
Like the title says, I need help with viewing hidden registry entries that are not normally accessible through the default Windows regedit.

To start off, my friend's son tried downloading a free game but was instead blasted with a Trojan.VBS.Autorun.ag, along with Trojan.Downloader.Generic and some other various adware. There were no security warnings, popups, or indication of infection. The only reason I knew to look for something was because his son called me over to check out another game he was playing. When he was done, he was on YouTube and I noticed an online support tab in his browser, which was a huge adware red flag.

I found a few viruses and removed them, but after searching more, I realized the same virus was reappearing in different locations in the temp dir. Sometimes in Temp itself, other times in temp\is-H8O4M.tmp (this is actually a folder, not a .tmp file; the folder contained another copy of c11w.exe and cuii.exe, both of which are Trojan.VBS.Autorun.ag).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, to see what reg entries were in the key. Well, there were absolutely no entries in here at all, not even legitimate application entries. So my guess is the entries are being hidden from regedit.

My question is: What tools are useful for either extracting hidden keys and entries for later examination, or for opening the registry in such a way that the keys can be displayed? Are there any programs out there that can help me? Also, if I escalate privileges to system level when opening regedit, will that help? Any push in the right direction is appreciated. Thanks in advance.

JohnAnon
    You should really review the thread on [malware - Best practices for handling computer viruses](https://security.stackexchange.com/questions/30091/best-practices-for-handling-computer-viruses) as it would be more applicable. – user2320464 Oct 28 '16 at 01:36
  • Thank you for the article, but I am not trying to remove the infection at this time. I am trying to figure out a way to see exactly what the virus itself created in the registry, what it has hidden, etc. This is more about learning detailed information about the methods of hiding reg keys and values, and unhiding reg keys and values, than it is about virus removal. I will perform a full clean install once I am done learning as much as I can about this infection. – JohnAnon Oct 28 '16 at 01:50
  • I know there are probably multiple Trojans, worms, or other infections on here, as one of the files I found was a Trojan downloader. I am curious as to how the previous Trojans are keeping the new infections from being detected, and what values are being written to the hidden reg keys. Also, I'd like to manually go through the registry and see what infections are present; I cannot do this if the keys and/or values are being hidden from me. This is more about learning than it is about removal. – JohnAnon Oct 28 '16 at 01:57
  • There is no standard way to prevent regedit from seeing entries, and if a rootkit is doing so only fixing the rootkit or nuking from orbit will work. But an easier cause is that HKLM\Software\Microsoft\Windows\CurrentVersion\Run is **only one of the places** things can be configured to run automatically; there are maybe a hundred other places in the registry plus some files and directories that aren't in the registry at all, and I don't think there's any single source on how to find all of them. – dave_thompson_085 Oct 28 '16 at 06:01
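As an added example (not from the question or any answer on this page): since the Run key is only one of many autorun locations, and since the samples in the question kept reappearing under Temp, the PowerShell script below enumerates a handful of well-known autorun keys in both the 64-bit and 32-bit registry views for HKLM and HKCU, and flags any command whose path points into a Temp folder. The key list and the Temp heuristic are my own choices for illustration, not a complete inventory of autorun locations.

```powershell
# Added example: list common autorun registry entries from both registry views
# and flag commands launched from a Temp directory. Run from an elevated prompt
# so HKLM values are readable. The key list below is a starting point only.
$runKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Winlogon values that launch programs at logon. By default Shell is
# explorer.exe and Userinit is the userinit.exe path; anything else is worth a look.
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutorunEntries {
    $hives = @([Microsoft.Win32.RegistryHive]::LocalMachine,
               [Microsoft.Win32.RegistryHive]::CurrentUser)
    # Registry32 shows the Wow6432Node view that a 64-bit regedit does not show
    # under the normal path, so entries are checked in both views.
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)
    foreach ($hive in $hives) {
        foreach ($view in $views) {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
            foreach ($path in ($runKeys + $winlogon)) {
                $key = $base.OpenSubKey($path)
                if ($null -eq $key) { continue }   # key absent in this hive/view
                foreach ($name in $key.GetValueNames()) {
                    # Only the two launch-related Winlogon values are of interest here
                    if ($path -eq $winlogon -and $name -notin @('Shell', 'Userinit')) { continue }
                    $data = [string]$key.GetValue($name)
                    [pscustomobject]@{
                        Hive    = $hive
                        View    = $view
                        Key     = $path
                        Name    = $name
                        Command = $data
                        # Heuristic: a persistent program living in a Temp folder is suspicious
                        InTemp  = [bool]($data -match '\\Temp\\')
                    }
                }
                $key.Close()
            }
            $base.Close()
        }
    }
}

# Suspicious (InTemp = True) rows sort to the top
Get-AutorunEntries | Sort-Object InTemp -Descending | Format-Table -AutoSize
```

An empty result for a key in one view but not the other is itself useful information: it tells you which view regedit was showing you.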

1 Answer


I recently had a problem like this, only yesterday (although the adware was transmitted to mine through a web server). A useful way to get rid of it and find it in the key, that I've personally found helpful, is to download an adware cleaner (like AdwCleaner), as they show you where the viruses are being generated from and also give you the option to remove them.

On a side note: if you want to find the IP of the server transmitting the virus (if the virus transmits data through a web server), download Norton, as it will say "An intrusion attempt by <website> was blocked", along with the IP, which you can then Nmap for the TCP server.