Trojan.small? XMYRVEKG.EXE? Anyone know what this is?

Discussion in 'ewido anti-spyware forum' started by OldRebel, Jan 27, 2006.

Thread Status:
Not open for further replies.
  1. OldRebel

    OldRebel Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    153
    Location:
    South Carolina USA
    After I updated Ewido anti-malware today, I ran a scan and it picked up 22 items that it called Trojan.small. I also ran an HJT log and discovered a new service listed on my PC: XMYRVEKG.exe. After I quarantined and finally deleted the 22 trojan items with Ewido, I ended that new service and deleted it using HJT Misc tools. Does anyone know what this might have been? My Ewido scan log follows:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 7:24:00 PM, 1/26/2006
    + Report-Checksum: 3905FF66

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoChangingWallPaper -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoAddingComponents -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoComponents -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoDeletingComponents -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoEditingComponents -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoCloseDragDropBands -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoMovingBands -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoHTMLWallPaper -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoThemesTab -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispAppearancePage -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoColorChoice -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoSizeChoice -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispBackgroundPage -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispScrSavPage -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispCPL -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoVisualStyleChoice -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispSettingsPage -> Trojan.Small : Cleaned with backup


    ::Report End
     
  2. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I think we might be seeing a False Positive here. My registry scan by Ewido using both ruleset 1686 and 1687 gave this. I restored these registries after finding the elements documented on the Microsoft site.


    + Created on: 3:12:51 AM, 1/27/2006
    + Report-Checksum: D008A0F4

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispBackgroundPage -> Trojan.Small : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispAppearancePage -> Trojan.Small : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispScrSavPage -> Trojan.Small : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispSettingsPage -> Trojan.Small : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\NoDispCPL -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-507921405-1644491937-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-507921405-1644491937-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings -> Trojan.Small : Cleaned with backup


    ::Report End
     
  3. OldRebel

    OldRebel Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    153
    Location:
    South Carolina USA
    Where were these documented at Microsoft? I would be concerned now that I deleted something that was supposed to be there, but I can find no information anywhere about any service named XMYRVEKG.EXE. It is strange that an unknown service would appear. It has never been in my HJT logs before. That suggests there is more to this.
     
  4. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    These No* (NoDispBackgroundPage, NoDispSettingsPage,...) values are often misused by malware like trojans, spyware and also hijackers.
     
  5. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    If you do a Google of NoDispBackgroundPage, NoDispAppearancePage, etc. (one at a time), you will find MS pages for these values.

    The XMYRVEKG.EXE looks like something that RootkitRevealer set up..possibly.

    Karl.ewido,

    Are you saying these keys should NOT be in the registry? Or that their values may be incorrect? MS documents indicate a 0/1 value is normal and used.

    http://www.microsoft.com/resources/...s/2000/server/reskit/en-us/regentry/93253.asp
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    A 0 value is the default and allows the user to change the display as he/she wishes
    A 1 value stops the user

    Many of the recent malwares, especially the smitfraud variants, prevent the user changing the desktop display etc., so Ewido, if it detects the changes, quite rightly restores the default of 0, or should do.

    Are you saying that Ewido deletes the entire key?

    Now there are occasions when a user will have set the value to 1 themselves, to prevent, for example, children or other users on the computer changing the desktop display, or an admin on a company computer might have done this, but as a general rule if it's been changed then it's malware that has caused it.
     
  7. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Ewido is removing the key...which I don't feel is the correct action.
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It shouldn't really, in my view;
    it should change any values of (1) to (0).

    BUT not having the key there is the same as a value of 0, and many computers that have never been infected won't have the keys at all (I don't have them at all).
    And when I am fixing computers with hidden problems or phishing attacks etc., one of the things we look at to see if the infection is present is these keys.

    It does absolutely NO harm to remove them.
     
  9. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    It's kinda a catch22 then for how Ewido handles them, eh? Beings no harm is done other than for the power user who wants them to be 1 (for whatever reason).

    I'm just kinda curious why these suddenly show up in the Ewido ruleset. It sounds like a weak rule that is associating these keys with some other malicious component that is present on an infected system.
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The only reason those keys would be found on an uninfected computer would normally be if you have installed a program to restrict access to certain functions, or you are using XP Pro or W2K/2003 with restrictive policies enabled, and that should only happen in a corporate environment.

    Those keys are NOT routinely installed on any Windows version, and the only time I have seen them legitimately on computers is the above scenario, or just possibly something like WindowBlinds or other display tweaking tools MIGHT install them so that only that tool can alter the display.
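    The posts above explain two things a reader of one of these reports needs to separate: whether a detection was a file or one of the user-restriction policy values, and that for those values absent or 0 is the Windows default while 1 is what restricts the user. The helper below is an added example (not code from the thread or from ewido) that parses lines in the report format posted in this thread and applies that rule; the sample lines and SID are constructed.

```python
import re
from collections import Counter

# Policy value names from the ewido reports posted in this thread; per the
# thread, absent or 0 is the Windows default and 1 restricts the user.
RESTRICTION_VALUES = frozenset(
    "NoActiveDesktopChanges DisableTaskMgr NoChangingWallPaper NoAddingComponents "
    "NoComponents NoDeletingComponents NoEditingComponents NoCloseDragDropBands "
    "NoMovingBands NoHTMLWallPaper NoActiveDesktop NoSaveSettings NoThemesTab "
    "NoDispAppearancePage NoColorChoice NoSizeChoice NoDispBackgroundPage "
    "NoDispScrSavPage NoDispCPL NoVisualStyleChoice NoDispSettingsPage".split())

# Registry detections look like:  <key>\\<value> -> <detection> : <action>
LINE_RE = re.compile(r"^(?P<key>.+?)\\\\(?P<value>\S+) -> (?P<det>.+?) : (?P<action>.+)$")
# Constructed sample lines in the thread's report format (not a real scan).
SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispCPL -> Trojan.Small : Cleaned with backup
C:\Windows\Temp\example.exe -> Trojan.Small : Cleaned with backup
"""

def parse_line(line):
    """Classify one 'Scan result' line; returns None for blank or header lines."""
    line = line.strip()
    if " -> " not in line:
        return None
    m = LINE_RE.match(line)
    if m is None:  # no '\\' separator: a file detection, not a registry value
        path, _, rest = line.partition(" -> ")
        det, _, action = rest.partition(" : ")
        return {"kind": "file", "path": path, "detection": det, "action": action}
    parts = m.group("key").split("\\")
    name = m.group("value")
    return {"kind": "registry", "hive": parts[0],
            "sid": parts[1] if parts[0] == "HKU" else None,
            "policy_key": parts[-1],  # Explorer, System or ActiveDesktop
            "value": name, "detection": m.group("det"), "action": m.group("action"),
            "restriction_policy": name in RESTRICTION_VALUES}

def triage(report_text):
    """Count file hits vs. policy-value hits; group the latter by hive and key."""
    items = [r for r in map(parse_line, report_text.splitlines()) if r]
    files = sum(r["kind"] == "file" for r in items)
    policies = [r for r in items if r["kind"] == "registry" and r["restriction_policy"]]
    by_key = Counter((r["hive"], r["policy_key"]) for r in policies)
    return {"files": files, "policy_values": len(policies), "by_key": dict(by_key)}

def assess_policy_data(data):
    """dvk01's rule for a value read back from the registry: absent or 0 is default, 1 restricts."""
    if data is None or data == 0:
        return "default"
    return "restricted" if data == 1 else "unexpected"
```

    A report made up only of policy-value hits with no file hit is the pattern this thread ends up calling a likely false positive; a restricted value on a home machine with no parental-control or tweaking tool installed is the case worth keeping the cleanup for.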
     
  11. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Well, I'm not in agreement that "only happen in a corporate environment".

    There's a lot of us beta testers who implement such things in order to get out of Beta messes without having to reformat and start fresh. For example I've found it invaluable to do what is shown here in order to maintain my sanity with Windows XP-SP2 HE.
    http://www.dougknox.com/xp/tips/xp_home_sectab.htm

    My point is these are valid keys that are provided for a purpose and use. They should not be removed just because they (free standing) "may" be part of a trojan or other malicious element. At worst case, they should be restored to the default value. There are just too many invalid (for the sake of a better word) registry changes/removals caused by false positives from security programs themselves. Sometimes I "scratch my head" as to how the normal computer user even operates after some of the calamity false positives I've seen posted on various forums. JMO.
     
  12. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,304
    Location:
    England
    This was in my scan result today.
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:38:12, 27/01/2006
    + Report-Checksum: 5B194754

    + Scan result:

    HKU\S-1-5-21-4165638892-1836235263-827478911-1007\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-4165638892-1836235263-827478911-1007\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop -> Trojan.Small : Cleaned with backup


    ::Report End
     
  13. OldRebel

    OldRebel Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    153
    Location:
    South Carolina USA
    This information has clarified the meaning of those registry keys for me, and hopefully this average home user has not damaged his PC! However, I cannot duplicate or recreate a service entry equivalent to XMYRVEKG.EXE. I ran RootkitRevealer - as an experiment - and no new randomly named service appeared in my HJT log after the scan was completed and program closed. IMO this leaves the origin of that service in doubt.
     
  14. OldRebel

    OldRebel Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    153
    Location:
    South Carolina USA
    I forgot to mention that when I ran RootkitRevealer today, Microsoft Antispyware did alert me to its automatically granting a new service, RMCCLH.EXE, to be added. BUT, after the scan was completed and closed, I could not find that service still running using administrative tools, task manager, Microsoft Antispyware tools, or Ewido's running processes. Therefore, I conclude that RootkitRevealer does add a new service, but it does not keep that service running after the scan is closed. The XMYRVEKG.EXE was not only present in my HJT log, it was started and I had to disable it before I could remove it. I don't know squat about most of this, but IMO that is a suspicious service that I would have never noticed if it had not been for Ewido's original alert to the Trojan.small items. I say Thanks to Ewido!
     
  15. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Ruleset 1689 no longer detects the 7 registry values I posted as malicious items in the registry.

    OldRebel,

    You might try restoring the registry entries from quarantine, download the latest ruleset and see which ones, if any, are still detected. Just a thought!
     
  16. OldRebel

    OldRebel Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    153
    Location:
    South Carolina USA
    Ah so! Wish I could do that experiment. Too late. They are deleted. I guess I can survive without them.
     
  17. OldRebel

    OldRebel Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    153
    Location:
    South Carolina USA
    Just for everyone's information, I want to share info that I got from the Microsoft Antispyware newsgroup about this. I am a home user, sole administrator, and use Windows XP SP2 Home Edition, so this info is pertinent to me. It indicates the changes Ewido detected could have been made by malware and concurs with opinions of others on this forum. They said, in part:
    _______________________________________________________________
    To restore a backup with Ewido, open the main menu and click Quarantine,
    left click the entry you wish to restore, then press the Restore button. I'm
    really not sure if this is a false positive though. They are not active
    trojan files, but the values could have been added or changed by malware to make
    it more difficult to clean up. If Ewido has reset the values to 0 then it's
    disabled them, and if Ewido deletes the key values the system behaves as
    though the value is 0, so it wouldn't cause you any problems.

    The only reason those policy entries would exist is if you have XP
    Pro, W2K/2003 and have the restrictive policies enabled, and disabling the
    policy would also delete the values Ewido has removed. If some tweaking tool
    or your Administrator has added restrictions that would explain it, and in
    that sense it could get frustrating if Ewido is removing the keys, but they
    were not protective. If they were set to enabled then you will lose a lot of
    functions and control, and if they are disabled it would be the same as
    deleting the values.

    Here's a support page showing how to lock a pc using the policy values:

    http://support.microsoft.com/?kbid=198771
    _________________________________________________________________
    I guess I'll consider this matter closed and leave well enough alone. Thanks again to Ewido for alerting me to this issue.
     
  18. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I also noticed that what Ewido did in removing the keys was to restore the "defaults", i.e. no keys. :)
     
  19. Heco

    Heco Registered Member

    Joined:
    Mar 8, 2003
    Posts:
    264
    Location:
    Provence, France
    Aren't this service and executable related to a game you have installed recently? I also have a service named "XMPENSOGGNWRKK" together with another one, "C-DillaCdaC11BA", since I installed "Conflict Vietnam" on my computer... I set them both to MANUAL.
    Hope this helps.
    Cheers
     
  20. OldRebel

    OldRebel Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    153
    Location:
    South Carolina USA
    Just for the record, I still do not know what program used that executable file. It was not from a game, because I have not downloaded any games.

    I did find out from an experiment someone else conducted that my default value for those registry keys (empty) had been changed to 0 by SmitRem when I ran it recently. Ewido simply changed the keys back to default (empty). SmitRem changes them to 0 in case smitfraud or one of its variants had changed them to 1.
     