Trojan.small? XMYRVEKG.EXE? Anyone know what this is?
OldRebel
January 27th, 2006, 03:46 AM
After I updated Ewido anti-malware today, I ran a scan and it picked up 22 items that it called Trojan.small. I also ran an HJT log and discovered a new service listed on my PC: XMYRVEKG.exe. After I quarantined and finally deleted the 22 trojan items with Ewido, I ended that new service and deleted it using HJT Misc tools. Does anyone know what this might have been? My Ewido scan log follows:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 7:24:00 PM, 1/26/2006
+ Report-Checksum: 3905FF66
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoChangingWallPaper -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoAddingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoDeletingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoEditingComponents -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoCloseDragDropBands -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoMovingBands -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoHTMLWallPaper -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoThemesTab -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispAppearancePage -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoColorChoice -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoSizeChoice -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispBackgroundPage -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispScrSavPage -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispCPL -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoVisualStyleChoice -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispSettingsPage -> Trojan.Small : Cleaned with backup
::Report End
siliconman01
January 27th, 2006, 04:49 AM
I think we might be seeing a False Positive here. My registry scan by Ewido using both rulesets 1686 and 1687 gave this. I restored these registry entries after finding the elements documented on the Microsoft site.
+ Created on: 3:12:51 AM, 1/27/2006
+ Report-Checksum: D008A0F4
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispBackgroundPage -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispAppearancePage -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispScrSavPage -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispSettingsPage -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispCPL -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-507921405-1644491937-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-507921405-1644491937-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings -> Trojan.Small : Cleaned with backup
::Report End
OldRebel
January 27th, 2006, 06:55 AM
Where were these documented at Microsoft? I would be concerned now that I deleted something that was supposed to be there, but I can find no information anywhere about any service named XMYRVEKG.EXE. It is strange that an unknown service would appear. It has never been in my HJT logs before. That suggests there is more to this.
karl.ewido
January 27th, 2006, 07:17 AM
These No* (NoDispBackgroundPage, NoDispSettingsPage,...) values are often misused by malware like trojans, spyware and also hijackers.
siliconman01
January 27th, 2006, 07:23 AM
If you do a Google of NoDispBackgroundPage, NoDispAppearancePage, etc. (one at a time), you will find MS pages for these values.
The XMYRVEKG.EXE looks like something that RootkitRevealer set up... possibly.
Karl.ewido,
Are you saying these keys should NOT be in the registry? Or that their values may be incorrect? MS documents indicate a 0/1 value is normal and used.
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/93253.asp
dvk01
January 27th, 2006, 07:47 AM
A 0 value is the default and allows the user to change the display as he/she wishes.
A 1 value stops the user.
Many of the recent malwares, especially the smitfraud variants, prevent the user changing the desktop display etc., so Ewido, if it detects the changes, quite rightly restores to the default of 0, or should do.
Are you saying that Ewido deletes the entire key?
Now there are occasions when a user will have set the value to 1 themselves, to prevent, for example, children or other users on the computer changing the desktop display, or an admin on a company computer might have done this, but as a general rule if it's been changed then it's malware that has caused it.
siliconman01
January 27th, 2006, 08:08 AM
Ewido is removing the key...which I don't feel is the correct action.
dvk01
January 27th, 2006, 08:16 AM
{QUOTE-> Ewido is removing the key...which I don't feel is the correct action. <-QUOTE}
It shouldn't really, in my view.
It should change any values of 1 to 0.
BUT not having the key there is the same as a value of 0, and many computers that have never been infected won't have the keys at all (I don't have them at all).
And when I am fixing computers with hidden problems or phishing attacks etc., these are among the keys we look at to see if the infection is present.
It does absolutely NO harm to remove them.
siliconman01
January 27th, 2006, 08:29 AM
It's kinda a catch-22 then for how Ewido handles them, eh? Being as no harm is done other than for the power user who wants them to be 1 (for whatever reason).
I'm just kinda curious why these suddenly show up in the Ewido ruleset. It sounds like a weak rule that is associating these keys with some other malicious component that is present on an infected system.
dvk01
January 27th, 2006, 08:47 AM
The only reason those keys would be found on an uninfected computer would normally be if you have installed a program to restrict access to certain functions, or you are using XP Pro or W2K/2003 with restrictive policies enabled, and that should only happen in a corporate environment.
Those keys are NOT routinely installed on any Windows version, and the only time I have seen them legitimately on computers is the above scenario, or just possibly something like WindowBlinds or other display tweaking tools MIGHT install them so that only that tool can alter the display.
siliconman01
January 27th, 2006, 09:31 AM
Well, I'm not in agreement that it would "only happen in a corporate environment".
There's a lot of us beta testers who implement such things in order to get out of Beta messes without having to reformat and start fresh. For example I've found it invaluable to do what is shown here in order to maintain my sanity with Windows XP-SP2 HE.
http://www.dougknox.com/xp/tips/xp_home_sectab.htm
My point is these are valid keys that are provided for a purpose and use. They should not be removed just because they (free standing) "may" be part of a trojan or other malicious element. At worst case, they should be restored to the default value. There are just too many invalid (for the sake of a better word) registry changes/removals caused by false positives from security programs themselves. Sometimes I "scratch my head" as to how the normal computer user even operates after some of the calamity false positives I've seen posted on various forums. JMO.
stapp
January 27th, 2006, 10:38 AM
This was in my scan result today.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:38:12, 27/01/2006
+ Report-Checksum: 5B194754
+ Scan result:
HKU\S-1-5-21-4165638892-1836235263-827478911-1007\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4165638892-1836235263-827478911-1007\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop -> Trojan.Small : Cleaned with backup
::Report End
OldRebel
January 27th, 2006, 03:01 PM
{QUOTE-> If you do a Google of NoDispBackgroundPage, NoDispAppearancePage, etc. (one at a time), you will find MS pages for these values.
The XMYRVEKG.EXE looks like something that RootkitRevealer set up... possibly.
Karl.ewido,
Are you saying these keys should NOT be in the registry? Or that their values may be incorrect? MS documents indicate a 0/1 value is normal and used.
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/93253.asp <-QUOTE}
This information has clarified the meaning of those registry keys for me, and hopefully this average home user has not damaged his PC! However, I cannot duplicate or recreate a service entry equivalent to XMYRVEKG.EXE. I ran RootkitRevealer - as an experiment - and no new randomly named service appeared in my HJT log after the scan was completed and program closed. IMO this leaves the origin of that service in doubt.
OldRebel
January 27th, 2006, 03:13 PM
{QUOTE-> This information has clarified the meaning of those registry keys for me, and hopefully this average home user has not damaged his PC! However, I cannot duplicate or recreate a service entry equivalent to XMYRVEKG.EXE. I ran RootkitRevealer - as an experiment - and no new randomly named service appeared in my HJT log after the scan was completed and program closed. IMO this leaves the origin of that service in doubt. <-QUOTE}
I forgot to mention that when I ran RootkitRevealer today, Microsoft Antispyware did alert me to its automatically granting a new service, RMCCLH.EXE, to be added. BUT, after the scan was completed and closed, I could not find that service still running using administrative tools, task manager, Microsoft Antispyware tools, or Ewido's running processes. Therefore, I conclude that RootkitRevealer does add a new service, but it does not keep that service running after the scan is closed. The XMYRVEKG.EXE was not only present in my HJT log, it was started and I had to disable it before I could remove it. I don't know squat about most of this, but IMO that is a suspicious service that I would have never noticed if it had not been for Ewido's original alert to the Trojan.small items. I say Thanks to Ewido!
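The thread never identifies what created the XMYRVEKG.EXE service, but the posts do show what a first look at an unexpected service involves: its short name, whether it is running, how it starts, and which file it points at. The script below is an added example and is not code from the thread or from any tool it mentions. It assumes, as a triage heuristic and not a rule from the page, that an all-uppercase, letters-only service name of six or more characters (the shape of XMYRVEKG, RMCCLH and XMPENSOGGNWRKK in the thread) is worth a manual look; legitimate software such as RootkitRevealer's temporary service or a game's copy-protection service can match too, so the output is a review list, not a verdict.

```powershell
# Added example (not from the thread): list services whose short name matches an
# all-uppercase, letters-only pattern and show where their binary lives and
# whether that file still exists. Read-only; nothing is stopped or deleted.
# Assumption: the name pattern below is a triage heuristic chosen for this example.

$pattern = '^[A-Z]{6,}$'

function Get-ServiceExecutable {
    param([string]$PathName)
    # PathName may be quoted ("C:\path\svc.exe" -arg) or unquoted with arguments
    # (C:\Windows\system32\svchost.exe -k netsvcs); return only the executable part.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' -| /')[0]
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -cmatch $pattern } |   # -cmatch: case-sensitive, so lowercase names are skipped
    ForEach-Object {
        $exe = Get-ServiceExecutable -PathName $_.PathName
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State        # Running / Stopped
            StartMode   = $_.StartMode    # Auto / Manual / Disabled
            Executable  = $exe
            FileExists  = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before and after installing or running a tool, and compare the two lists; a service that appears, is set to start automatically, and points at a file in a temporary or user-writable directory is the kind of entry the thread's HJT comparison was trying to surface.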
siliconman01
January 27th, 2006, 04:08 PM
Ruleset 1689 no longer detects the 7 registry values I posted as malicious items in the registry.
OldRebel,
You might try restoring the registry entries from quarantine, download the latest ruleset and see which ones, if any, are still detected. Just a thought!
OldRebel
January 27th, 2006, 04:41 PM
{QUOTE-> Ruleset 1689 no longer detects the 7 registry values I posted as malicious items in the registry.
OldRebel,
You might try restoring the registry entries from quarantine, download the latest ruleset and see which ones, if any, are still detected. Just a thought! <-QUOTE}
Ah so! Wish I could do that experiment. Too late. They are deleted. I guess I can survive without them.
OldRebel
January 28th, 2006, 04:32 PM
Just for everyone's information, I want to share info that I got from the Microsoft Antispyware newsgroup about this. I am a home user, sole administrator, and use Windows XP SP2 Home Edition, so this info is pertinent to me. It indicates the changes Ewido detected could have been made by malware and concurs with opinions of others on this forum. They said, in part:
_______________________________________________________________
restore a backup with Ewido, open the main menu and click Quarantine, left click the entry you wish to restore then press the Restore button. I'm really not sure if this is a false positive though. They are not active trojan files, but the values could have been added or changed by malware to make it more difficult to clean up. If Ewido has reset the values to 0 then it's disabled them, and if Ewido deletes the key values the system behaves as though the value is 0, so it wouldn't cause you any problems.
The only reason those policy entries would exist is if you have XP Pro, W2K/2003 and have the restrictive policies enabled, and disabling the policy would also delete the values Ewido has removed. If some tweaking tool or your Administrator has added restrictions that would explain it, and in that sense it could get frustrating if Ewido is removing the keys, but they were not protective. If they were set to enabled then you will lose a lot of functions and control, and if they are disabled it would be the same as deleting the values.
Here's a support page showing how to lock a pc using the policy values:
http://support.microsoft.com/?kbid=198771
_________________________________________________________________
I guess I'll consider this matter closed and leave well enough alone. Thanks again to Ewido for alerting me to this issue.
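dvk01's posts and the quoted newsgroup reply both describe the same semantics for these policy values: absent or 0 is the default and the user may change the display, 1 restricts the user, and a legitimate 1 normally comes only from a domain policy, a tweaking tool or a deliberate administrator setting. The script below is an added example, not code from the thread, Ewido or Microsoft. It audits the value names that appeared in the scan reports above under both the machine hive and the current user's hive (HKCU is the logged-on user's HKU\S-1-5-... key), reports only the ones actually set to a non-zero value, and, if asked, resets them to 0 rather than deleting them, which is the handling the thread preferred.

```powershell
# Added example (not from the thread): audit the Explorer/ActiveDesktop/System
# policy values that the Ewido reports listed, classifying each as Absent,
# Default(0) or Restricted(<data>). Read-only unless -ResetToDefault is given.
# Assumption: the value names below are taken from the scan reports in the thread;
# semantics (absent == 0 == default, 1 == restricted) follow the posts above.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$ResetToDefault
)

# Value names grouped by the Policies subkey they live under.
$PolicyValues = @{
    'Explorer'      = @('NoActiveDesktop', 'NoActiveDesktopChanges', 'NoSaveSettings', 'NoThemesTab')
    'ActiveDesktop' = @('NoChangingWallPaper', 'NoAddingComponents', 'NoComponents', 'NoDeletingComponents',
                        'NoEditingComponents', 'NoCloseDragDropBands', 'NoMovingBands', 'NoHTMLWallPaper')
    'System'        = @('DisableTaskMgr', 'NoDispAppearancePage', 'NoColorChoice', 'NoSizeChoice',
                        'NoDispBackgroundPage', 'NoDispScrSavPage', 'NoDispCPL', 'NoVisualStyleChoice',
                        'NoDispSettingsPage')
}

# Both locations the reports showed: machine-wide and the current user.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

$results = foreach ($root in $Roots) {
    foreach ($subkey in $PolicyValues.Keys) {
        $keyPath = Join-Path $root $subkey
        foreach ($name in $PolicyValues[$subkey]) {
            $state = 'Absent'      # no key or no value: Windows behaves as if it were 0
            $data  = $null
            if (Test-Path $keyPath) {
                $item = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) {
                    $data  = [int]$item.$name
                    $state = if ($data -eq 0) { 'Default(0)' } else { "Restricted($data)" }
                }
            }
            [pscustomobject]@{ Key = $keyPath; Value = $name; Data = $data; State = $state }
        }
    }
}

# Only non-zero values restrict the user; Absent and Default(0) need no action.
$restricted = @($results | Where-Object { $_.State -like 'Restricted*' })
if ($restricted.Count -gt 0) {
    $restricted | Format-Table -AutoSize
} else {
    Write-Host 'No restriction policy values set; all audited values are absent or 0.'
}

# Optional remediation: set the value back to 0 instead of deleting it, so a
# deliberate administrator or tweaking-tool setting can be recognised and reviewed.
if ($ResetToDefault) {
    foreach ($r in $restricted) {
        if ($PSCmdlet.ShouldProcess("$($r.Key)\$($r.Value)", 'Set to 0')) {
            Set-ItemProperty -Path $r.Key -Name $r.Value -Value 0 -Type DWord
        }
    }
}
```

Run it without switches to get the review list; `-ResetToDefault -WhatIf` previews the changes, and `-ResetToDefault` applies them. On a machine where the values turned out to be a deliberate restriction (the beta-tester and parental-control cases raised in the thread), the report alone is enough to explain what a scanner would otherwise flag.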
redwolfe_98
January 29th, 2006, 07:44 AM
I also noticed that what Ewido did in removing the keys was to restore the "defaults", i.e. no keys. :)
Heco
January 29th, 2006, 09:47 AM
{QUOTE-> AFter i updated Ewido anti-malware today, I ran a scan and it picked up 22 items that it called Trojan.small. I also ran a HJT log and discovered a new service listed on my PC: XMYRVEKG.exe. AFter I quarantined and finally deleted the 22 trojan items with Ewido, I ended that new service and deleted it using HJT Misc tools. Does anyone know what this might have been? <-QUOTE}
Aren't this service and executable related to a game you have installed recently? I also have a service named "XMPENSOGGNWRKK" together with another one, "C-DillaCdaC11BA", since I installed "Conflict Vietnam" on my computer... I set them both to MANUAL.
Hope this helps.
Cheers
OldRebel
January 30th, 2006, 08:06 PM
Just for the record, I still do not know what program used that executable file. It was not from a game, because I have not downloaded any games.
I did find out from an experiment someone else conducted that my default value for those registry keys (empty) had been changed to 0 by SmitRem when I ran it recently. Ewido simply changed the keys back to default (empty). SmitRem changes them to 0 in case smitfraud or one of its variants had changed them to 1.
Copyright ©2002 - 2009, Wilders Security Forums