Are these Registry Keys normal or are they malicious?

Hi all, I've been struggling with a rootkit for a couple of days now.  I've searched for these specific Reg entries on EE, but I can only see them as a smaller part of people's scan logs where they are not addressed specifically.

ComboFix detects the rootkit and the entire computer freezes up.  So I downloaded and ran GMER 1.0.15.15641.  On my first scan, the Rootkit/Malware tab showed the following entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout   SZ   15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota   DWORD   00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler   SZ   yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk   SZ  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout   SZ   90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota   DWORD   00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs   SZ  

It didn't say what the problem was with them, if any.  I went to the registry and noticed that HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows was denying me (Administrator) access to the key.  So I took ownership and gave Administrators permissions.

After granting the permissions to the key, I ran a scan with GMER again and it found a bunch of Temporary Internet files that are infected, but it no longer mentioned those registry keys.

My question:  Was GMER complaining simply because it didn't have access to those keys?  Or are these keys that I should be backing up/deleting?  Obviously I don't want to do anything to cause me a BSOD here.

Thanks!
mmichaels1970 Asked:

Kent Dyer, IT Security Analyst Senior, Commented:
Yes, these are legitimate entries.

What you can do is export the registry on the affected machine and export it from a known good machine, then run WinMerge to compare entries, keys, etc.

HTH,

Kent
0
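Kent's suggestion, as an added example that is not from the answer: a small Python script that parses two `.reg` exports of the key in question and lists every value that differs, the comparison WinMerge does by eye. Both exports are constructed here to mirror the values the asker listed; the baseline omits swapdisk (as on rpggamergirl's machine) and the suspect carries a made-up placeholder path in AppInit_DLLs, the one value under this key that user32.dll loads into every process, so a non-empty entry is worth a second look.

```python
"""Diff two .reg exports of one key.  Added example, not from the thread: SUSPECT and
BASELINE are constructed to look like `reg export` output; the DLL path is a placeholder."""
import re
SUSPECT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="C:\\WINDOWS\\system32\\example_injected.dll"
'''
BASELINE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""
'''
# One value line: "name"=data, where the name may contain escaped quotes/backslashes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg text (default values skipped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = m.group("name").replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name] = m.group("data")
    return keys

def diff_reg(suspect_text, baseline_text):
    """List (key, value_name, suspect_data, baseline_data) for every difference;
    None means the value (or the whole key) is absent on that side."""
    s, b = parse_reg(suspect_text), parse_reg(baseline_text)
    diffs = []
    for key in sorted(set(s) | set(b)):
        sv, bv = s.get(key, {}), b.get(key, {})
        for name in sorted(set(sv) | set(bv)):
            if sv.get(name) != bv.get(name):
                diffs.append((key, name, sv.get(name), bv.get(name)))
    return diffs

if __name__ == "__main__":
    for key, name, got, want in diff_reg(SUSPECT, BASELINE):
        print(f"{name}: suspect={got!r} baseline={want!r}")
```

Values the two machines share are silent; only AppInit_DLLs and the swapdisk entry missing from the baseline are reported.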
rpggamergirl Commented:
Those are normal keys; I have exactly the same registry values under that key (type and data), except for "swapdisk", which I don't have.

"Was GMER complaining simply because it didn't have access to those keys?"

It's very likely.

So combofix can't run? How about TDSSKiller?
0

mmichaels1970 (Author) Commented:
I tried TDSSKiller and nothing happens after a double click.  I'll redownload and try again.

For now, I have a dual-boot xpsp3 os here, so I'm going to try ComboFix again from the alternate OS.  I'm not sure if it's going to find the rootkit that way though.

I think the rootkit is somehow embedded in explorer.exe.  Might explain why combofix eventually freezes completely....explorer goes down, nothing clicks, ctrl-alt-del doesn't work, etc.  I tried waiting it out for about 8 hours and the computer remained totally frozen.

I tried copying a legit copy of explorer.exe overtop of the one I suspect to be infected, but combofix.

MBAM, Avira, Fprot come up clean.

Let me give TDSSKiller another try.
0

mmichaels1970 (Author) Commented:
Redownloaded TDSSKiller from http://www.bleepingcomputer.com/download/anti-virus/tdsskiller and it still won't run.  Double-click, no process even looks like it is trying to start.

Tried running it on a legit computer running Vista and it runs fine.  Doesn't run at all on my XP SP3 computer though.
 
0
rpggamergirl Commented:
C:\Windows\3337897741:4072147769.exe

Is there any random process running similar to the above? If so, it could be ZeroAccess rootkit.

Also try this, download inherit.exe and then drag the combofix.exe icon and drop it over the inherit.exe and see if combofix runs successfully.
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
0
mmichaels1970 (Author) Commented:
All processes appear "normal".
taskmgr.exe
svchost.exe
explorer.exe
lsass.exe
etc.

But ComboFix DID mention ZeroAccess about 10 tries ago, now that you mention it.  My apologies for forgetting.  Now combofix simply says that a rootkit has been detected but doesn't mention what it is.

I'll see if I can find something that specifically targets ZeroAccess.
0
mmichaels1970 (Author) Commented:
Darn....tried the ZeroAccess Removal Tool from http://www.malwarecity.com/community/index.php?app=downloads&showfile=34 and it is behaving the same way as tdsskiller.  Double Click/Nothing Happens.
0
rpggamergirl Commented:
You can try these but I think Combofix and TDSSKiller are also good if we could make them run.

Antizeroaccess:
http://www.malwarecity.com/community/index.php?app=downloads&showfile=43

EsetSirefefremover.exe
http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe
Source here:
http://kb.eset.com/esetkb/index?page=content&id=SOLN2895

Also open Disk Management and look at the partitions to check if there is any suspicious hidden partition (not the hidden Recovery partition), some unallocated hidden partition.
No joy running combofix with inherit.exe?
Try aswMbr; if you're using another antivirus, just click No when prompted to download Avast.
http://public.avast.com/~gmerek/aswMBR.exe
0
mmichaels1970 (Author) Commented:
Just tried antizeroaccess.  It ran (HURRAY), but came back clean.  "Your system is not infected by ZeroAccess/Max++ Rootkit!"

I'll give EsetSirefefremover a try and your other recommendations.
0
rpggamergirl Commented:
That's good to know yeah...
Have you tried a new download of combofix, and running it using inherit.exe?
0
mmichaels1970 (Author) Commented:
esetsirefefremover came back clean.

just noticed my administrative tools folder is empty...yikes.  Guess I'm going to have to reapply sp3 if I end up saving the system.

ran diskmgmt.msc and something might be fishy here.

The Disk1 StoreNGo is my USB drive.

Disk0 has a 55mb fat, 3.30gb fat32, and a 2mb partition with no file system.   I wonder if you're onto something there.  I've attached a screenshot of my diskmgmt.msc.

I'll try combofix with inherit to see how it goes.  I'll also plug around to try to figure out what those partitions may be up to. diskmgmt.msc
0
mmichaels1970 (Author) Commented:
betcha it's in that 55mb and/or 2mb partition eh?

If so, any ideas on how to attack while being sure I'm not wiping out some sort of recovery partition?
0
mmichaels1970 (Author) Commented:
Just downloaded EASEUS Partition Master and was able to explore the partitions.  They just look like a bunch of Dell files.

The 55MB has folders Dell and Diags
The 3.29GB partition has folders BIN, BAT, IMG, SRC1, SRC2, SRC3, SRC4, and SRC5.  The folders have files like himem.sys, mouse.com, recover.exe, dell.bmp, welcome.txt, srclient.exe.

So I don't think I have a partition problem.

Still running combofix over inherit.exe and so far so good.  It did detect zeroaccess again (even though the other antizeroaccess tools did not).  It has made it much farther and is rebooting the machine...never made it this far.  Fingers crossed.
0
rpggamergirl Commented:
I don't mean that you may have a partition problem.
I wanted to check whether there is any suspicious partition, though within Windows you may not be able to see properly which one is the boot partition.

A new variant of the TDL4/ZeroAccess/Alureon rootkits modifies the partition table so that it points to the active malicious partition. With Gparted or another liveCD, you can see if the malicious partition has the "boot" flag; if it does, you would need to change that so your OS partition is the one that has the "boot" flag.

Let's see if combofix will find ZeroAccess infection.
0
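The partition-table check rpggamergirl describes, as an added Python example that is not from the thread: it parses a 512-byte MBR, lists the four primary entries with their boot flag, and reports an active entry that is tiny or has an empty/unknown type, the shape a Windows system partition never has. The sector is constructed inline to mimic the Dell layout the asker later reports (55 MB utility, 3.3 GB FAT32, OS partition) plus a 2 MB active entry; KNOWN_TYPES is a small subset of the type codes, and on a real disk you would read sector 0 from a clean boot medium rather than from the suspect OS.

```python
"""Parse an MBR partition table and flag entries a defender should inspect.
Added example, not from the thread.  SAMPLE_MBR is constructed: a Dell-style layout
plus a tiny fourth entry carrying the boot flag, the shape described for TDL4."""
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"      # boot flag, CHS start, type, CHS end, start LBA, sector count
KNOWN_TYPES = {0x00: "empty", 0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/HPFS",
               0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0xDE: "Dell utility"}

def entry(boot, ptype, start_lba, sectors):
    """Build one 16-byte partition entry (CHS fields zeroed, LBA fields set)."""
    return struct.pack(ENTRY, boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)

SAMPLE_MBR = (b"\x00" * 446                             # boot code, zeroed here
              + entry(0x00, 0xDE, 63, 112644)           # ~55 MB Dell utility
              + entry(0x00, 0x0B, 112707, 6923070)      # ~3.3 GB FAT32 restore
              + entry(0x00, 0x07, 7035777, 300000000)   # ~143 GB NTFS OS partition
              + entry(0x80, 0x00, 307035777, 4096)      # 2 MB, type 0, marked active
              + b"\x55\xAA")                            # boot signature

def parse_mbr(sector):
    """Return the four primary entries as dicts; raise on a malformed sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack(ENTRY, sector[446 + 16*i:462 + 16*i])
        parts.append({"index": i, "active": boot == 0x80, "type": ptype,
                      "type_name": KNOWN_TYPES.get(ptype, "unknown"),
                      "start_lba": start, "size_mb": count * SECTOR / 2**20})
    return parts

def suspicious(parts, small_mb=16):
    """Findings: more than one active entry, or an active entry that is tiny
    or has an empty/unknown type (not where a Windows system partition lives)."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) > 1:
        findings.append("more than one active partition")
    for p in active:
        if p["size_mb"] < small_mb or p["type_name"] in ("empty", "unknown"):
            findings.append(f"entry {p['index']}: active, {p['size_mb']:.1f} MB, "
                            f"type 0x{p['type']:02X} ({p['type_name']})")
    return findings

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    print(suspicious(parse_mbr(SAMPLE_MBR)))
```

A finding here means the boot flag belongs somewhere else, which is exactly the fix rpggamergirl describes: move the flag back to the OS partition rather than deleting anything blindly.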
mmichaels1970 (Author) Commented:
Gotcha.  The boot partition seems ok.

However, I'm still holding my breath as combofix used with inherit seems to be humming right along.  Detected Zero Access, rebooted, and is still running.

I don't want to celebrate too soon, but things are looking up with combofix right now.  Last try of the night.
0
rpggamergirl Commented:
"If so, any ideas on how to attack while being sure I'm not wiping out some sort of recovery partition?"

No, that's not what you want to do....you need to delete the malicious one, not your recovery or OS partition. Though some careless tech did convince me to delete my recovery partition, so never again would I trust any tech if my instinct tells me not to :).

You don't even have to delete the malicious partition; so long as the boot flag is changed to the proper partition, the malicious partition will be harmless.

If combofix is able to delete the zeroaccess folder and files then that's great.... though you might still have permission problems (zeroaccess modifies ACL permissions and tools can't restore them), but that can be fixed also, so fingers crossed.
0
mmichaels1970 (Author) Commented:
Combofix has made it to Completed Stage_4.  So it is looking good.  I may not be up late enough to see it finish tonight, but with a little luck I'll be thanking you profusely in a few hours.
0
rpggamergirl Commented:
Only stage 4? It goes to 50 something :) Usually it doesn't take long, 10 to 20 minutes depending on the system.

"just noticed my administrative tools folder is empty...yikes"

Check my other article; there's a zip file you can download to restore admin tools.
http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6209-Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files.html
0
mmichaels1970 (Author) Commented:
Just finished Stage 5....no wait 6...6A...7...Guess I'm not going to bed for another 30 minutes...8...9.

Lol.  Wife is going to kill me if I stay up much later....11, 12, 13, 14, 15, 16.

Up to 22 now....no 23.  Will post back in a few.  Looking very good now!

25
0
rpggamergirl Commented:
You're not working on that same PC, are you? I asked because even a mouse click could make the combofix scan stall, that's all, :)
0
mmichaels1970 (Author) Commented:
No.  I'm on a different PC.  Infected computer has been sitting on "creating log file don't run anything until combofix finishes"  but the mouse doesn't work and CAPS Lock doesn't light up the keyboard.

I've been running combofix unimpeded except for occasionally sliding the mouse or testing the keyboard via caps lock.

I'm just going to let it sit, call it a night, and pick it back up tomorrow.  Thanks for all of your help.  I'll post back tomorrow.
0
mmichaels1970 (Author) Commented:
Combofix froze again.  Oh well.  I'll keep looking to see if I can find some other rootkit removal software.  Combofix never let me down before.

Probably time to start thinking about backing up and figuring out how to recover the factory image.

I'll try a couple more things today before giving up completely.
0
mmichaels1970 (Author) Commented:
I think this one has defeated me and Combofix.  I'm just going to back up his document folders and run a factory restore.  Thanks for all the help.  I'll award points and wrap this one up tonight.
0
rpggamergirl Commented:
This could be a different variant, since combofix was able to remove ZeroAccess in the past.
One more to try: aswMbr, and see if this one runs; it has also been updated for the new ZeroAccess/TDL4.
http://public.avast.com/~gmerek/aswMBR.exe
0
mmichaels1970 (Author) Commented:
I think I FIXED IT!  Quite by accident.  But I guess that's how I roll!

I think this thread can be of benefit to any who might come across this ridiculous rootkit, so I'm going to try to be as detailed as possible.

I had about given up.  I was going to back up my client's files and do a factory reset.  If he wasn't such a good friend, I'd have probably given up hours earlier.  I knew from my partitions that I had a dell system restore partition, but I couldn't get to it.  No matter what keys I hammered on startup, I just couldn't get it to pop into a factory restore option.  I suspected it was damaged by my rootkit.

I gave up on the zeroaccess rootkit and set about google to figure out how I could recover access to my pc restore partition.  I stumbled upon a program called DSRFix located here:

http://www.goodells.net/dellrestore/fixes.shtml

I created a boot cd and ran dsrfix.  Sure enough, it told me that my dell restore partition was inconsistent.  I ran it again with the repair option, rebooted, and I was magically able to get the factory reset option back.  Not sure what keys I pushed on startup because I was quickly running through them all as the computer booted.

Happily, I decided not to restore just yet and to reboot to start a fresh backup of his documents, pics, etc.  Once logged in, I decided on a hunch to run TDSSKiller again.  IT RAN!  You can see from my earlier posts that before DSRFix, it didn't do a darned thing when I double clicked it.  Now it was running!

I chose to DETECT TDLSS File system from the options..not sure why it wasn't selected as a default.  I ran a scan, and sure enough I ran into:

22:41:54.0078 2768      \Device\Harddisk0\DR0 ( TDSS File System ) - warning
22:41:54.0078 2768      \Device\Harddisk0\DR0 - detected TDSS File System (1)

After reboot, I reapplied SP3 and reinstalled IE8.  Ran TDSSKiller again and it came up clean.  I tested the internet by going to google, doing random searches and clicking on links to make sure I wasn't being redirected.  She ran like a champ!

I ran into a minor issue with System Restore.  The service wouldn't start and threw an "access denied" message when I tried to start it from services.msc.  I went to c:\win\inf and right-clicked/reinstalled sr.inf.  I rebooted and system restore was back.  And, by the way, my missing icons in Administrative Tools seemed to come back on their own.

Now I'm simply removing some of the 20 or so tools I installed during my previous attempts.  I'll windows update, defrag, and put this one to bed.

Thank you so much for your help.  I'm going to give kdyer 100 for posting a correct response to my original specific question.  I'm going to give rpggamergirl 400 for sticking with me and helping see this entire process through to a great end!  I wish I could give you 5000 points!  Sometimes I think I'm smart, then I get humbled by someone as smart as you and by some of the experts in this community.

IN SUMMARY:  DSRFIX was the key to this whole mess.  It fixed my boot record with the proper DELL-Oriented master boot record, and everything fell into place after that!

           
FirstRun-TDSSKiller.2.6.25.0-06..txt
CLEAN-TDSSKiller.2.6.25.0-06.01..txt
0
mmichaels1970 (Author) Commented:
Great job!  Kdyer was quick to respond and specific.  Rpggamergirl was a genius and stuck with me all the way through to the end!  These experts are both great assets to the community!
0
rpggamergirl Commented:
"I knew from my partitions that I had a dell system restore partition, but I couldn't get to it.  No matter what keys I hammered on startup, I just couldn't get it to pop into a factory restore option.  I suspected it was damaged by my rootkit."

I haven't heard of reports of any rootkit that touches any recovery partition to date. I can only think that perhaps in the past you may have used the "Fixmbr" command on that system, and that would explain your losing access to your Dell recovery partition, but you did a great job of fixing it with DSRFix.

Well done!

Thank you for using Experts-Exchange! And thanks for the good feedback and kind words, much appreciated :)
0
mmichaels1970 (Author) Commented:
Just to add to this already resolved question, it does appear that a rootkit messed with my partitions.  After cleaning the computer, MSE was still detecting dos/alureon.E but reported that it couldn't clean it.

Turns out, it was located on the 2MB partition that didn't appear to have any business existing.  I ran into another explanation in post#2 at:  http://forums.majorgeeks.com/showthread.php?t=250005 where it is suggested that the TDL4 rootkit created a similar partition.  The guy at the post seems to have a 1MB partition that was affecting him.

I deleted the partition and no longer get the alureon detection.



0
rpggamergirl Commented:
Sorry we weren't much help, so that you had to resort to finding solutions yourself. We have a similar thread here in EE where the TDL4/ZeroAccess rootkit modifies the partition table and also creates a hidden partition. That's why I asked you to look at the partitions in {http:#37385637}

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_27468316.html?cid=1131#a37225432
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_27484863.html

As I've already said, you did an excellent job in troubleshooting and fixing it yourself.
0
Question has a verified solution.