Rogue.DriveCleaner?????

Hello, today I thought I would d/l Malwarebytes and scan my system just to see if it detected anything that Comodo may have missed.
Anyway, the scan result said I had a Rogue.DriveCleaner:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6}

My computer works fine... no apparent naughty stuff going on with my computer. Do you think this is a false positive? Or if not, why didn't Comodo pick this up?

Thanks
Nick

Hi nalacknick,

If you can find the FP file, you can submit it through this link: Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year, and we can have a look at it.

Thanks and Regards,
hailong.■■■■

Hi hailong.■■■■... I think I have submitted the file to you... I exported the file from regedit to My Documents and then submitted it to you and VirusTotal... VirusTotal came up clean, so maybe a FP from Malwarebytes??
Please let me know if you have received the file and the results.
Thanks
Nick

Hello nalacknick,

The registry entry and the corresponding .reg file are unlikely to be malicious in themselves.

It appears that MBAM detected a registry remnant/leftover of DriveCleaner, though it didn't report any executable which could be submitted for analysis (maybe the files aren't there anymore).

According to some HijackThis and SAS logs posted elsewhere on the Internet, the 2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6 GUID corresponds to a component installed in Internet Explorer's "Downloaded Program Files" special folder.

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
Malware.DriveCleaner
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files#C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#INF
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\InstalledVersion#LastModified

Opening the "Downloaded Program Files" folder, it is possible to look at the properties of the installed components (it will also list legitimate components) and to remove them, but not to copy them.

In order to copy the content of that folder, it is necessary to use the cmd prompt and several commands:


rem change into the special folder (quoted because the name contains spaces; /d also switches drive if needed)
cd /d "%windir%\Downloaded Program Files"
rem create the destination folder first, so xcopy treats it as a directory and does not ask
md C:\foldercopy
rem /s copies subfolders, /h also copies hidden and system files, which this folder may contain
xcopy /s /h . C:\foldercopy
rem /a lists hidden files as well, so the listing matches what was copied
dir /s /a > C:\foldercopy\list.txt

These commands should create a foldercopy folder on C: (C:\foldercopy) containing all the files and a list (list.txt).

Hi Endymion,
here is the log from MBAM:

Malwarebytes’ Anti-Malware 1.40
Database version: 2712
Windows 5.1.2600 Service Pack 2

30/08/2009 09:50:59
mbam-log-2009-08-30 (09-50-59).txt

Scan type: Quick Scan
Objects scanned: 14293
Time elapsed: 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Looks like maybe, as you say, just a remnant of a nasty left in the registry??

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats (http://msdn.microsoft.com/en-us/library/dd433050(VS.85).aspx) apparently contains only statistics info, and in IE8 it is used to restrict ActiveX on a per-site basis (AllowedDomains).

Though HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} could be an indication of DriveCleaner, it is not that relevant if the corresponding component has already been removed.

It looks like MBAM did not detect the component, so it is likely that the DriveCleaner files have been removed, but confirming this manually requires some additional steps.

Ok, thanks Endymion... what do you suggest I do to confirm for sure? I must point out that I am not experienced when it comes to removing nasties, as I do try to keep a tight ship (thx to Comodo), so usually nasties don't get a chance to infect my system.
Your advice would be appreciated.
Thanks
Nick

P.S. I have a folder copy of the d/l prog files, if that is still relevant?

If you copied the download folder, you can submit those files to VirusTotal.

You can also access Downloaded Program Files normally and check the packages' properties to see if there is one with the {2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} GUID.

E.g. the above image shows the properties of the Flash Player component, including its GUID.

You can also manually create a restore point and then use regedit.exe to confirm whether HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} is still there.

HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files should point to the actual file location of the DriveCleaner component.

[attachment deleted by admin]
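The checks described in the two posts above (copy the Downloaded Program Files folder, look up the Distribution Unit for the GUID in the Code Store Database, see where Contains\Files points and whether that file is still on disk, and check the per-user Ext\Stats key) can be done in one pass with the PowerShell below. This is an added example, not code from this thread or from Comodo; it assumes a PowerShell with the registry provider and Get-FileHash (version 4 or later, so it would not run on the XP SP2 box in the thread, where the cmd commands above are the route), the C:\foldercopy destination is borrowed from the thread as an assumption, and the only GUID it knows is the one from the logs above.

```powershell
# Added example (not from the thread): audit Internet Explorer "Distribution Units"
# in the Code Store Database and cross-check them against the files on disk and the
# per-user Ext\Stats key. Assumes PowerShell 4+ (Get-FileHash) and read access to HKLM.

$DuRoot     = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$StatsRoot  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats'
$DpfDir     = Join-Path $env:windir 'Downloaded Program Files'
$TargetGuid = '{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}'   # DriveCleaner DU GUID from the logs above

function Get-DistributionUnit {
    # What the Code Store Database records for one DU GUID, plus whether the files
    # it claims to have installed still exist. Returns $null if the DU is not registered.
    param([Parameter(Mandatory)][string]$Guid)

    $duKey = Join-Path $DuRoot $Guid
    if (-not (Test-Path -LiteralPath $duKey)) { return $null }

    $dl = Get-ItemProperty -LiteralPath (Join-Path $duKey 'DownloadInformation') -ErrorAction SilentlyContinue

    # Under Contains\Files each *value name* is the full path of an installed file
    # (compare the "Contains\Files#C:\WINDOWS\Downloaded Program Files\..." line in the SAS log).
    $files = @()
    $filesKey = Join-Path $duKey 'Contains\Files'
    if (Test-Path -LiteralPath $filesKey) {
        $files = @((Get-Item -LiteralPath $filesKey).GetValueNames())
    }

    [pscustomobject]@{
        Guid         = $Guid
        CodeBase     = $dl.CODEBASE   # URL the CAB came from; this is what the HJT O16 line shows
        Inf          = $dl.INF
        Files        = $files
        MissingFiles = @($files | Where-Object { -not (Test-Path -LiteralPath $_) })
        HasStatsKey  = Test-Path -LiteralPath (Join-Path $StatsRoot $Guid)
    }
}

function Get-AllDistributionUnits {
    # Every registered DU, so legitimate ones (Flash Player, Java, ...) appear too.
    # Look for CODEBASE hosts you do not recognise and for DUs whose files are gone.
    Get-ChildItem -LiteralPath $DuRoot | ForEach-Object { Get-DistributionUnit $_.PSChildName }
}

function Export-DpfFolder {
    # Same purpose as the xcopy/dir commands earlier in the thread, plus SHA-256 hashes
    # so single files can be looked up on VirusTotal without uploading the whole folder.
    param([string]$Destination = 'C:\foldercopy')   # assumed destination, as in the thread
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -LiteralPath $DpfDir -Destination $Destination -Recurse -Force
    Get-ChildItem -LiteralPath $DpfDir -Recurse -File -Force |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -LiteralPath (Join-Path $Destination 'hashes.csv') -NoTypeInformation
}

# Usage: the DriveCleaner DU first, then an overview of everything else.
$du = Get-DistributionUnit $TargetGuid
if ($null -eq $du) {
    "No Distribution Unit $TargetGuid in the Code Store Database: the component is not registered."
} else {
    $du | Format-List
    if ($du.Files.Count -gt 0 -and $du.MissingFiles.Count -eq $du.Files.Count) {
        "DU is still registered but none of its files exist on disk: only the registry remnant is left."
    }
}
Get-AllDistributionUnits |
    Select-Object Guid, CodeBase, @{ n = 'Missing'; e = { $_.MissingFiles.Count } } |
    Format-Table -AutoSize
Export-DpfFolder
```

Reading the Code Store Database needs no elevation; the copy and hash step is the one that may need an elevated prompt if access to the folder is denied. A DU with a CODEBASE you do not recognise and a full set of missing files is the pattern this thread describes, a leftover registration whose payload is already gone, and it can be removed from the registry after taking the restore point mentioned above.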

Ok, thank you for the info. I will check it out just for my own peace of mind :)
Thanks
Nick