From: SnoBoy on 16 Mar 2010 13:58

In the aftermath of an infection, after deleting the file ave.exe from the user's profile, I discovered that a registry key is different if I log in as a different admin user than the one that was logged in when the infection happened.

When logged in as the user who was logged in at the time of infection, HKEY_CLASSES_ROOT\.exe had an additional \shell\open\command entry that opened ave.exe every time you attempted to run any program.

When logging in as a different admin user, that key wasn't there and instead there was a different key, the expected key: PersistentHandler

It appears to me that this is far more than a simple fake antivirus malware infection, so I am reformatting and reinstalling.

Question is, shouldn't the HKEY_CLASSES_ROOT hive be the same for all users unless there is some sort of rootkit-like behavior going on?
From: MEB on 16 Mar 2010 16:03

On 03/16/2010 01:58 PM, SnoBoy wrote:
> In the aftermath of an infection, after deleting the file ave.exe from the
> user's profile, I discovered that a registry key is different if I log in as
> a different admin user than the one that was logged in when the infection
> happened.
>
> When logged in as the user who was logged in at the time of infection,
> HKEY_CLASSES_ROOT\.exe had an additional \shell\open\command entry that
> opened ave.exe every time you attempted to run any program.
>
> When logging in as a different admin user, that key wasn't there and instead,
> there was a different key - the expected key: PersistentHandler
>
> It appears to me that this is far more than a simple fake antivirus malware
> infection, so I am reformatting and reinstalling.
>
> Question is, shouldn't the HKEY_CLASSES_ROOT hive be the same for all users
> unless there is some sort of rootkit-like behavior going on?

Typical of this type of malicious activity; however, it also protects itself from discovery.

http://www.prevx.com/filenames/2108630271898590013-X1/AVE.EXE.html

Interestingly, you can find sites that claim it is a safe file, as the name may be/has been used by supposedly legitimate programs. Of course, that is one method of hiding malware. Associated with Vista Total Care/Vista Security Tool 2010 and several others.

Two other of the various keys affected also include:

HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\secfile

Your present course of re-installing is the safest method. Make sure to zero and re-format using the manufacturer's disk tools, if possible.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
From: VanguardLH on 16 Mar 2010 16:39

SnoBoy wrote:
> In the aftermath of an infection, after deleting the file ave.exe from the
> user's profile, I discovered that a registry key is different if I log in as
> a different admin user than the one that was logged in when the infection
> happened.
>
> When logged in as the user who was logged in at the time of infection,
> HKEY_CLASSES_ROOT\.exe had an additional \shell\open\command entry that
> opened ave.exe every time you attempted to run any program.
>
> When logging in as a different admin user, that key wasn't there and instead,
> there was a different key - the expected key: PersistentHandler
>
> It appears to me that this is far more than a simple fake antivirus malware
> infection, so I am reformatting and reinstalling.
>
> Question is, shouldn't the HKEY_CLASSES_ROOT hive be the same for all users
> unless there is some sort of rootkit-like behavior going on?

There are only 2 real registry hives:

HKEY_LOCAL_MACHINE
HKEY_USERS

All the others are pseudo-hives because they are compiled from entries under these two real hives. If you look under HKEY_USERS, you will see there are separate sub-branches for each Windows account (listed by the S-1-5-21 SID number). The branch for your account gets melded into the pseudo-hives when you log in under that account.

There is a Classes branch under the global (machine) hive. There is a Classes branch under each user account. HKEY_CLASSES_ROOT is a pseudo-hive composed of the global and user (the one currently logged in) Classes branches.

http://www.amazon.com/s/?url=search-alias%3Daps&field-keywords=windows+registry

You might find these at your local public library. If you're going to dig into the registry, you need to know some about how it works.
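Since HKEY_CLASSES_ROOT is merged from the machine Classes branch and the logged-in user's Classes branch, an .exe hijack living only in one user's branch is invisible from another account. The following script is an added example (not from this thread or any of its posters) that reads each source branch separately, so every loaded user hive is checked from a single admin session; the expected open command `"%1" %*` and ProgID `exefile` are assumed stock values.

```powershell
# Added example: list the per-hive sources of the HKEY_CLASSES_ROOT\.exe view.
# Run from an elevated PowerShell prompt; it only reads, nothing is changed.
$expectedCommand = '"%1" %*'    # assumed stock open command for exefile

# HKEY_USERS is not mapped as a PowerShell drive by default
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Branches merged into HKCR: the machine branch plus the Classes branch of
# every loaded user hive (only profiles of logged-on users are loaded; an
# offline profile would need to be loaded with reg.exe first).
$sources = @('HKLM:\SOFTWARE\Classes')
$sources += Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-.*\d$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Classes" }

function Get-ExeAssociation {
    param([string]$ClassesRoot)
    $r = [ordered]@{ Source = $ClassesRoot; ProgId = $null
                     DirectCommand = $null; ProgIdCommand = $null }
    $ext = Get-Item "$ClassesRoot\.exe" -ErrorAction SilentlyContinue
    if (-not $ext) { return [pscustomobject]$r }   # branch absent: nothing merged
    $r.ProgId = $ext.GetValue('')
    # A shell\open\command directly under .exe (not under the ProgID) is what
    # the original post observed, so record it if present.
    $direct = Get-Item "$ClassesRoot\.exe\shell\open\command" -ErrorAction SilentlyContinue
    if ($direct) { $r.DirectCommand = $direct.GetValue('') }
    if ($r.ProgId) {
        $prog = Get-Item "$ClassesRoot\$($r.ProgId)\shell\open\command" -ErrorAction SilentlyContinue
        if ($prog) { $r.ProgIdCommand = $prog.GetValue('') }
    }
    return [pscustomobject]$r
}

foreach ($src in $sources) {
    $a = Get-ExeAssociation -ClassesRoot $src
    $flags = @()
    if ($a.DirectCommand) { $flags += 'command-under-extension' }
    if ($a.ProgIdCommand -and $a.ProgIdCommand -ne $expectedCommand) { $flags += 'non-default-progid-command' }
    if ($a.ProgId -and $a.ProgId -ne 'exefile') { $flags += "progid=$($a.ProgId)" }
    $status = if ($flags) { 'SUSPECT: ' + ($flags -join ', ') } else { 'ok' }
    "{0}`n  ProgID={1}  direct={2}  progid-command={3}`n  {4}" -f `
        $a.Source, $a.ProgId, $a.DirectCommand, $a.ProgIdCommand, $status
}
```

A user branch that is absent or carries no .exe key reports `ok` with empty fields, which is the normal state; a user branch that points .exe at its own ProgID or carries a command directly under the extension is the pattern the thread describes.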