Just to be nasty, some HKEY_C_U malware will put the nasty executable into another user's profile. VIPRE has found some located in the cached "DOCs&Settings" folders of users who were nowhere near the place at the time indicated by the time/date stamp on the malware files.
Again, as I've mentioned at least a time or two on this thread, scans don't find downloaders in "HKEY_C_U" if the user with the corrupted registry is not the person logged in. (Sometimes one needs to start loading NTUSER.DAT files as registry hives and look through all those with local profiles - more fun!)

--
Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL 61802
richardmccl...@aspca.org
P: 217-337-9761  C: 217-417-1182  F: 217-337-9761
www.aspca.org

The information contained in this e-mail, and any attachments hereto, is from The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying or use of the contents of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by reply email and permanently delete the original and any copy of this e-mail and any printout thereof.

John Hornbuckle <john.hornbuc...@taylor.k12.fl.us> wrote on 09/16/2010 05:22:14 AM:

> Oh, it's in the registry. :) In HKEY_CURRENT_USER under the Run key, naturally, so it starts up automagically upon login.
>
> Actually, I believe that if the user who infected the machine has admin rights, it may go under the Run key of HKEY_LOCAL_MACHINE instead, so it impacts ANYONE who logs in. But in our case, all users have limited rights, so the program can't write to that key. Instead, it's limited to the current user.
>
> We've found that when the "tool" is running, it breaks things like regedit and Task Manager in an effort to keep you from killing it and cleaning the machine.
> What we do is to log in with a different account (one with admin rights, of course), run regedit, load the hive of the infected user, then go into their Run key to look for weirdness. We look at the key that calls the malware so that we know what folder and files to delete, then delete those, then delete the key from the registry.
>
> That's all it takes: the next time the user logs in, everything is clean. It's not horribly painful, but it gets old doing it again and again.
>
> John Hornbuckle
> MIS Department
> Taylor County School District
> www.taylor.k12.fl.us
>
> From: MMF [mailto:mmfree...@ameritech.net]
> Sent: Wednesday, September 15, 2010 8:39 PM
> To: NT System Admin Issues
> Subject: RE: #*&$&% "Security Tools" Malware
>
> John is absolutely correct. My brother got this a couple of weeks ago and asked me for help. I found it by going into task manager and looking at all the processes. I noticed one with a very long name and noted its location and it was exactly where John said it was found. So we shut it down and rebooted, and it was back again, but with a new name. Went to its location and this time deleted the folder with the 2 executables. Deleted the folder and that solved the problem. At least my brother hasn't called me back, and he rebooted his machine a number of times to make sure that we had cleansed his laptop. One question, has anyone found anything in the registry relating to this? My brother was satisfied that his laptop was clean, so we didn't look into the registry.
>
> Murray
>
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Wednesday, September 15, 2010 12:56 PM
> To: NT System Admin Issues
> Subject: RE: #*&$&% "Security Tools" Malware
>
> From what I've seen in digging into "Security Tools," the .exe's aren't stored in the IT temp folder. I'm finding them elsewhere under the user's profile \application data\local settings. Some random folder name?
> From: Roger Wright [mailto:rhw...@gmail.com]
> Sent: Wednesday, September 15, 2010 12:30 PM
> To: NT System Admin Issues
> Subject: Re: #*&$&% "Security Tools" Malware
>
> An occasional one manages to slip past VIPRE but they're rare. We've also found that they tend to appear after a reboot even when the user is diligent and immediately kills iexplore.exe.
>
> We set a GP to automatically delete Temp Internet Files when IE is closed - this eliminates those 123456457.exe downloads that are called from registry entries. Since doing so we've had far fewer infections.
>
> Roger Wright
> ___
>
> When it's GOOD there ain't nothin' like it, and when it's BAD there ain't nothin' like it!
>
> On Wed, Sep 15, 2010 at 12:20 PM, John Hornbuckle <john.hornbuc...@taylor.k12.fl.us> wrote:
>
> The "Security Tools" malware is about to drive me insane. My users keep managing to infect themselves with it, and we're having trouble stopping it.
>
> They don't run with admin rights, so there's no real damage done to their systems and we can clean it up in about two minutes. But the time adds up, and I'm tired of my technicians having to waste time on it.
>
> Our antimalware software is Microsoft's Forefront Client Security, and it's having a tough time catching this. Every time I get infected, I send the EXE to Microsoft and they update their definitions, but the EXE's used by the malware apparently change rapidly, and seem to constantly be a step ahead of FCS's definitions.
>
> I can think of a couple of options that I know would stop it, like blocking all EXE's at our web filter or using group policy to limit the running of EXE's, but this would also prevent users from doing things like installing safe plug-ins from websites, so it's not a first resort.
>
> Suggestions?
>
> John Hornbuckle
> MIS Department
> Taylor County School District
> www.taylor.k12.fl.us
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure.
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 9.0.851 / Virus Database: 271.1.1/3136 - Release Date: 09/15/10 01:34:00
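The two-account cleanup John describes (log in as a different admin, load the infected user's hive, inspect the Run key) and Richard's point that scanners miss HKEY_CURRENT_USER entries for users who are not logged in, turned into a read-only audit. This is an added example, not code from anyone on the thread; it assumes an elevated PowerShell session, and the hive name AuditHive and the function name Get-RunValues are my own choices.

```powershell
# Added example (not from the thread): list the per-user Run/RunOnce values of every
# local profile, loading NTUSER.DAT as a temporary hive for users who are logged out,
# so autostarts that live only under that user's HKCU become visible for review.
# Assumptions: elevated PowerShell; 'AuditHive' is an arbitrary temporary hive name.
$runSubKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce')

function Get-RunValues {
    param([string]$HiveRoot)   # 'HKU:\S-1-5-21-...' (logged in) or 'HKU:\AuditHive' (loaded)
    foreach ($sub in $runSubKeys) {
        $keyPath = Join-Path $HiveRoot $sub
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item $keyPath
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $sub; Name = $name; Command = [string]$key.GetValue($name) }
        }
        $key.Close()   # release the handle so the hive can be unloaded again
    }
}

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# ProfileList maps each local account SID to its profile folder
$profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
            Where-Object { $_.PSChildName -like 'S-1-5-21-*' }

foreach ($p in $profiles) {
    $sid  = $p.PSChildName
    $dir  = [Environment]::ExpandEnvironmentVariables($p.ProfileImagePath)
    $hive = Join-Path $dir 'NTUSER.DAT'
    $values = @()
    if (Test-Path "HKU:\$sid") {
        $values = Get-RunValues "HKU:\$sid"              # logged in: hive already mounted
    } elseif (Test-Path $hive) {
        & reg.exe load 'HKU\AuditHive' $hive | Out-Null  # logged out: mount NTUSER.DAT ourselves
        try     { $values = Get-RunValues 'HKU:\AuditHive' }
        finally { [gc]::Collect(); & reg.exe unload 'HKU\AuditHive' | Out-Null }
    }
    foreach ($v in $values) {
        # an autostart whose command sits inside the profile folder matches what the thread saw
        $inProfile = $v.Command.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0
        $flag = if ($inProfile) { '  <-- runs from user profile' } else { '' }
        '{0}  {1}\{2} = {3}{4}' -f $sid, $v.Key, $v.Name, $v.Command, $flag
    }
}
```

The script only reports; removing a flagged value and its files stays a manual step after someone has looked at it, as in the thread. Unloading fails if anything still holds a handle to the loaded hive, which is why the key objects are closed before reg.exe unload runs.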