Scans Show I'm Clean, But Something Is Making Registry Changes Affecting My Prefetch Folder


2 replies to this topic

#1 kathyj

kathyj

  • Members
  • 2 posts

Posted 09 August 2010 - 09:38 AM

To try to make this (long story) short, I'm just going to post the details, clean-cut:

1) Saturday morning, my virus software (McAfee) popped up an alert that it blocked a Trojan. At the same time Spybot S&D popped up with the option to block a registry change (which I did).

2) I immediately disconnected from the internet and ran my full McAfee scan, followed by Malwarebytes, S&D, Adaware, and CCleaner.

3) Adaware showed some tracking cookies, which it took care of, and either Malwarebytes or S&D (I can't remember which) showed something (I'm pretty sure it said it was a Trojan Downloader, but I was freaked out and didn't write it down). It required a restart to completely clean it, which I did.

4) While I was running Malwarebytes scan, I noticed that my CPU usage was holding steady at 100% (which it usually doesn't while it's scanning with Malwarebytes). At this time, I noticed that there were multiple msiexec.exe processes running in the Task Manager -- I remember reading before that that file should only be running when you're installing something.

5) I restarted the computer, as required, ran my scans again. Everything came up clean and seemed to be fine at this point.

6) The next morning, I woke up to find a pop up from McAfee asking whether I wanted to block or allow the following Registry change:

Process: C:\Documents And Settings\HP_Administrator\Local Settings\Temp\Setup.exe

Process Description: Wrapper Application

Process Publisher: Ask

Process Version: 1.8.0.0

HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKEY_LOCAL_MACHINE\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\InProcServer32
C:\Program Files\Ask.com\GenericAskToolbar.dll

7) I blocked it, but looked further, and saw that the change had been made every hour on the hour overnight.

8) I noticed that the multiple msiexec.exe files were running again, so I searched my computer to see where these files were located. I found that this file had been modified overnight: MSIEXEC.EXE-330626DC.pf. It stated that the file opens with iTunes.

9) The same thing happened last night overnight. I glanced in my Prefetch folder and the hour-on-the-hour registry changes seem to correspond with every item in my Prefetch folder being modified. They are all now set to iTunes as their default application.

I really, really would appreciate any help I can get. I've Googled 'til my fingers are about to fall off trying to find out what this could be, but I can't find any instances of anyone having such an issue before -- and I'm really afraid since all my prefetch data has been messed with. I really am at a loss because I don't want to leave the computer overnight again so more changes can be made to the registry, but I'm afraid if I shut down my computer for any reason, it won't start back up.

Right now, I am running Sophos Anti-Rootkit scanner which is showing quite a few hidden files.
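The checks the poster did by hand in items 6 to 9 (the BHO registry key, the msiexec.exe processes, the hourly changes to the Prefetch folder) can be collected in one pass. The script below is an added example for this thread, not code from the poster or from the BleepingComputer response team. It assumes the standard Windows locations for Browser Helper Objects and COM class registration, and that it is run from an administrator PowerShell prompt on the affected machine.

```powershell
# Added triage script for the symptoms described in the post above.
# Assumptions: administrator prompt on the affected machine; registry paths are
# the standard ones for Browser Helper Objects (BHOs) and COM class registration.

# 1. Browser Helper Objects: each subkey is a CLSID, and that CLSID's
#    InProcServer32 default value names the DLL Internet Explorer will load.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        $dll    = $null
        if (Test-Path $server) { $dll = (Get-Item $server).GetValue('') }
        $exists = [bool]($dll -and (Test-Path $dll))
        $sig    = 'n/a'
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status }
        # New-Object keeps this usable on PowerShell 2 (the XP-era version).
        New-Object PSObject -Property @{
            CLSID = $clsid; Dll = $dll; Exists = $exists; Signature = $sig
        }
    } | Format-Table CLSID, Dll, Exists, Signature -AutoSize
}

# 2. Prefetch: Windows rewrites <EXE>-<hash>.pf each time that program runs, so
#    the LastWriteTime of every .pf file records what executed and when.
#    Grouping by hour makes an "every hour on the hour" pattern stand out.
$pf = Get-ChildItem "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue
$pf | Sort-Object LastWriteTime -Descending |
    Select-Object -First 25 Name, LastWriteTime |
    Format-Table -AutoSize

$pf | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-2) } |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object Name, Count, @{ n = 'Programs'; e = {
        ($_.Group | ForEach-Object { $_.Name -replace '-[0-9A-F]{8}\.pf$', '' } |
            Sort-Object -Unique) -join ', ' } } |
    Format-Table -Wrap

# 3. The post noted several msiexec.exe instances. The parent PID and command
#    line show which package each one is servicing and which process started it.
Get-WmiObject Win32_Process -Filter "Name = 'msiexec.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-Table -Wrap

# 4. A strict hourly cadence is what a scheduled task produces (an assumption
#    about the cause, not something the post confirms). List every task with
#    its command line and schedule; schtasks.exe exists on XP and later.
schtasks /query /fo LIST /v
```

Two things worth knowing when reading the output. A BHO whose DLL is missing, unsigned, or living under a Temp folder deserves attention; so does any task whose command points at a Temp or user-profile path. And the "opens with iTunes" shown in Explorer for the .pf files is the file-type association for the .pf extension, not a property of the files themselves; the meaningful fact in the Prefetch folder is the modification time, which tells you that the corresponding program ran at that hour.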


#2 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 09 August 2010 - 09:41 AM

You haven't used any registry editor programs or anything like that, right?

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#3 kathyj

kathyj
  • Topic Starter

  • Members
  • 2 posts

Posted 09 August 2010 - 10:24 AM

I used CCleaner to scan the Registry, but did not opt to fix selected issues, because I didn't know if it would make more of a mess of things or not.

But that's all I've done even remotely connected to the registry.

So, no, no, registry editor programs.

(THANK YOU for responding!)



