Weird Malware Like Behaviour
Java Jive
2023-07-26 10:36:29 UTC
This is the run key from the registry of one of my W7 PCs ...


www.macfh.co.uk/Temp/RunKey.jpg


... and by way of confirmation here's an export of it ...


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="\"C:\\Program Files (x86)\\Epson Software\\Event Manager\\EEventManager.exe\""


... however ...


9:50:31 D:\Temp>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ETDCtrl                 REG_EXPAND_SZ    C:\Program Files\Elantech\ETDCtrl.exe
    IgfxTray                REG_SZ           C:\Windows\system32\igfxtray.exe
    HotKeysCmds             REG_SZ           C:\Windows\system32\hkcmd.exe
    Persistence             REG_SZ           C:\Windows\system32\igfxpers.exe
    Malwarebytes TrayApp    REG_SZ           C:\PROGRAMS\MALWAREBYTES ANTIMALWARE\mbamtray.exe
    SynTPEnh                REG_SZ           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    nwiz                    REG_SZ           C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet


... so WTF is going on? A rootkit? But a scan by MalwareBytes finds
only a false positive uninstaller file (so a file only loaded into
memory and run when uninstalling the relevant program, which would
delete itself anyway) ...


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/26/23
Scan Time: 10:32 AM
Log File: 6642e258-2b97-11ee-8208-001c2346ddc2.json

-Software Information-
Version: 4.5.32.271
Components Version: 1.0.2051
Update Package Version: 1.0.72995
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Charles-P1\Cruachan

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 248688
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 4 min, 9 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled <-- Note this!
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Adware.DotDo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC, No Action By User, 5824, 924227, , , , , ,

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Adware.DotDo, C:\PROGRAM FILES (X86)\FLAC\UNINSTALL.EXE, No Action By User, 5824, 924227, 1.0.72995, , ame, , B7E822162FE81D4A8F2025B9329D425C, F3DA78D3670C50DE2D71C32FAD129484F8672FFE11ADAB980757E72B3E3497CD

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


... however that file is genuine, it's the uninstall program for a FLAC
encoder/decoder which allows Windows Media Player to play FLAC files,
has been on my builds since 2k/XP days, more than a decade, and is a
false positive ...



https://www.virustotal.com/gui/file/f3da78d3670c50de2d71c32fad129484f8672ffe11adab980757e72b3e3497cd


Any suggestions as to why the REG command line program finds a different
set of run keys from those actually listed in the registry? I do
recognise most or all of the 'spurious' keys found, nearly all of them
relate to hardware in some way, and may have existed at some time, but
long since were deleted:


ETDCtrl       Touchpad driver listed in TaskMgr as running
IgfxTray      Graphics driver and ...
HotKeysCmds   ... Hotkey switcher and ...
Persistence   ... graphics driver for a *different* PC
              (I think all three previously deleted)
Malwarebytes  No explanation needed
              (also I think previously deleted, because I have other runtime
              protection and tend to use MB only as a back up scanner when
              there is a specific problem, as now.)
SynTPEnh      Touchpad driver and ...
nwiz          ... graphics driver for a third PC
              (again I think both previously deleted)
--
Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk
Java Jive
2023-07-26 10:40:58 UTC
Oh, and I meant to mention also ...
    Registry Key: 1
    Adware.DotDo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC, No Action By User, 5824, 924227, , , , , ,
... that this key also is not visible in Regedit!
--
Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk
Brian Gregory
2023-07-26 20:17:38 UTC
Post by Java Jive
Oh, and I meant to mention also ...
     Registry Key: 1
     Adware.DotDo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC, No Action By User, 5824, 924227, , , , , ,
... that this key also is not visible in Regedit!
Maybe try with MalwareBytes uninstalled or disabled. Disconnect from the
net first if it makes you feel safer.

I gave up on MalwareBytes some time ago because it made too many bizarre
things happen each time they updated it.
--
Brian Gregory (in England).
Ken Blake
2023-07-27 16:53:39 UTC
On Wed, 26 Jul 2023 21:17:38 +0100, Brian Gregory
Post by Brian Gregory
Post by Java Jive
Oh, and I meant to mention also ...
     Registry Key: 1
     Adware.DotDo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC, No Action By User, 5824, 924227, , , , , ,
... that this key also is not visible in Regedit!
Maybe try with MalwareBytes uninstalled or disabled. Disconnect from the
net first if it makes you feel safer.
I gave up on MalwareBytes some time ago because it made too many bizarre
things happen each time they updated it.
I still run MalwareBytes AntiMalware. I don't remember its ever
causing a bizarre thing.

Do I need MalwareBytes AntiMalware in addition to Defender? No, I know
it's probably overkill. But as far as I'm concerned, there's no
downside to using it, so just in case...
wasbit
2023-07-28 09:25:57 UTC
snip <
I still run MalwareBytes AntiMalware. I don't remember its ever
causing a bizarre thing.
Do I need MalwareBytes AntiMalware in addition to Defender? No, I know
it's probably overkill. But as far as I'm concerned, there's no
downside to using it, so just in case...
Not enough information Ken.
Is it the paid for version which takes over from Defender as the
'resident' protection.
The free version did this for 1 month then reverted to being an 'on
demand' scanner - but often failed to allow Defender to change back to
being the 'resident' protection.
--
Regards
wasbit
Ken Blake
2023-07-28 15:22:28 UTC
Post by wasbit
snip <
I still run MalwareBytes AntiMalware. I don't remember its ever
causing a bizarre thing.
Do I need MalwareBytes AntiMalware in addition to Defender? No, I know
it's probably overkill. But as far as I'm concerned, there's no
downside to using it, so just in case...
Not enough information Ken.
Is it the paid for version which takes over from Defender as the
'resident' protection.
Both, at different periods.
Post by wasbit
The free version did this for 1 month then reverted to being an 'on
demand' scanner - but often failed to allow Defender to change back to
being the 'resident' protection.
Ralph Fox
2023-07-27 06:13:50 UTC
Post by Java Jive
This is the run key from the registry of one of my W7 PCs ...
www.macfh.co.uk/Temp/RunKey.jpg
... and by way of confirmation here's an export of it ...
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="\"C:\\Program Files (x86)\\Epson Software\\Event Manager\\EEventManager.exe\""
... however ...
9:50:31 D:\Temp>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ETDCtrl                 REG_EXPAND_SZ    C:\Program Files\Elantech\ETDCtrl.exe
    IgfxTray                REG_SZ           C:\Windows\system32\igfxtray.exe
    HotKeysCmds             REG_SZ           C:\Windows\system32\hkcmd.exe
    Persistence             REG_SZ           C:\Windows\system32\igfxpers.exe
    Malwarebytes TrayApp    REG_SZ           C:\PROGRAMS\MALWAREBYTES ANTIMALWARE\mbamtray.exe
    SynTPEnh                REG_SZ           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    nwiz                    REG_SZ           C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
... so WTF is going on?
On 64-bit Windows, 32-bit applications get different parts of the
registry to 64-bit applications.

The above sounds like it may be a 64-bit application vs. 32-bit
application thing.


Try these tests:

1. Using the 64-bit version of the registry editor (regedit.exe),
check both of these registry keys:

1a) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

1b) [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]

Registry key 1a is the one where 64-bit applications go.

Registry key 1b is the one where 32-bit applications actually go
when they ask the registry for 1a.


2. From a 64-bit command prompt window, run these two commands:

2a) C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

2b) C:\Windows\SysWOW64\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Command 2a is the 64-bit version of reg.exe.

Command 2b is the 32-bit version of reg.exe. Even though the path
has '64' in it, 'WOW64' means Windows-32 On a Windows-64 system.
The 32-bit version will actually get the registry settings from
key 1b above.


REFERENCES

<https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/view-system-registry-with-64-bit-windows>
<https://learn.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry>
Post by Java Jive
A rootkit? But a scan by MalwareBytes finds
only a false positive uninstaller file (so a file only loaded into
memory and run when uninstalling the relevant program, which would
delete itself anyway) ...
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 7/26/23
Scan Time: 10:32 AM
Log File: 6642e258-2b97-11ee-8208-001c2346ddc2.json
-Software Information-
Version: 4.5.32.271
Components Version: 1.0.2051
Update Package Version: 1.0.72995
License: Free
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Charles-P1\Cruachan
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 248688
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 4 min, 9 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled <-- Note this!
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 1
Adware.DotDo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC, No Action By User, 5824, 924227, , , , , ,
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Adware.DotDo, C:\PROGRAM FILES (X86)\FLAC\UNINSTALL.EXE, No Action By User, 5824, 924227, 1.0.72995, , ame, , B7E822162FE81D4A8F2025B9329D425C, F3DA78D3670C50DE2D71C32FAD129484F8672FFE11ADAB980757E72B3E3497CD
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
... however that file is genuine, it's the uninstall program for a FLAC
encoder/decoder which allows Windows Media Player to play FLAC files,
has been on my builds since 2k/XP days, more than a decade, and is a
false positive ...
https://www.virustotal.com/gui/file/f3da78d3670c50de2d71c32fad129484f8672ffe11adab980757e72b3e3497cd
Any suggestions as to why the REG command line program finds a different
set of run keys from those actually listed in the registry? I do
recognise most or all of the 'spurious' keys found, nearly all of them
relate to hardware in some way, and may have existed at some time, but
ETDCtrl       Touchpad driver listed in TaskMgr as running
IgfxTray      Graphics driver and ...
HotKeysCmds   ... Hotkey switcher and ...
Persistence   ... graphics driver for a *different* PC
              (I think all three previously deleted)
Malwarebytes  No explanation needed
              (also I think previously deleted, because I have other runtime
              protection and tend to use MB only as a back up scanner when
              there is a specific problem, as now.)
SynTPEnh      Touchpad driver and ...
nwiz          ... graphics driver for a third PC
              (again I think both previously deleted)
--
Kind regards
Ralph

ζητεῖτε καὶ εὑρήσετε
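As an added example (not code from the thread or from any poster), the PowerShell below performs Ralph's tests 1a/1b in one pass: it opens the 64-bit and the 32-bit (WOW6432Node) view of the HKLM Run key explicitly, so it reports the same thing whether it is launched from a 64-bit or a 32-bit shell, and flags the entries that only one of the two views contains. Everything it reads is the local machine's own registry; no names beyond the thread's key path are assumed.

```powershell
# Added example: compare the 64-bit and 32-bit (WOW6432Node) views of HKLM\...\Run.
# Entries present in only one view are the ones that a 64-bit regedit/reg.exe
# shows and a 32-bit one hides, or vice versa, as discussed in the thread.
$runPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RunEntries {
    param([Microsoft.Win32.RegistryView]$View)
    $entries = @{}
    # OpenBaseKey with an explicit RegistryView bypasses WOW64 redirection,
    # so Registry32 reaches WOW6432Node even from a 64-bit process.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    $key = $hklm.OpenSubKey($runPath)
    if ($null -ne $key) {
        foreach ($name in $key.GetValueNames()) {
            # Keep REG_EXPAND_SZ data unexpanded, the way reg.exe prints it.
            $data = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $entries[$name] = [pscustomobject]@{ Kind = $key.GetValueKind($name); Data = $data }
        }
        $key.Close()
    }
    $hklm.Close()
    return $entries
}

$view64 = Get-RunEntries -View ([Microsoft.Win32.RegistryView]::Registry64)  # Ralph's key 1a
$view32 = Get-RunEntries -View ([Microsoft.Win32.RegistryView]::Registry32)  # Ralph's key 1b

# Union of value names from both views, then say where each one lives.
@($view64.Keys) + @($view32.Keys) | Sort-Object -Unique | ForEach-Object {
    $name = $_
    $in64 = $view64.ContainsKey($name)
    $in32 = $view32.ContainsKey($name)
    $where = if ($in64 -and $in32) { 'both views' }
             elseif ($in64)        { '64-bit view only (native key)' }
             else                  { '32-bit view only (WOW6432Node)' }
    $entry = if ($in64) { $view64[$name] } else { $view32[$name] }
    [pscustomobject]@{ Name = $name; Kind = $entry.Kind; Where = $where; Command = $entry.Data }
} | Format-Table -AutoSize -Wrap
```

Running it from an elevated or a plain prompt gives the same listing, since both Run keys are world-readable; what matters is only that the two views are opened by name rather than left to redirection.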
Java Jive
2023-07-27 16:32:04 UTC
Post by Ralph Fox
Post by Java Jive
This is the run key from the registry of one of my W7 PCs ...
www.macfh.co.uk/Temp/RunKey.jpg
... and by way of confirmation here's an export of it ...
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="\"C:\\Program Files (x86)\\Epson Software\\Event Manager\\EEventManager.exe\""
... however ...
9:50:31 D:\Temp>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ETDCtrl                 REG_EXPAND_SZ    C:\Program Files\Elantech\ETDCtrl.exe
    IgfxTray                REG_SZ           C:\Windows\system32\igfxtray.exe
    HotKeysCmds             REG_SZ           C:\Windows\system32\hkcmd.exe
    Persistence             REG_SZ           C:\Windows\system32\igfxpers.exe
    Malwarebytes TrayApp    REG_SZ           C:\PROGRAMS\MALWAREBYTES ANTIMALWARE\mbamtray.exe
    SynTPEnh                REG_SZ           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    nwiz                    REG_SZ           C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
... so WTF is going on?
On 64-bit Windows, 32-bit applications get different parts of the
registry to 64-bit applications.
The above sounds like it may be a 64-bit application vs. 32-bit
application thing.
1. Using the 64-bit version of the registry editor (regedit.exe),
1a) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
1b) [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
Registry key 1a is the one where 64-bit applications go.
Registry key 1b is the one where 32-bit applications actually go
when they ask the registry for 1a.
You've hit the mark, for which many thanks. Besides all the copies in
packages in C:\Windows\winsxs, I seem to have two workable copies of
Regedit ...

1) C:\Windows\regedit.exe, 417 KB

... is the 64-bit version and seems to find the extra entries I couldn't
see before, and ...

2) C:\Windows\SysWOW64\regedit.exe, 389 KB

... was the one being launched by my shortcut, and is the 32-bit.
Post by Ralph Fox
2a) C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
2b) C:\Windows\SysWOW64\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Command 2a is the 64-bit version of reg.exe.
Command 2b is the 32-bit version of reg.exe. Even though the path
has '64' in it, 'WOW64' means Windows-32 On a Windows-64 system.
The 32-bit version will actually get the registry settings from
key 1b above.
Yes, point proven and mystery explained. I've now changed the shortcut
to launch (1) and have tidied up the spurious extra entries, many thanks
for your accurate help.
Post by Ralph Fox
REFERENCES
<https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/view-system-registry-with-64-bit-windows>
<https://learn.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry>
--
Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk