HKEY_CLASSES_ROOT different depending on who is logged in

Discussion in 'Virus Information' started by SnoBoy, Mar 16, 2010.

  1. SnoBoy

    SnoBoy Guest

    In the aftermath of an infection, after deleting the file ave.exe from the
    user's profile, I discovered that a registry key is different if I log in as
    a different admin user than the one that was logged in when the infection
    happened.

    When logged in as the user who was logged in at the time of infection,
    HKEY_CLASSES_ROOT\.exe had an additional \shell\open\command entry that
    opened ave.exe every time you attempted to run any program.

    When logging in as a different admin user, that key wasn't there and instead
    there was a different key, the expected key: PersistentHandler

    It appears to me that this is far more than a simple fake antivirus malware
    infection, so I am reformatting and reinstalling.

    Question is, shouldn't the HKEY_CLASSES_ROOT hive be the same for all users
    unless there is some sort of rootkit like behavior going on?
     
    SnoBoy, Mar 16, 2010
    #1

  2. MEB

    MEB Guest

    Typical of this type of malicious activity, however it also protects
    itself from discovery.

    http://www.prevx.com/filenames/2108630271898590013-X1/AVE.EXE.html

    Interestingly you can find sites that claim it is a safe file as the
    name may be/has been used by supposedly legitimate programs. Of course
    that is one method of hiding malware. Associated with Vista Total
    Care/Vista Security Tool 2010 and several others.

    Two of the other keys affected also include:
    HKEY_CURRENT_USER\Software\Classes\.exe
    HKEY_CURRENT_USER\Software\Classes\secfile

    Your present course of re-installing is the safest method. Make sure to
    zero and re-format using the manufacturer's disk tools, if possible.

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
     
    MEB, Mar 16, 2010
    #2

  3. VanguardLH

    VanguardLH Guest

    There are only 2 real registry hives:

    HKEY_LOCAL_MACHINE
    HKEY_USERS

    All the others are pseudo-hives because they are compiled from entries under
    these two real hives. If you look under HKEY_USERS, you will see there are
    separate sub-branches for each Windows account (listed by the S-1-5-21 SID
    number). The branch for your account gets melded into the pseudo-hives when
    you login under that account.

    There is a Classes branch under the global (machine) hive. There is a
    Classes branch under each user account. HKEY_CLASSES_ROOT is a pseudo-hive
    composed of the global and user (the one currently logged in) Classes
    branches.

    http://www.amazon.com/s/?url=search-alias%3Daps&field-keywords=windows+registry
    You might find these at your local public library. If you're going to dig
    into the registry, you need to know some about how it works.
     
    VanguardLH, Mar 16, 2010
    #3
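    The merged-view explanation above, and the HKEY_CURRENT_USER\Software\Classes keys MEB lists, can be checked directly. This PowerShell script is an added example, not code from the thread: it reads the .exe open handler through HKEY_CLASSES_ROOT and through each Classes branch that view is assembled from (machine, current user, and any other user hive loaded under HKEY_USERS), so a per-user entry like the one SnoBoy saw shows up as a row that differs from the machine row. The function name Get-ExeOpenCommand and the stock handler value `"%1" %*` it compares against are this example's own assumptions; run it from an elevated prompt so other users' hives are readable.

```powershell
# Added example (not from the thread): compare the .exe open handler across the
# merged HKCR view and the Classes branches it is built from.
# Assumptions: function name and the expected handler '"%1" %*' are this
# example's own; run elevated so hives under HKEY_USERS are readable.

function Get-ExeOpenCommand {
    param([string]$ClassesPath)
    $ext = Get-Item -LiteralPath "$ClassesPath\.exe" -ErrorAction SilentlyContinue
    if (-not $ext) { return $null }
    # A command placed directly under .exe\shell\open\command (what SnoBoy found)
    $direct = Get-ItemProperty -LiteralPath "$ClassesPath\.exe\shell\open\command" `
        -ErrorAction SilentlyContinue
    # The normal chain: .exe (Default) -> ProgId (usually "exefile") -> shell\open\command
    $progId = $ext.GetValue('')
    $viaProgId = $null
    if ($progId) {
        $viaProgId = Get-ItemProperty -LiteralPath "$ClassesPath\$progId\shell\open\command" `
            -ErrorAction SilentlyContinue
    }
    $directCmd = $null; $progIdCmd = $null
    if ($direct)    { $directCmd = $direct.'(default)' }
    if ($viaProgId) { $progIdCmd = $viaProgId.'(default)' }
    [pscustomobject]@{
        Source        = $ClassesPath
        ProgId        = $progId
        DirectCommand = $directCmd
        ProgIdCommand = $progIdCmd
    }
}

# Map the two roots the Registry provider does not expose as drives by default
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
New-PSDrive -Name HKU  -PSProvider Registry -Root HKEY_USERS        -ErrorAction SilentlyContinue | Out-Null

$sources = @('HKCR:', 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes')
# Every user hive currently loaded (logged-on users, or hives attached with reg load)
Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { $sources += "HKU:\$($_.PSChildName)\Software\Classes" }

$rows = foreach ($s in $sources) { Get-ExeOpenCommand -ClassesPath $s }
$rows | Format-Table -AutoSize

# Flag a command sitting directly under .exe, or a ProgId command that is not the stock one
$rows | Where-Object {
    $_.DirectCommand -or ($_.ProgIdCommand -and $_.ProgIdCommand -ne '"%1" %*')
} | ForEach-Object {
    Write-Warning "Non-standard .exe handler in $($_.Source): direct='$($_.DirectCommand)' progid='$($_.ProgIdCommand)'"
}
```

    Rows for other users' SIDs only appear while their hives are loaded, which is exactly why SnoBoy saw different contents of HKEY_CLASSES_ROOT depending on who was logged in.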
  4. Much of the registry is created dynamically at logon.
     
    FromTheRafters, Mar 17, 2010
    #4
