Topic: Examine this registry file

Offline Mar

  • Gold Member
  • Posts: 2203
Examine this registry file
« on: October 30, 2014, 07:56:14 PM »
So I caught a few "bitcoin miners" after one decided to start maxing out my CPU: cgminer.exe, cudaminer.exe, and minerd.exe (the one that maxed the CPU). I removed them and everything related to them, including folders and registry files, while in safe mode, and Malwarebytes nailed a trojan calling itself Windows Explorer.

I restarted with the network unplugged and something that seemed to be related to a game my brother downloaded, "Papers, Please", started automatically and tried to connect to the intardweeb to download and install who knows what, probably everything I just removed (I was very amused when it complained to me that it couldn't connect).

Went into safe mode again and wiped all traces of that game that I could find. Then I put my learning cap on for a few moments and discovered msconfig and the startup tab. 3 things stood out: "Power Start", "Windows Explorer", and "Windows Search", all of which were manufactured by Unknown and had odd commands and locations compared to the rest of the list. All three command some kind of gibberish in C:\Windows\Installer\{seemingly random numbers/letters}\_random number/letters.exe. I found the location folder for each (empty) but know nothing of C:\Windows\Installer. I disabled them of course.

So I went to the registry again keying some of those random numbers/letters and found what seems to me the information displayed under the startup tab of msconfig. As far as I can tell they're just shortcuts leading to nowhere now after my rampage through the file system, but I wanted to show it to you guys in case there's info leading to more stuff I need to delete.

Quote
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Power Start.lnk]
"path"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Power Start.lnk"
"backup"="C:\\Windows\\pss\\Power Start.lnk.CommonStartup"
"location"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
"backupExtension"=".CommonStartup"
"command"="C:\\Windows\\Installer\\{E546FCA2-D36A-4AB1-B7C7-EB5FE5BA2B77}\\_2ADCF42E1BE5987D12027F.exe /NOCONSOLE /SILENT \"%windir%\\power.bat\""
"item"="Power Start"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:0000001f
"SECOND"=dword:0000000d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Windows Explorer.lnk]
"path"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Explorer.lnk"
"backup"="C:\\Windows\\pss\\Windows Explorer.lnk.CommonStartup"
"location"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
"backupExtension"=".CommonStartup"
"command"="C:\\Windows\\Installer\\{E546FCA2-D36A-4AB1-B7C7-EB5FE5BA2B77}\\_52A3D7FF1AAE001BB104F5.exe "
"item"="Windows Explorer"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:0000001f
"SECOND"=dword:0000000d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Windows Search.lnk]
"path"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Search.lnk"
"backup"="C:\\Windows\\pss\\Windows Search.lnk.CommonStartup"
"location"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
"backupExtension"=".CommonStartup"
"command"="C:\\Windows\\Installer\\{E546FCA2-D36A-4AB1-B7C7-EB5FE5BA2B77}\\_1CDCC5BF21B5A7ABFFB7F8.exe "
"item"="Windows Search"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:0000001f
"SECOND"=dword:0000000d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ProfilerU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ProfilerU"
"hkey"="HKLM"
"command"="C:\\Program Files\\SmartTechnology\\Software\\ProfilerU.exe"
"inimapping"="0"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:00000020
"SECOND"=dword:0000002e

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SaiMfd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SaiMfd"
"hkey"="HKLM"
"command"="C:\\Program Files\\SmartTechnology\\Software\\SaiMfd.exe"
"inimapping"="0"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:00000020
"SECOND"=dword:0000002e

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000002

By the way, does anybody know what this bitcoin mining business is all about?
𝒻𝓇𝑜𝓂 𝓉𝒽𝑒 𝓈𝒽𝒶𝒹𝑜𝓌𝓈 𝑜𝒻 𝓌𝒶𝓇'𝓈 𝓅𝒶𝓈𝓉 𝒶 𝒹𝑒𝓂𝑜𝓃 𝑜𝒻 𝓉𝒽𝑒 𝒶𝒾𝓇 𝓇𝒾𝓈𝑒𝓈 𝒻𝓇𝑜𝓂 𝓉𝒽𝑒 𝑔𝓇𝒶𝓋𝑒

  "Onward to the land of kings—via the sky of aces!"
  Oh, and zack1234 rules. :old:
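A small triage script for an export like the one quoted above, added here as an example and not code from the thread: it parses the .reg text, pulls each MSConfig-disabled entry's command together with the disable time that MSConfig stores as separate YEAR..SECOND dwords, and flags commands launched from C:\Windows\Installer\{GUID}\ or through a .bat file (that SUSPECT rule is my assumption, not an MSConfig field; the embedded sample is trimmed from the export above).

```python
import re, datetime

# Constructed sample: two entries trimmed from the MSConfig export quoted above.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Power Start.lnk]
"command"="C:\\Windows\\Installer\\{E546FCA2-D36A-4AB1-B7C7-EB5FE5BA2B77}\\_2ADCF42E1BE5987D12027F.exe /NOCONSOLE /SILENT \"%windir%\\power.bat\""
"item"="Power Start"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:0000001f
"SECOND"=dword:0000000d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ProfilerU]
"item"="ProfilerU"
"command"="C:\\Program Files\\SmartTechnology\\Software\\ProfilerU.exe"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:00000020
"SECOND"=dword:0000002e
'''

# Assumed heuristic: no legitimate startup item launches an .exe from the MSI cache C:\Windows\Installer\{GUID}\ or a .bat file.
SUSPECT = re.compile(r'\\Windows\\Installer\\\{[0-9A-F-]+\}\\|\.bat\b', re.I)

def parse_reg(text):
    """Turn a .reg export into {key: {name: value}}; dwords become ints, strings are unescaped."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            entries[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('dword:'):
                entries[current][name] = int(raw[6:], 16)
            else:  # strip the outer quotes, then "\\" -> "\" and '\"' -> '"'
                entries[current][name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return entries

def triage(text):
    """(item, command, disabled_at, suspicious) for each MSConfig-disabled startup entry; the disable time is stored as YEAR..SECOND dwords."""
    rows = []
    for key, vals in parse_reg(text).items():
        if 'command' in vals and r'\MSConfig\startup' in key:
            when = datetime.datetime(*(vals[f] for f in ('YEAR', 'MONTH', 'DAY', 'HOUR', 'MINUTE', 'SECOND')))
            cmd = vals['command'].strip()
            rows.append((vals['item'], cmd, when, bool(SUSPECT.search(cmd))))
    return rows
```

Run `triage(SAMPLE_REG)` (or pass the full export) and every flagged row gives you a command line and the exact moment it was disabled in msconfig, which is worth keeping next to the Malwarebytes log when you reconstruct what happened.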

Offline FLS

  • AH Training Corps
  • Plutonium Member
  • Posts: 11617
Re: Examine this registry file
« Reply #1 on: October 30, 2014, 10:13:23 PM »
You might want to revert to a restore point prior to the game download.

Offline Mar

  • Gold Member
  • Posts: 2203
Re: Examine this registry file
« Reply #2 on: October 30, 2014, 10:49:20 PM »
Too long ago, might as well reformat, but I really don't want to. I can't say for sure that's where it came from anyway.

Rig's running normally with no activity from anything I don't recognize, just wondering if that registry file tells anyone anything.