Guest Scott
Posted August 23, 2008

What role do registry keys play in malware? Is a registry key sufficient or does there need to be a malware program on my computer?

Details.

I run Ad-Aware 2008 Free every week and on Aug 5 it found Virtumonde. According to Lavasoft, this is in the top 5 of threats going around now.

File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger

My notes do not mention that I checked to see if Ad-Aware also found registry keys.

Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and they did not find Virtumonde. Microsoft Malicious Software Removal Tool did not find anything with the July and August updates.

Yahoo Anti Spy, however, did find 4 registry keys it identified as hijackers.

One is ISTbar from a company called Internet Search Technologies:

hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\contentmatch.net

Three were from Mirar. They had the exact form above but with different domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

Thanks for any info

Scott
Los Angeles
Guest David H. Lipman
Posted August 23, 2008
Re: XP: Registry Keys, Malware

From: "Scott" <scott@adelphia.net>

| What role do registry keys play in malware? Is a registry key sufficient or
| does there need to be a malware program on my computer?

| Details.

| I run Ad-Aware 2008 Free every week and on Aug 5 it found Virtumonde.
| According to Lavasoft, this is in the top 5 of threats going around now.

| File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger

| My notes do not mention that I checked to see if Ad-Aware also found
| registry keys.

| Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and they
| did not find Virtumonde. Microsoft Malicious Software Removal Tool did not
| find anything with the July and August updates.

| Yahoo Anti Spy, however, did find 4 registry keys it identified as
| hijackers.

| One is ISTbar from a company called Internet Search Technologies:

| hkey_local_machine\software\microsoft\windows\currentversion\internet
| settings\zonemap\domains\contentmatch.net

| Three were from Mirar. They had the exact form above but with different
| domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

| Thanks for any info

| Scott

| Los Angeles

Questions like this SHOULD be asked in an anti malware news group such as;
microsoft.public.security.virus

The Registry loads software as well as provides information as to how software should run, its parameters and settings and a myriad of other pertinent information.

Example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Relates to how Internet Explorer handles specific Internet Domain sites such as; MSN.COM

Malware will modify such settings to allow it maximum exposure and security capabilities to allow it to do what it wants.

Some keys such as;
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Will load software entered into its keys.

Other locations like...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Will load DLL files into the Winlogon process.
Others will load into the Windows Explorer process (explorer.exe)

Now if a key loads a file and that file does not exist, it can load the payload.
Additionally, if a file needs a registry point to load and that registry point does not exist in the registry then that file can't be loaded into the OS.

Thus the registry plays an integral part of integrating malware into the OS.

A simple piece of malware may just run an EXE file from...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

or a DLL via RUNDLL32 from the same location.

A more complex piece of malware may have many entries in the registry as in the following example URL
http://vil.nai.com/vil/Content/v_143470.htm

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
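As an added example (not written by anyone in the thread), the following read-only PowerShell script walks the three locations Dave lists (the Run keys, Winlogon\Notify and ZoneMap\Domains) and reports autostart targets that no longer exist on disk and domains that have been granted the Intranet or Trusted zone. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the helper function names are mine.

```powershell
# Added example (not from the thread): read-only audit of the registry
# locations Dave names. Windows PowerShell 5.1+, run elevated. Modifies nothing.
$ErrorActionPreference = 'SilentlyContinue'

function Get-LoadedFile {
    # Reduce a Run command to the file Windows actually loads, e.g.
    # "C:\a b\x.exe" /q -> C:\a b\x.exe ; rundll32 foo.dll,Entry -> foo.dll
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)') { return $Matches[1] }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-FileOnSystem {
    # Bare names (foo.dll) are resolved like the loader would: System32, then Windows.
    param([string]$File)
    foreach ($dir in @('', "$env:SystemRoot\System32", $env:SystemRoot)) {
        $candidate = if ($dir) { Join-Path $dir $File } else { $File }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $true }
    }
    return $false
}

function Get-RegistryValues {
    # Name/Value pairs of a key, minus PowerShell's own PS* metadata properties.
    param([string]$Path)
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
}

function Get-AutostartAudit {
    # 1. Run keys: each value is a command launched at logon. Flag targets
    #    that are no longer on disk; every entry here needs explaining anyway.
    foreach ($key in 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        foreach ($v in Get-RegistryValues $key) {
            $file = Get-LoadedFile ([string]$v.Value)
            $flag = if (Test-FileOnSystem $file) { '' } else { 'target missing' }
            [pscustomobject]@{ Source = 'Run'; Name = $v.Name; Detail = $file; Flag = $flag }
        }
    }
    # 2. Winlogon\Notify: each subkey's DllName is loaded into winlogon.exe.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        if (-not $dll) { continue }
        $flag = if (Test-FileOnSystem $dll) { '' } else { 'target missing' }
        [pscustomobject]@{ Source = 'WinlogonNotify'; Name = $sub.PSChildName; Detail = $dll; Flag = $flag }
    }
    # 3. ZoneMap\Domains: one DWORD per scheme puts a site in an IE zone
    #    (1 = Local intranet, 2 = Trusted sites). The ISTbar/Mirar entries in
    #    the thread lived under this key, so list every relaxed-zone grant.
    $zonePath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    foreach ($root in "HKCU:\$zonePath", "HKLM:\$zonePath") {
        foreach ($dom in Get-ChildItem -Path $root -Recurse) {
            $domain = $dom.Name.Substring($dom.Name.IndexOf('Domains\') + 8)
            foreach ($v in Get-RegistryValues $dom.PSPath) {
                if ($v.Value -in @(1, 2)) {
                    [pscustomobject]@{ Source = 'ZoneMap'; Name = $domain; Detail = "$($v.Name) -> zone $($v.Value)"; Flag = 'relaxed zone grant' }
                }
            }
        }
    }
}

Get-AutostartAudit | Format-Table -AutoSize
```

Compare the output against a known-good machine or the vendor's documentation before removing anything, and take a registry backup first, as Stephen advises later in the thread.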
Guest Stephen Harris
Posted August 23, 2008
Re: XP: Registry Keys, Malware

Scott wrote:
> What role do registry keys play in malware? Is a registry key sufficient or
> does there need to be a malware program on my computer?
>
> Details.
>
> I run Ad-Aware 2008 Free every week and on Aug 5 it found Virtumonde.
> According to Lavasoft, this is in the top 5 of threats going around now.
>
> File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger
>
> My notes do not mention that I checked to see if Ad-Aware also found
> registry keys.
>
> Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and they
> did not find Virtumonde. Microsoft Malicious Software Removal Tool did not
> find anything with the July and August updates.
>
> Yahoo Anti Spy, however, did find 4 registry keys it identified as
> hijackers.
>
> One is ISTbar from a company called Internet Search Technologies:
>
> hkey_local_machine\software\microsoft\windows\currentversion\internet
> settings\zonemap\domains\contentmatch.net
>
> Three were from Mirar. They had the exact form above but with different
> domain names at the end: mirarseach.com, netnucleus.com, getmirar.com
>
> Thanks for any info
>
> Scott
>
> Los Angeles
>

Virtumonde is dangerous because some infestations manifest as a rootkit. I had it removed except for one file which kept saying "access denied" when I tried to remove it, even in safe mode. Some of these files need to be removed from the DOS command prompt, C:\, before their process starts, by booting into Recovery Console with the XP install CD. If anyone doesn't have that (like just recovery disks) the workaround is

http://aumha.net/viewtopic.php?f=62&t=31844 by an MS-MVP
[read the whole thing and do the registry fixes]

Remember to turn off System Restore before deleting this stuff, or the malware will get replenished from files Windows backs up with.

I use more than one anti-spyware for running scans, but not the active system protections for each one because they can conflict, and also present hard to understand choices like Spybot's TeaTimer for example. Firefox has Adblock Plus and NoScript, but none of these programs provide very intelligent automatic protection. Spyware Doctor seems to work fairly well, but slows the system. Remember to turn on System Restore afterward. Before deleting registry entries they warn you to back up the registry because in some cases removing malware cripples the system.

Use ERUNT for full registry backups, Windows is not comprehensive.
http://www.winxptutor.com/regback.htm
I use mbrfix for backing up the MBR but BootitNG of Terabytes has two good free programs.

I also like Acronis for doing complete backups, if you have a large disk for a hidden backup partition. More than 4 DVDs is too complex. A great way is to clone your hard drive to another hard drive in the computer just after all the apps are installed and it is pristine at about 12-16GB. That guards against hard disk failure, you have another disk ready to go. I keep my data cable unplugged rather than do incrementals to it. Email backups and favorites/bookmarks I back up periodically to CDs. For pictures DVD data disks is fine.

Since May of last year malware problems have gone up 407% and my success rate at cleaning malware has gone from 85% success, to about 20% success, mainly because much malware now has rootkits.

After a person loses his hard drive twice, it really brings home the old adage, an ounce of prevention is worth a pound of cure.

Stephen
Guest Scott
Posted August 25, 2008
Re: XP: Registry Keys, Malware

Thanks for the info and the links. I was not aware that there was another group for this topic.

Scott
Los Angeles.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23qkNQXMBJHA.1628@TK2MSFTNGP02.phx.gbl...
> From: "Scott" <scott@adelphia.net>
>
> | What role do registry keys play in malware? Is a registry key sufficient or
> | does there need to be a malware program on my computer?
>
> | Details.
>
> | I run Ad-Aware 2008 Free every week and on Aug 5 it found Virtumonde.
> | According to Lavasoft, this is in the top 5 of threats going around now.
>
> | File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger
>
> | My notes do not mention that I checked to see if Ad-Aware also found
> | registry keys.
>
> | Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and they
> | did not find Virtumonde. Microsoft Malicious Software Removal Tool did not
> | find anything with the July and August updates.
>
> | Yahoo Anti Spy, however, did find 4 registry keys it identified as
> | hijackers.
>
> | One is ISTbar from a company called Internet Search Technologies:
>
> | hkey_local_machine\software\microsoft\windows\currentversion\internet
> | settings\zonemap\domains\contentmatch.net
>
> | Three were from Mirar. They had the exact form above but with different
> | domain names at the end: mirarseach.com, netnucleus.com, getmirar.com
>
> | Thanks for any info
>
> | Scott
>
> | Los Angeles
>
>
> Questions like this SHOULD be asked in an anti malware news group such as;
> microsoft.public.security.virus
>
> The Registry loads software as well as provides information as to how
> software should run, its parameters and settings and a myriad of other
> pertinent information.
>
> Example:
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
>
> Relates to how Internet Explorer handles specific Internet Domain sites
> such as; MSN.COM
>
> Malware will modify such settings to allow it maximum exposure and
> security capabilities to allow it to do what it wants.
>
> Some keys such as;
> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Will load software entered into its keys.
>
> Other locations like...
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
>
> Will load DLL files into the Winlogon process.
> Others will load into the Windows Explorer process (explorer.exe)
>
> Now if a key loads a file and that file does not exist, it can load the
> payload.
> Additionally, if a file needs a registry point to load and that registry
> point does not exist in the registry then that file can't be loaded into
> the OS.
>
> Thus the registry plays an integral part of integrating malware into
> the OS.
>
> A simple piece of malware may just run an EXE file from...
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> or a DLL via RUNDLL32 from the same location.
>
> A more complex piece of malware may have many entries in the registry as
> in the following example URL
> http://vil.nai.com/vil/Content/v_143470.htm
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
Guest Scott
Posted August 25, 2008
Re: XP: Registry Keys, Malware

Thanks for the info and the links. Ad-Aware has not detected a re-infection so I trust I am clean. That's bad news that malware is using rootkits now.

Scott
Los Angeles

"Stephen Harris" <cyberguard-1048@yahoo.com> wrote in message news:YCOrk.37587$ZE5.11422@nlpi061.nbdc.sbc.com...
> Scott wrote:
>> What role do registry keys play in malware? Is a registry key sufficient
>> or does there need to be a malware program on my computer?
>>
>> Details.
>>
>> I run Ad-Aware 2008 Free every week and on Aug 5 it found Virtumonde.
>> According to Lavasoft, this is in the top 5 of threats going around now.
>>
>> File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger
>>
>> My notes do not mention that I checked to see if Ad-Aware also found
>> registry keys.
>>
>> Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and
>> they did not find Virtumonde. Microsoft Malicious Software Removal Tool
>> did not find anything with the July and August updates.
>>
>> Yahoo Anti Spy, however, did find 4 registry keys it identified as
>> hijackers.
>>
>> One is ISTbar from a company called Internet Search Technologies:
>>
>> hkey_local_machine\software\microsoft\windows\currentversion\internet
>> settings\zonemap\domains\contentmatch.net
>>
>> Three were from Mirar. They had the exact form above but with different
>> domain names at the end: mirarseach.com, netnucleus.com, getmirar.com
>>
>> Thanks for any info
>>
>> Scott
>>
>> Los Angeles
>>
>>
>
> Virtumonde is dangerous because some infestations manifest as a rootkit.
> I had it removed except for one file which kept saying "access denied"
> when I tried to remove it, even in safe mode. Some of these files need
> to be removed from the DOS command prompt, C:\, before their process
> starts, by booting into Recovery Console with the XP install CD. If
> anyone doesn't have that (like just recovery disks) the workaround is
>
> http://aumha.net/viewtopic.php?f=62&t=31844 by an MS-MVP
> [read the whole thing and do the registry fixes]
>
> Remember to turn off System Restore before deleting this stuff, or
> the malware will get replenished from files Windows backs up with.
> I use more than one anti-spyware for running scans, but not the
> active system protections for each one because they can conflict,
> and also present hard to understand choices like Spybot's TeaTimer
> for example. Firefox has Adblock Plus and NoScript, but none of
> these programs provide very intelligent automatic protection.
> Spyware Doctor seems to work fairly well, but slows the system.
> Remember to turn on System Restore afterward. Before deleting
> registry entries they warn you to back up the registry because in
> some cases removing malware cripples the system.
>
> Use ERUNT for full registry backups, Windows is not comprehensive.
> http://www.winxptutor.com/regback.htm
> I use mbrfix for backing up the MBR but BootitNG of Terabytes
> has two good free programs.
>
> I also like Acronis for doing complete backups, if you have a
> large disk for a hidden backup partition. More than 4 DVDs is too complex.
> A great way is to clone your hard drive to another
> hard drive in the computer just after all the apps are installed
> and it is pristine at about 12-16GB. That guards against hard disk
> failure, you have another disk ready to go. I keep my data cable
> unplugged rather than do incrementals to it. Email backups and
> favorites/bookmarks I back up periodically to CDs. For pictures
> DVD data disks is fine.
>
> Since May of last year malware problems have gone up 407% and my
> success rate at cleaning malware has gone from 85% success, to
> about 20% success, mainly because much malware now has rootkits.
>
> After a person loses his hard drive twice, it really brings home
> the old adage, an ounce of prevention is worth a pound of cure.
>
> Stephen
>
>
Guest David H. Lipman
Posted August 25, 2008
Re: XP: Registry Keys, Malware

From: "Scott" <scott@adelphia.net>

| Thanks for the info and the links. I was not aware that there was another
| group for this topic.

| Scott
| Los Angeles.

No problem Scott.

Note that there are also anti virus groups in the alt.* hierarchy as well.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Plato
Posted August 27, 2008
Re: XP: Registry Keys, Malware

Scott wrote:
>
> What role do registry keys play in malware? Is a registry key sufficient or
> does there need to be a malware program on my computer?

Malware can create registry keys, it's almost impossible to find a program to remove them. Best bet in the future is NOT to install malware of any sort.

--
http://www.bootdisk.com/
Guest Plato
Posted August 27, 2008
Re: XP: Registry Keys, Malware

David H. Lipman wrote:
>
> | What role do registry keys play in malware? Is a registry key sufficient or
> | does there need to be a malware program on my computer?
>
> Questions like this SHOULD be asked in an anti malware news group such as;
> microsoft.public.security.virus

Malware is not a virus. Since you are new to PC use here is the defn. of a virus...

http://www.bootdisk.com/txtfiles/virus.txt

--
http://www.bootdisk.com/
Guest David H. Lipman
Posted August 27, 2008
Re: XP: Registry Keys, Malware

From: "Plato" <|@|.|>

| David H. Lipman wrote:

>> | What role do registry keys play in malware? Is a registry key sufficient or
>> | does there need to be a malware program on my computer?

>> Questions like this SHOULD be asked in an anti malware news group such as;
>> microsoft.public.security.virus

| Malware is not a virus. Since you are new to PC use here is the defn. of
| a virus...

Actually, all viruses are malware. There are NO "malware" news groups. The word malware was only added as a real word to the dictionary this year. When the original IBM PC was made, there were really only viruses. All the other sub-categories of malware came later.

I certainly am on "new to PC", that's for sure!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Scott
Posted August 27, 2008
Re: XP: Registry Keys, Malware

Thanks for replying. Yahoo Anti Spy found these registry keys and removed them. I don't know, however, if they are associated with Virtumonde. I ran Yahoo Anti-Spy for the first time when Ad Aware found Virtumonde.

I did not install anything that I thought was malware. The only two programs I downloaded in recent months were the new Real Player, and The Weather Channel desktop application provided a major update.

Scott
Los Angeles

"Plato" <|@|.|> wrote in message news:48b4dc7d$0$4633$bb4e3ad8@newscene.com...
> Scott wrote:
>>
>> What role do registry keys play in malware? Is a registry key sufficient
>> or does there need to be a malware program on my computer?
>
> Malware can create registry keys, it's almost impossible to find a
> program to remove them. Best bet in the future is NOT to install malware
> of any sort.
>
> --
> http://www.bootdisk.com/
Guest David H. Lipman
Posted August 27, 2008
Re: XP: Registry Keys, Malware

From: "Plato" <|@|.|>

| David H. Lipman wrote:

>> | What role do registry keys play in malware? Is a registry key sufficient or
>> | does there need to be a malware program on my computer?

>> Questions like this SHOULD be asked in an anti malware news group such as;
>> microsoft.public.security.virus

| Malware is not a virus. Since you are new to PC use here is the defn. of
| a virus...

| http://www.bootdisk.com/txtfiles/virus.txt

I don't understand this line...

"#4 is necessary to distinguish between viruses and worms, which do not require a host."

A worm is a virus that self replicates through network protocols such as NNTP, SMTP, NetBIOS over IP, RPC, etc. and does require a host. The host is used to generate the network activity to spread. For example an RBot may use TCP port 135 to send out packets to another PC's TCP port 135 to exploit a vulnerability in RPC, RPCSS/DCOM and, if successful, infect that PC; that infected PC will then also generate packets attempting to exploit other PCs that have this vulnerability.

I will also state that you contradicted yourself in the reply to the post...
"Re: win32/adware.virtumonde and win32.privacyremover.m64"

Message:
"System restore does not get rid of viruses. Best bet in the future is NOT to install the virus in the first place."

The person was NOT infected with a virus. The person was infected with a Zlob/FakeAlert type Trojan.

I will state that a virus news group is the *best* place to discuss malware.

It was early this AM when I, in a haze of morning, should have replied...
"I certainly am not "new to PC", that's for sure!"

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Gary S. Terhune
Posted August 27, 2008
Re: XP: Registry Keys, Malware

Hey, newbie! Malware may not necessarily be a virus, but a virus is malware, by definition.

http://www.techterms.com/definition/malware
http://en.wikipedia.org/wiki/Malware
http://www.google.com/search?num=100&hl=en&newwindow=1&safe=off&defl=en&q=define:Malware&sa=X&oi=glossary_definition&ct=title

Here's the TinyURL in case your newsreader breaks that last URL and you can't figure out how to put it back together again.
http://tinyurl.com/5ncdxp

If you're having problems with the concept of a newsgroup with the word "virus" in the name being more broadly devoted to discussing malware in general, then you need professional help of one kind or another. Remedial English? Psychological counseling? Maybe just a good brawl at your local bar to get your head straightened up.

--
Gary S. Terhune
MS-MVP Shell/User
http://grystmill.com

"Plato" <|@|.|> wrote in message news:48b4dd63$0$4633$bb4e3ad8@newscene.com...
> David H. Lipman wrote:
>>
>> | What role do registry keys play in malware? Is a registry key
>> sufficient or
>> | does there need to be a malware program on my computer?
>>
>> Questions like this SHOULD be asked in an anti malware news group such
>> as;
>> microsoft.public.security.virus
>
> Malware is not a virus. Since you are new to PC use here is the defn. of
> a virus...
>
> http://www.bootdisk.com/txtfiles/virus.txt
>
> --
> http://www.bootdisk.com/