vulnerability?

Discussion in 'malware problems & news' started by argus tuft, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Hi all, when scanning with Ad-Aware, I always get this
    HKEY_CLASSES_ROOT:regfile\shell\open\command"" ("regedit.exe" "%1")
    reported as a Windows vulnerability. Whenever I let Ad-Aware fix it, Spybot's TeaTimer pops up a box asking if I want to allow/remember this. I tell it to do both. Next time I scan with Ad-Aware this 'vulnerability' has returned. Can anyone say what the cause/significance of this is? Thanks in advance, Argus :)
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    All I can say is that the default entry for HKEY_CLASSES_ROOT\regfile\shell\open\command is:-

    regedit.exe "%1"

    [Note the quotes around the %1 but not Regedit.exe]

    This just means that regfiles (ie files with .reg extension) are run by Regedit. Malware may wish to prevent this by making changes. Indeed changing file associations is a way a trojan can get running. If the trojan associated itself with, say, a .txt file then every time you attempted to open such a file you would run the trojan instead of running Notepad!

    That is why AdAware is looking at these Reg positions, however if you look in Regedit and find both

    HKEY_CLASSES_ROOT\regfile\shell\open\command and

    HKLM\Software\Classes\Root\regfile\shell\open\command

    have the correct entry then there is something wrong with AdAware!
     
  3. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Thanks TopperID,
    When I booted up this morning, about the first thing that happened was a box from Spybot saying that it had allowed the change of regedit.exe "%1" back to what it was before!
    Re regedit, in HKEY_CLASSES_ROOT\regfile\shell\open\command it said regedit.exe "%1"
    and there was no HKLM\Software\Classes\Root\regfile\shell\open\command, rather it was HKLM\Software\Classes\regfile\shell\open\command, and it was correct there...
    Should there be a Root? o_O
    Argus
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    No, sorry, that was a typo due to my fingers working faster than my brain. :D

    It should be:-

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command

    as you say.
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Possibly or the database is not current :doubt:

    With Adaware's latest database of SE1R135 27.11.2006 I am not seeing this notification of a problem :doubt:

    argus tuft,

    Would you mind going to the Start button > Run and copying the bold portion below into the Open: window please.

    regedit /e c:\regfile.txt "HKEY_CLASSES_ROOT\regfile\shell\open\command"

    click OK to execute the command.

    That will export that key to a newly created file into your C:\ drive as a file named regfile.txt

    Would you then find that file and post the contents please. This will let us double check what Adaware is actually reporting.

    Thanks,
    Bubba
     
  6. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Thanks everyone for your help, much appreciated :)
    the contents of the regfile are:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\regfile\shell\open\command]
    @="regedit.exe \"%1\""

    This morning Spybot reported that it had allowed the change of extension handler category based on my whitelist?
    It seems that when I allow Ad-Aware to fix it, I have to tell Spybot to allow the change, and then Spybot allows it to be changed back again! I have absolutely no idea what is doing the changing however.. :-(
    Thanks again, Argus
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That particular entry is a valid entry and Adaware should not be alerting to that entry. What definitions file are you using?
    Open Adaware and look in the Initialization Status area of the Ad-Aware SE Status section.

    Also....in reading some of your past posts I'll assume this is on your XP SP2 system?
    If so....open Windows Explorer and go to the Documents and Settings\All Users\Spybot - Search & Destroy\Excludes folder. Look for the RegKeyWhite.sbe file and right click that file....then select Open With > Notepad....copy the registry entry contents of that file and paste that info into a post to this thread please.

    BTW....do you use a program called Script Sentry :doubt:

    Bubba
     
  8. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Thanks for your response Bubba,
    Ad-aware's current def file is SE1R135 27.11.2006, though this has been happening through the last couple of ad-aware updates...
    Here is regkeywhite, I hope you wanted the whole thing! (I am on XP sp2)
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe=C:\WINDOWS\system32\ssstars.scr
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Name of App=C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon=
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent=
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\InstallShieldSetup=C:\PROGRA~1\INSTAL~1\{0BEDB~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{0BEDB~1\reboot.ini
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}=
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}=
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NeroFilterCheck=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0=rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\-edit-\LOCALS~1\Temp\IXP000.TMP\"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\NetFxUpdate_v1.1.4322="C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\WinSideBySideSetupCleanup 10221485=rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\10221485
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\WinSideBySideSetupCleanup 10221840=rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\10221840
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\WinSideBySideSetupCleanup 10315201=rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\10315201
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\FLMK08KB=C:\Program Files\Multimedia Keyboard\KbdAp32A.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\WMC_RebootCheck=C:\WINDOWS\inf\unregmp2.exe /FixUps
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\iTunesHelper="C:\Program Files\iTunes\iTunesHelper.exe"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\SpybotSnD="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PPPackage=C:\WINDOWS\Temp\PPPackage\setup.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updateMgr=C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\READER\AdobeUpdateManager.exe AcRdB7_0_0
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updateMgr=C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\READER\ADOBEUPDATEMANAGER.EXE AcRdB7_0_0 -reboot 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updateMgr=C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\READER\ADOBEUPDATEMANAGER.EXE AcRdB7_0_7 -reboot 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Regcledtkrn=C:\WINDOWS\system32\Regsvr32.exe /s "C:\Program Files\CyberLink\PowerDirector Express\cledtkrn.dll"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}=
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}=
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender="C:\Program Files\Windows Defender\MSASCui.exe" -hide
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\!ewido="C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe=C:\WINDOWS\system32\sspipes.scr
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AnyDVD="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AnyDVD=C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon=
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SUPERAntiSpyware=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page=http://go.microsoft.com/fwlink/?LinkId=54896
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page=http://go.microsoft.com/fwlink/?LinkId=69157
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=http://go.microsoft.com/fwlink/?LinkId=69157
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL=http://go.microsoft.com/fwlink/?LinkId=54896
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\NoIE4StubProcessing=C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout=
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}=
    HKEY_CLASSES_ROOT\regfile\shell\open\command\="regedit.exe" "%1"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv=grpconv -o
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SandboxieControl=C:\Program Files\Sandboxie\Control.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{E947A403-B614-4FA8-B9E7-E790F0BDC87E}=
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E947A403-B614-4FA8-B9E7-E790F0BDC87E}=
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\IERESETATTRIB=%SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\IERESETICONS=%SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}=
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}=
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0=rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\-edit-\LOCALS~1\Temp\IXP001.TMP\"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Ulead AutoDetector v2=C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SpywareTerminator="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SpywareTerminator="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WPDShServiceObj={AAA288BA-9A4C-45B0-95D7-94D524869DB5}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\MPlayer2_FixUp=C:\WINDOWS\inf\unregmp2.exe /Fixups
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\KB926239=rundll32.exe apphelp.dll,ShimFlushCache

    No, I have never used script sentry :-( should I be?
    Thanks, Argus
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    You are welcome, and yes, that is the latest update.

    Not necessarily; I was just asking because it is one of many programs out there that does modify that key, and I was just making sure Adaware or Spybot was not burping on something not mentioned or seen.

    If you look at that Spybot RegKeyWhite list that you posted there are 2 entries and they are different. One of them has quotes around regedit.exe and one does not. As TopperID alluded to early on....the one that is proper is the one without quotes around regedit.exe. Due to the way Spybot TeaTimer works in monitoring the registry and how it saves the allowed entries....I am of the opinion that due to Spybot being told to allow the one with quotes it is somehow in a vicious loop. How or why you initially had any request for modifications to that regfile key is anybody's guess and is probably water under the bridge. However, as TopperID said....there is malware that finds these types of keys of interest.

    Anyway....TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you are likely to get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshot was taken. This happens primarily when you reboot the system. To refresh TeaTimer's snapshot files:

    • Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
      • TeaTimer closes.
      • TeaTimer's snapshot files are refreshed at this time.

    Then edit\delete the white list with those regedit.exe entries....the one with quotes and the one without quotes. To edit\delete this information:
    • Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
      • Allowed processes
      • Blocked processes
      • Allowed registry changes
      • Blocked registry changes

        Note: If you don't see all four buttons, try expanding the window to the right.

        You can review all the entries that you have stored by clicking on these buttons. The entries that you should review are in "Allowed registry changes" and "Blocked registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember so that during future changes to these items TeaTimer will issue a pop-up dialog rather than just a notification pop-up.

    I would then re-boot and see if Adaware still burps.

    Bubba
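    As an added example (not code from the thread, nor from Ad-Aware or Spybot), the following Python parses a regedit /e export like the one argus tuft posted in post 6 and checks the handler's default command against the correct value TopperID gives in post 2, so the quoted-versus-unquoted regedit.exe difference Bubba points out in post 9 is flagged by a check rather than by eye. The second key in the constructed sample is made up to show what a hijacked handler looks like in the report.

```python
import re

# Known-good default for the .reg handler, as TopperID states in post 2:
# regedit.exe is unquoted and only the %1 argument is quoted.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command": 'regedit.exe "%1"',
}
_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    """Decode .reg string escapes (backslash-quote, backslash-backslash)."""
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key (lower-cased): {value_name: data}}; '@' is the default value.
    Only REG_SZ ("...") data is decoded; other types are kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            current = m.group(1).lower()   # registry key names are case-insensitive
            keys[current] = {}
            continue
        m = _VAL.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "@" if name == "@" else _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def check_handlers(text, expected=EXPECTED):
    """Return [(key, status, actual)], status being ok, mismatch or missing."""
    found = parse_reg_export(text)
    report = []
    for key, good in expected.items():
        values = found.get(key.lower(), {})
        if "@" not in values:
            report.append((key, "missing", None))
        else:
            report.append((key, "ok" if values["@"] == good else "mismatch", values["@"]))
    return report

# Constructed sample: argus tuft's export from post 6, plus a made-up hijacked HKLM handler.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]
@="\"C:\\Sample\\not-regedit.exe\" \"%1\""
'''
```

    Running check_handlers(SAMPLE) reports the first key as ok and the second as a mismatch; a key absent from the export is reported as missing so a deleted handler is not mistaken for a clean one.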
     
  10. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Thanks Bubba,
    I have done what you suggested, and it's done the trick :), Ad-Aware found nothing.
    As you obviously know what you're talking about re Spybot, do you know how I can 'update' it, e.g. new entries (in startup, BHOs, ActiveX etc.) are in bold type?
    Does that even make sense? Anyway, thanks again for your help and patience!
    argus
     