

>

> My notes do not mention that I checked to see if Ad-Aware also found

> registry keys.

>

> Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and they

> did not find Virtumonde. Microsoft Malicious Software Removal Tool did not

> find anything with the July and August updates

>

> Yahoo Anti Spy, however, did find 4 registry keys it identified as

> hijackers.

>

> One is ISTbar from a company called Internet Search Technologies:

>

> hkey_local_machine \software\microsoft\windows\currentversion\internet

> settings\zonemap\domains\contentmatch.net

>

> Three were from Mirar. They had the exact form above but with different

> domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

>

> Thanks for any info

>

> Scott

>

> Los Angeles

>

>

 

Virtumonde is dangerous because some infestations manifest as a rootkit.

I had it removed except for one file which kept saying "access denied"

when I tried to remove it, even in safe mode. Some of these files need

to be removed from the Dos command prompt, C:\, before their process

starts, by booting into Recovery Console with the XP install CD. If

anyone doesn't have that (like just recovery disks) the workaround is,

 

http://aumha.net/viewtopic.php?f=62&t=31844 by an MS-MVP

[read the whole thing and do the registry fixes]

 

Remember to turn off System Restore before deleting this stuff, or

the malware will get replenished from files Windows backs up with.

I use more than one anti-spyware for running scans, but not the

active system protections for each one because they can conflict,

and also present hard to understand choices like Spybot's TeaTimer

for example. Firefox has Adblock Plus and NoScript, but none of

these programs provide very intelligent automatic protection.

Spyware Doctor seems to work fairly well, but slows the system.

Remember to turn on System Restore afterward. Before deleting

registry entries they warn you to backup the registry because in

some cases removing malware cripples the system.

 

Use ERUNT for full registry backups, Windows is not comprehensive.

http://www.winxptutor.com/regback.htm

I use mbrfix for backing up the mbr but BootitNG of Terabytes

has two good free programs.

 

I also like Acronis for doing complete backups, if you have a

large disk for a hidden backup partition. More than 4 DVDs is too

complex. A great way is too clone your hard drive to another

hard drive in the computer just after all the apps are installed

and it is pristine at about 12-16GB. That guards against hard disk

failure, you have another disk ready to go. I keep my data cable

unplugged rather than do incrementals to it. Email backups and

favorites/bookmarks I backup periodically to cds. For pictures

DVD data disks is fine.

 

Since May of last year Malware problems have gone up 407% and my

success rate and cleaning malware has gone from 85% success, to

about 20% success, mainly because much malware now have rootkits.

 

After a person loses his hard drive twice, it really brings home

the old adage, an ounce of prevention is worth a pound of cure.

 

Stephen

[Guest Scott]

Re: XP: Registry Keys, Malware

 

Thanks for the info and the links. I was not aware that there was another

group for this topic.

 

Scott

Los Angeles.

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:%23qkNQXMBJHA.1628@TK2MSFTNGP02.phx.gbl...

> From: "Scott" <scott@adelphia.net>

>

> | What role do registry keys play in malware? Is a registry key sufficient

> or

> | does there need to be a malware program on my computer?

>

> | Details.

>

> | I run Ad-Aware 2008 Free every week and on Aug 5 if found Virtumonde.

> | According to Lavasoft, this is in the top 5 of threats going around now.

>

> | File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger

>

> | My notes do not mention that I checked to see if Ad-Aware also found

> | registry keys.

>

> | Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and

> they

> | did not find Virtumonde. Microsoft Malicious Software Removal Tool did

> not

> | find anything with the July and August updates

>

> | Yahoo Anti Spy, however, did find 4 registry keys it identified as

> | hijackers.

>

> | One is ISTbar from a company called Internet Search Technologies:

>

> | hkey_local_machine \software\microsoft\windows\currentversion\internet

> | settings\zonemap\domains\contentmatch.net

>

> | Three were from Mirar. They had the exact form above but with different

> | domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

>

> | Thanks for any info

>

> | Scott

>

> | Los Angeles

>

>

>

> Questions like this SHOULD be asked in an anti malware news group such as;

> microsoft.public.security.virus

>

> The Registry loads software as well as provides information as how

> software should run,

> its parameters and settings and a myriad of other pertinent information.

>

> Example:

> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

>

> Relates to how Internet Explorer handles specifice Internet Domain sites

> such as; MSN.COM

>

> Malware will modify such settings to allow it maximum exposure and

> security capabilities

> to allow it to do what it wants.

>

> Some keys such as;

> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

>

> Will load software entered into its keys.

>

> Other locations like...

> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

>

> Will load DLL files into the Winlogon process.

> Others will load into the Windows Explorer process (explorer.exe)

>

> Now if a key loads a file and that file does not exist, it can load the

> payload.

> Additionally, if a file needs a registry point tyo load and that registry

> point does not

> exist in the registry then that file can't be loaded into the OS.

>

> Thus the the registry plays an integral part of integrating malware into

> the OS.

>

> A simple piece of malware mys jus run an EXE file from...

> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

>

> or a DLL via RUNDLL32 from the same location.

>

> A more complex piece of malware may have many entries in the registry as

> in the following

> example URL

> http://vil.nai.com/vil/Content/v_143470.htm

>

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>

>

[Guest Scott]

Re: XP: Registry Keys, Malware

 

Thanks for the info and the links. Ad-Aware has not detected an re-infection

so I trust I am clean. That's bad news malware is using rootkits now.

 

Scott

Los Angeles

 

"Stephen Harris" <cyberguard-1048@yahoo.com> wrote in message

news:YCOrk.37587$ZE5.11422@nlpi061.nbdc.sbc.com...

> Scott wrote:

>> What role do registry keys play in malware? Is a registry key sufficient

>> or does there need to be a malware program on my computer?

>>

>> Details.

>>

>> I run Ad-Aware 2008 Free every week and on Aug 5 if found Virtumonde.

>> According to Lavasoft, this is in the top 5 of threats going around now.

>>

>> File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger

>>

>> My notes do not mention that I checked to see if Ad-Aware also found

>> registry keys.

>>

>> Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and

>> they did not find Virtumonde. Microsoft Malicious Software Removal Tool

>> did not find anything with the July and August updates

>>

>> Yahoo Anti Spy, however, did find 4 registry keys it identified as

>> hijackers.

>>

>> One is ISTbar from a company called Internet Search Technologies:

>>

>> hkey_local_machine \software\microsoft\windows\currentversion\internet

>> settings\zonemap\domains\contentmatch.net

>>

>> Three were from Mirar. They had the exact form above but with different

>> domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

>>

>> Thanks for any info

>>

>> Scott

>>

>> Los Angeles

>>

>>

>

> Virtumonde is dangerous because some infestations manifest as a rootkit.

> I had it removed except for one file which kept saying "access denied"

> when I tried to remove it, even in safe mode. Some of these files need

> to be removed from the Dos command prompt, C:\, before their process

> starts, by booting into Recovery Console with the XP install CD. If

> anyone doesn't have that (like just recovery disks) the workaround is,

>

> http://aumha.net/viewtopic.php?f=62&t=31844 by an MS-MVP

> [read the whole thing and do the registry fixes]

>

> Remember to turn off System Restore before deleting this stuff, or

> the malware will get replenished from files Windows backs up with.

> I use more than one anti-spyware for running scans, but not the

> active system protections for each one because they can conflict,

> and also present hard to understand choices like Spybot's TeaTimer

> for example. Firefox has Adblock Plus and NoScript, but none of

> these programs provide very intelligent automatic protection.

> Spyware Doctor seems to work fairly well, but slows the system.

> Remember to turn on System Restore afterward. Before deleting

> registry entries they warn you to backup the registry because in

> some cases removing malware cripples the system.

>

> Use ERUNT for full registry backups, Windows is not comprehensive.

> http://www.winxptutor.com/regback.htm

> I use mbrfix for backing up the mbr but BootitNG of Terabytes

> has two good free programs.

>

> I also like Acronis for doing complete backups, if you have a

> large disk for a hidden backup partition. More than 4 DVDs is too complex.

> A great way is too clone your hard drive to another

> hard drive in the computer just after all the apps are installed

> and it is pristine at about 12-16GB. That guards against hard disk

> failure, you have another disk ready to go. I keep my data cable

> unplugged rather than do incrementals to it. Email backups and

> favorites/bookmarks I backup periodically to cds. For pictures

> DVD data disks is fine.

>

> Since May of last year Malware problems have gone up 407% and my

> success rate and cleaning malware has gone from 85% success, to

> about 20% success, mainly because much malware now have rootkits.

>

> After a person loses his hard drive twice, it really brings home

> the old adage, an ounce of prevention is worth a pound of cure.

>

> Stephen

>

>

[Guest David H. Lipman]

Re: XP: Registry Keys, Malware

 

From: "Scott" <scott@adelphia.net>

 

| Thanks for the info and the links. I was not aware that there was another

| group for this topic.

 

| Scott

| Los Angeles.

 

No problem Scott.

 

Note that there are also anti virus groups in the alt.* hierarchy as well.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest Plato]

Re: XP: Registry Keys, Malware

 

Scott wrote:

>

> What role do registry keys play in malware? Is a registry key sufficient or

> does there need to be a malware program on my computer?

 

Malware can create registry keys, it's almost impossible to find a

program to remove them. Best bet in the future is NOT to install malware

of any sort.

 

--

http://www.bootdisk.com/

[Guest Plato]

Re: XP: Registry Keys, Malware

 

David H. Lipman wrote:

>

> | What role do registry keys play in malware? Is a registry key sufficient or

> | does there need to be a malware program on my computer?

>

> Questions like this SHOULD be asked in an anti malware news group such as;

> microsoft.public.security.virus

 

Malware is not a virus. Since you are new to PC use here is the defn. of

a virus...

 

http://www.bootdisk.com/txtfiles/virus.txt

 

--

http://www.bootdisk.com/

[Guest David H. Lipman]

Re: XP: Registry Keys, Malware

 

From: "Plato" <|@|.|>

 

| David H. Lipman wrote:

>> | What role do registry keys play in malware? Is a registry key sufficient or

>> | does there need to be a malware program on my computer?

>> Questions like this SHOULD be asked in an anti malware news group such as;

>> microsoft.public.security.virus

 

| Malware is not a virus. Since you are new to PC use here is the defn. of

| a virus...

 

Actually, all viruses are malware.

 

There are NO "malware" news groups. The word malware was only added as a real word to the

dictionary this year.

When the original IBM PC was made, there were really only viruses. All the other

sub-catgerories of malware came later.

 

I certainly am on "new to PC", that's for sure!

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest Scott]

Re: XP: Registry Keys, Malware

 

Thanks for replying.

 

Yahoo Anti Spy found these registry keys and removed them. I don't know,

however, if they are associated with Virtumonde. I ran Yahoo Anti-Spy for

the first time when Ad Aware found Virtumonde.

 

I did not install anything that I thought was malware. The only two programs

I downloaded in recent months were the new Real Player, and The Weather

Channel desktop application provided a major update.

 

Scott

Los Angeles

 

"Plato" <|@|.|> wrote in message

news:48b4dc7d$0$4633$bb4e3ad8@newscene.com...

> Scott wrote:

>>

>> What role do registry keys play in malware? Is a registry key sufficient

>> or

>> does there need to be a malware program on my computer?

>

> Malware can create registry keys, it's almost impossible to find a

> program to remove them. Best bet in the future is NOT to install malware

> of any sort.

>

> --

> http://www.bootdisk.com/

[Guest David H. Lipman]

Re: XP: Registry Keys, Malware

 

From: "Plato" <|@|.|>

 

| David H. Lipman wrote:

>> | What role do registry keys play in malware? Is a registry key sufficient or

>> | does there need to be a malware program on my computer?

>> Questions like this SHOULD be asked in an anti malware news group such as;

>> microsoft.public.security.virus

 

| Malware is not a virus. Since you are new to PC use here is the defn. of

| a virus...

 

| http://www.bootdisk.com/txtfiles/virus.txt

 

I don't understand this line...

 

"#4 is necessary to distinguish between viruses and worms, which do not require a host."

 

A worm is a virus that self replicates through network protocols such as NNTP, SMTP,

NetBIOS over IP, RPC, etc. and does require a host. The host is used to generate the

network activity to spread. For example a RBot may use TCP port 135 to send out packets

to another PC's TCP port 135 to exploit a vulnerability in RPC, RPCSS/DCOM and if so

infect that PC and if successful, the infected that PC to will also generate packets

attempting to explot other PCs who have this vulnerability.

 

I will also state that you contradicted youself in the reply of the post...

"Re: win32/adware.virtumonde and win32.privacyremover.m64"

 

Message:

"System restore does not get rid of viruses. Best bet in the future is

NOT to install the virus in the first place."

 

The person was NOT infected with a virus. The person was infected with a Zlob/FakeAlert

type Trojan.

 

I will state that a virus news group is the *best* place to discuss malware.

 

It was early this AM when I , in a haze of Morning, should have replied...

"I certainly am not "new to PC", that's for sure!"

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

[Guest Gary S. Terhune]

Re: XP: Registry Keys, Malware

 

Hey, newbie! Malware may not necessarily be a virus, but a virus is malware,

by definition.

 

http://www.techterms.com/definition/malware

http://en.wikipedia.org/wiki/Malware

http://www.google.com/search?num=100&hl=en&newwindow=1&safe=off&defl=en&q=define:Malware&sa=X&oi=glossary_definition&ct=title

 

Here's the TinyURL in case your newsreader breaks that last URL and you

can't figure out how to put it back together again.

http://tinyurl.com/5ncdxp

 

If you're having problems with the concept of a newsgroup with the word

"virus" in the name being more broadly devoted to discussing malware in

general, then you need professional help of one kind or another. Remedial

English? Psychological counseling? Maybe just a good brawl at your local bar

to get your head straightened up.

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"Plato" <|@|.|> wrote in message

news:48b4dd63$0$4633$bb4e3ad8@newscene.com...

> David H. Lipman wrote:

>>

>> | What role do registry keys play in malware? Is a registry key

>> sufficient or

>> | does there need to be a malware program on my computer?

>>

>> Questions like this SHOULD be asked in an anti malware news group such

>> as;

>> microsoft.public.security.virus

>

> Malware is not a virus. Since you are new to PC use here is the defn. of

> a virus...

>

> http://www.bootdisk.com/txtfiles/virus.txt

>

> --

> http://www.bootdisk.com/