
Malware, Virus etc Registry values/keywords


9 replies to this topic

#1 Gatorfan1

Gatorfan1

  • Members
  • 7 posts
  • Gender:Male
  • Location:Ft. Myers

Posted 14 August 2014 - 02:36 PM

Hello everyone, I'm a PC tech at a computer company and I basically spend most of my days cleaning up PCs. I'm new in the industry (virus/malware removal) so definitely still learning, and I wanted to know if there was a place that had a list of registry values/keywords I can search when I'm manually looking for virus/malware that made entries in the registry. Currently I search for things like conduit and trovi, but I know there has to be more.

 

Any information would be appreciated. Thanks!




#2 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 14 August 2014 - 08:42 PM

This should get you started?

http://www.team-cymru.org/Services/MHR/ | https://www.team-cymru.org/Services/MHR/WinMHR/ | https://www.nanog.org/meetings/nanog45/presentations/Monday/Gill_malware_N45.pdf
http://krebsonsecurity.com/2010/08/reintroducing-the-malware-hash-registry/

https://vicheck.ca/md5query.php

https://www.owasp.org/index.php/OWASP_File_Hash_Repository

http://www.opswat.com/blog/opswat-announces-millions-malware-hashes-available-metascan-online

http://www.virustotal.com/search.html

http://blog.emsisoft.com/2014/06/18/emsisoft-malware-library/

https://isc.sans.edu/tools/hashsearch.html

http://www.nsrl.nist.gov/
http://www.nsrl.nist.gov/Downloads.htm#isos

http://malwaredb.malekal.com/
http://malwaredb.malekal.com/daily.zip 7.4Gb zip file.

Edited by Crazy Cat, 14 August 2014 - 08:52 PM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#3 Gatorfan1

Gatorfan1
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Ft. Myers

Posted 14 August 2014 - 09:02 PM

Wow, thank you for all the information. Many thanks.



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,620 posts
  • Gender:Male

Posted 15 August 2014 - 07:04 AM

Take a look at Sysinternals' Autoruns.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Gatorfan1

Gatorfan1
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Ft. Myers

Posted 15 August 2014 - 08:31 AM

Take a look at Sysinternals' Autoruns.

Thank you, this really seems like a nice tool to use. While I think I was doing a good job on cleanups with the tools I have and use, after reading around here I have found that I am not nearly as thorough as possible.


Edited by Gatorfan1, 15 August 2014 - 08:33 AM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 August 2014 - 06:09 PM

If learning about malware removal and how to use specialized fix tools like DDS, RSIT, OTL, ComboFix, FRST, GMER, etc. is something you are interested in, please read BleepingComputer's Malware Removal Training Program.

The above link explains how to apply and what is required. If there are no slots available, you will have to keep checking back at a later time. We are swamped with such requests and there are not enough instructors able to provide teaching, so that limits the number of trainees we can accept.

Due to the self-paced structure of training and the limited number of instructors here at BC, it is impossible to say with any accuracy when slots will open. New slots are opened up as our existing trainees complete the lower levels of study and move up toward more advanced levels. This is to prevent our volunteer staff being overwhelmed by an influx of new trainees. There is no notification system in place for when slots open, so you need to keep checking back if BC Study Hall is the school you prefer to enroll in. The logistics and management of such a notification system and the fact we have a worldwide membership negate the potential effectiveness and fairness one would expect from it.

If you don't want to wait for an opening here at BleepingComputer, please be aware that training in malware removal is conducted at various other online Unite Schools to include:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 Gatorfan1

Gatorfan1
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Ft. Myers

Posted 15 August 2014 - 06:59 PM

If learning about malware removal and how to use specialized fix tools like DDS, RSIT, OTL, ComboFix, FRST, GMER, etc. is something you are interested in, please read BleepingComputer's Malware Removal Training Program.

The above link explains how to apply and what is required. If there are no slots available, you will have to keep checking back at a later time. We are swamped with such requests and there are not enough instructors able to provide teaching, so that limits the number of trainees we can accept.

Due to the self-paced structure of training and the limited number of instructors here at BC, it is impossible to say with any accuracy when slots will open. New slots are opened up as our existing trainees complete the lower levels of study and move up toward more advanced levels. This is to prevent our volunteer staff being overwhelmed by an influx of new trainees. There is no notification system in place for when slots open, so you need to keep checking back if BC Study Hall is the school you prefer to enroll in. The logistics and management of such a notification system and the fact we have a worldwide membership negate the potential effectiveness and fairness one would expect from it.

If you don't want to wait for an opening here at BleepingComputer, please be aware that training in malware removal is conducted at various other online Unite Schools to include:

 

Thank you for all the information and yes I do plan on trying to get enrolled in the Malware training program. For now I just try to read everything I can and read threads learning different fixes for different problems.



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 August 2014 - 07:07 PM

You're welcome and good luck

#9 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 16 August 2014 - 08:04 PM

Wow, thank you for all the information. Many thanks.

As quietman7, so eloquently stated: "You're welcome and good luck"

Also have a look at this for file hashing. http://www.bleepingcomputer.com/forums/t/543174/how-do-i-transfer-data-from-an-infected-pc-to-an-external-hdd/#entry3441899
 



#10 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 27 August 2014 - 12:27 AM

This batch script "SCAN Malware via MD5.bat" allows you to create an MD5 hash (using fciv.exe from http://support.microsoft.com/kb/841290) of EXE files and search the database "malware.md5db".

The database "malware.md5db" is built from the 4.1Mb .md5 files downloaded at http://virusshare.com/hashes.4n6, combined into one malware.md5db file using "combine md5 files.bat". The complete .md5 files downloaded and combined = 600+ Mb.

The "malware.md5db" in the RAR file is a sample ONLY.

Of course, you can modify the "SCAN Malware via MD5.bat" script to create MD5 hashes of DLL, SRC, DRV, COM, ... whatever.

File ID: 930724, File size: 14.1 MB SCAN_Malware_via_MD5.rar
Time to live: 7 days http://wikisend.com/download/930724/SCAN_Malware_via_MD5.rar
 

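As an added example, not Crazy Cat's batch script: the same known-bad lookup in Python without fciv.exe. It loads a one-digest-per-line list into a set (the list format, including skipping blank lines and '#' comment lines, is an assumption made for this example), hashes every file with a chosen extension, and reports the matches; the two sample files and the hash list are constructed.

```python
import hashlib
import os
import tempfile

def load_hash_db(path):
    """Read a hash list (assumed format, constructed here: one hex digest per
    line, '#' comments and blank lines ignored) into a set for fast lookups."""
    hashes = set()
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip().lower()
            if line and not line.startswith("#"):
                hashes.add(line)
    return hashes

def file_digest(path, algo="md5", chunk=1 << 20):
    """Stream a file through the hash so large binaries never sit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, db, exts=(".exe",)):
    """Hash files under root whose extension is in exts (widen to .dll, .sys,
    .com as needed); return {path: digest} for those in db. A miss means 'not
    a listed sample', not 'clean'."""
    exts = tuple(e.lower() for e in exts)
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                digest = file_digest(full)
                if digest in db:
                    hits[full] = digest
    return hits

def demo():
    """Constructed sample tree: two fake executables, one listed in the db."""
    root = tempfile.mkdtemp()
    listed = os.path.join(root, "listed.exe")
    other = os.path.join(root, "other.exe")
    with open(listed, "wb") as fh:
        fh.write(b"MZ constructed sample that IS on the list")
    with open(other, "wb") as fh:
        fh.write(b"MZ constructed sample that is NOT on the list")
    db_path = os.path.join(root, "malware.md5db")
    with open(db_path, "w") as fh:  # upper-case entry checks case folding
        fh.write("# constructed hash list\n" + file_digest(listed).upper() + "\n")
    return scan_tree(root, load_hash_db(db_path)), listed
```

Point scan_tree at a mounted drive or an Autoruns export directory and swap the db for a real combined list; the same set lookup works unchanged with SHA-256 lists via the algo argument.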




