Technibble Forums > Technical Discussions > Security, Viruses and Trojans
#1  ZPR  06-29-2012, 03:00 PM
Can the software hive really become infected (Win32:Tiny-ADU), only Avast detects?

I'm beginning to think this is a false positive, as it's been over a week since Avast tagged the software registry hive as a virus. It even deleted several of the hive backups in System Restore, and when I uploaded it to VirusTotal the only engine that says anything is Avast.

I've already used D7 and a few other tools and found nothing. Avast keeps saying it is Win32:Tiny-ADU [Trj]. I also cannot find very much information online about this particular infection.

Has anyone else dealt with this and knows whether it's safe to say it's a false positive?

It started on the 20th: Avast just opened up, and my customer clicked to move it to the "virus chest", which made the PC unbootable.

Even if I go into regedit and export the software hive into a new file, it still gets picked up by Avast.

It's Win XP SP3.
#2  Encrypted Existence  06-29-2012, 03:08 PM

Have a look on the Avast! forum or contact their support team.
#3  jbartlett323  06-29-2012, 06:35 PM

Think you'd better try Google again, because for a virus without much info, the first page of Google is covered in info about it infecting registry hives and restore points... And this thread is there too!!

Anyway, 2 seconds and it looks pretty legit to me... and as an Avast! user, they don't seem to FP very often...
#4  ZPR  06-29-2012, 07:29 PM

Yeah, just heard back from Avast! and it's not a false positive. There's an exe embedded inside the hive. Once I opened it in a hex editor I saw the exe embedded about halfway into the original hive, and if you export it as a new hive it's still there.

What's the best way to remove this exe stub from the registry hive?

I did Google, and what I mostly came across were reports of it infecting the hives in System Restore. Plus, I would want to learn more about how it did that rather than just running HitmanPro or ComboFix, which I may end up having to do if there's no other way.

The weird part is that Avast on the customer's computer isn't showing anything now after a full scan. The exe is still embedded in the hive, so I'm not sure what to think of that.

But if I knew just how big it was, I could just zero that part of the file out. It's funny that it still has the "This program cannot be run in DOS mode" stub at the start of the actual exe.

Edit: Would it not be possible to just remove the exe header along with the import sections and the start of the actual program, rendering the exe part corrupt? Or would it just cause issues down the road with the Windows registry?

Last edited by ZPR; 06-29-2012 at 07:57 PM. Reason: Brainstorming Ideas
#5  ComputerRepairTech  06-29-2012, 07:58 PM

I've never heard of that one. Anyway, you can submit it to VirusTotal or something and see if some other names come up. Maybe there's a specific cleaner for it.

Otherwise, my first idea would be to find a way to export the data from the hive (obviously not using a utility that just backs up the hive files themselves), then boot into another system with a boot disc where I already have the registry backed up, so I can import the backed-up data into this system, save the hive file (so I now have a clean hive file to use later), and restore the backup on this other system so that it continues to run fine.

*shrug* That's all I got.
__________________
Computer Repair Tech
#6  ZPR  06-29-2012, 08:05 PM

Quote: Originally Posted by ComputerRepairTech
I've never heard of that one. Anyway, you can submit it to VirusTotal or something and see if some other names come up. Maybe there's a specific cleaner for it.

Otherwise, my first idea would be to find a way to export the data from the hive (obviously not using a utility that just backs up the hive files themselves), then boot into another system with a boot disc where I already have the registry backed up, so I can import the backed-up data into this system, save the hive file (so I now have a clean hive file to use later), and restore the backup on this other system so that it continues to run fine.

*shrug* That's all I got.
As I said in my first post, I already uploaded it to VirusTotal; Avast is the only one that shows up, and I booted to BartPE and exported a registry hive that way. It still had the exe embedded. I'm at a loss on how to remove the embedded exe. I do know that I can edit the actual headers and disable it from running, but I'm not sure how stable that is long term.
#7  FoolishTech  06-29-2012, 08:49 PM

You might try a massive reg export / import.

Utilize a clean registry software hive from a fresh install, in a VM... yeah... that might be the easiest way. First export the entire HKLM\Software branch from your infected install, boot the VM with a clean install and import the resulting .reg file. Then copy the new software hive from the VM to a flash drive, load your infected system with a live disk, and replace the software hive. *shrug*
__________________
Author of d7 & d7II, and TONS of other FREE PC technician's tools. www.FoolishIT.com
Author of CryptoPrevent - Crypto/Malware prevention for any OS.
Latest free tool: dBug - Neutralize malware preventing you from running removal tools.
NEW d7II single technician pricing!
#8  ZPR  06-29-2012, 10:04 PM

Quote: Originally Posted by FoolishTech
You might try a massive reg export / import.

Utilize a clean registry software hive from a fresh install, in a VM... yeah... that might be the easiest way. First export the entire HKLM\Software branch from your infected install, boot the VM with a clean install and import the resulting .reg file. Then copy the new software hive from the VM to a flash drive, load your infected system with a live disk, and replace the software hive. *shrug*
Would that mess the permissions up? But it's worth a shot, I suppose. It does make me wonder how the registry isn't corrupted. I'll give it a go in the morning and see how it goes.

Edit: d7 has a permission fixer; wouldn't that fix the permissions?

Last edited by ZPR; 06-29-2012 at 10:17 PM. Reason: added question about d7
#9  FoolishTech  06-30-2012, 01:00 PM

Quote: Originally Posted by ZPR
Would that mess the permissions up? But it's worth a shot, I suppose. It does make me wonder how the registry isn't corrupted. I'll give it a go in the morning and see how it goes.

Edit: d7 has a permission fixer; wouldn't that fix the permissions?
It should...........

Since you bring up permissions I completely forgot about them!!!!

When you fire up REGEDIT to export HKLM\Software, you should probably run regedit with SYSTEM access to get around any permissions issues with exporting everything. Since you know about D7, fire it up, go to the RUN menu, and run regedit from there with system access.
#10  ZPR  06-30-2012, 02:04 PM

I just tried the export to a .reg file and imported it a few times, then I made a completely empty hive and imported the .reg backup, but it is still there.

All I know to do is just scroll through the .reg file till something comes up. Attached you can see the exe header perfectly fine in a hex editor.

So can D7 run in BartPE?

Edit: I found it. It was hiding under Classes\U29G08004 with the names AD0, N0AD0 and U29G08004. I searched for 4D,5A and there it was. I guess I now know how it became infected. But I still wonder how you would even execute it.

Edit 2: Part of it is gone; going to do some more searching to find out where the other part is.

Edit 3: After exporting the software hive into a new hive, the exe header wasn't found. I will do a few more checks, but that seemed to work. Thanks for the guidance, FoolishTech; if I hadn't done the mass registry export I could still be looking for it right now.
Attached: Screenshot-software_new - GHex.gif

Last edited by ZPR; 06-30-2012 at 03:10 PM. Reason: found it
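The search ZPR did by hand in posts #4 and #10 (looking for the 4D 5A "MZ" header in the exported .reg file and in the raw hive) can be scripted. What follows is an added example, not code from the thread, from d7 or from Avast: a Python scanner that parses a regedit .reg export, decodes each hex-typed value, and reports a value that carries an MZ header, confirmed by following e_lfanew (offset 0x3C) to a "PE\0\0" signature, or flagged unconfirmed when only the "This program cannot be run in DOS mode" stub text is present, which is what a fragment cut off before the PE header looks like. The key and value names in the constructed sample (Classes\U29G08004, AD0, N0AD0) echo the ones reported in the thread; the bytes inside them are made up and are not a real executable. find_embedded_pe works on any byte string, so it can also be run over a raw SOFTWARE hive copied off the disk from a live CD.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# What the thread searched for by hand in a hex editor: the "MZ" DOS header, the
# "PE\0\0" signature that e_lfanew (offset 0x3C) points at, and the DOS-stub text.
MZ = b"MZ"
PE_SIG = b"PE\0\0"
DOS_STUB = b"This program cannot be run in DOS mode"


class Finding(NamedTuple):
    key: str         # registry key the value lives under
    value: str       # value name ("@" is the key's default value)
    offset: int      # byte offset of the MZ header inside the value's data
    confirmed: bool  # True when e_lfanew leads to a valid PE signature


def find_embedded_pe(data: bytes) -> List[Tuple[int, bool]]:
    """(offset, confirmed) for each plausible PE header in any byte string.
    "MZ" alone is two common bytes, so a hit needs the e_lfanew -> "PE\\0\\0" chain
    or, for a fragment cut off before the PE header, the DOS-stub text behind it."""
    hits = []
    off = data.find(MZ)
    while off != -1:
        confirmed = False
        if off + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
            pe = off + e_lfanew
            confirmed = e_lfanew >= 0x40 and data[pe:pe + 4] == PE_SIG
        if confirmed or DOS_STUB in data[off:off + 0x100]:
            hits.append((off, confirmed))
        off = data.find(MZ, off + 1)
    return hits


_KEY_RE = re.compile(r"^\[(?!-)(.+)\]$")   # [HKEY_...]; a "[-HKEY..." line deletes a key
_HEX_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=hex(?:\([0-9a-fA-F]+\))?:(.*)$')


def iter_binary_values(reg_text: str) -> Iterator[Tuple[str, str, bytes]]:
    """Yield (key, value name, data) for each hex-typed value in a .reg export.
    REG_SZ and REG_DWORD values are skipped, so a payload stored as text is not seen."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)   # undo regedit's line wrapping
    key = None
    for line in joined.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _HEX_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) is None else m.group(1)
            data = bytes(int(h, 16) for h in m.group(3).split(",") if h.strip())
            yield key, name, data


def scan_reg_text(reg_text: str) -> List[Finding]:
    return [Finding(key, name, off, ok)
            for key, name, data in iter_binary_values(reg_text)
            for off, ok in find_embedded_pe(data)]


def scan_reg_file(path: str) -> List[Finding]:
    """regedit (Windows 2000+) writes .reg files as UTF-16LE with a BOM; REGEDIT4 is ANSI."""
    raw = open(path, "rb").read()
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", "replace")
    return scan_reg_text(text)


def _fake_pe(size: int = 0x100) -> bytes:
    """Constructed stand-in for an executable: a zero-filled blob carrying only
    the header fields the scanner checks. It is not a runnable program."""
    buf = bytearray(size)
    buf[0:2] = MZ
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> 0x80
    buf[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = PE_SIG
    return bytes(buf)


def _reg_hex(data: bytes, per_line: int = 25) -> str:
    """Format bytes the way regedit exports them: hex:aa,bb,... wrapped with backslashes."""
    octets = [f"{b:02x}" for b in data]
    rows = [",".join(octets[i:i + per_line]) for i in range(0, len(octets), per_line)]
    return "hex:" + ",\\\n  ".join(rows)


_BLOB = _fake_pe()

# Constructed sample export. Key and value names follow those reported in the thread;
# "N0AD0" is a copy cut off before the PE header, "Harmless" holds 4d,5a by coincidence.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\U29G08004]
"AD0"={_reg_hex(_BLOB)}
"N0AD0"={_reg_hex(_BLOB[:0x78])}
"U29G08004"="U29G08004"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt]
@="txtfile"
"Harmless"=hex:00,4d,5a,01,02
"Count"=dword:00000001
"""
```

Running scan_reg_text(SAMPLE_REG) reports AD0 at offset 0 with the PE signature confirmed and N0AD0 at offset 0 as unconfirmed (MZ and DOS stub, but the data ends before e_lfanew's target); the "Harmless" value is not reported, because a bare "MZ" is two common bytes and the check insists on the e_lfanew chain or the stub text. Two caveats a practitioner would want: the scanner only decodes hex-typed values, so a payload stored as an escaped REG_SZ string would be missed, and finding the blob says nothing about what reads and executes it, which is the question ZPR is left with at the end of the thread.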
Powered by vBulletin®
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Technibble.com is based out of MELBOURNE, AUSTRALIA.