Page 2 of 2 (results 11 to 19 of 19)

Thread: Win32.Softomate recreates itself in the registry after deletion

  1. #11
    oxford Guest

    Re: Win32.Softomate recreates itself in the registry after deletion

    It 'seems' so, but I'm afraid to use my "FlashGet" program, afraid that it might trigger something. Do you use FlashGet at all? (It's basically a download manager.) But I want to be careful.

  2. #12
    tasman Guest

    Re: Win32.Softomate recreates itself in the registry after deletion

    No, I don't use it. At least you got rid of it for now, and you could try using FlashGet; if it returns you could get rid of it again and you would know that's what caused it. Good luck, Tasman

  3. #13
    cubsfanindiana Guest

    Re: Win32.Softomate recreates itself in the registry after deletion

    I wonder if Win32.Softomate is a false positive, because ZA Pro found it on my system as well. I use Spy Sweeper 5.0 too. Do they still offer discount codes when you renew for the anti-spyware?

  4. #14
    oxford Guest

    Re: Win32.Softomate recreates itself in the registry after deletion

    I don't think they offer it for the ZA spyware edition anymore, but I may be wrong. But they did offer me a discount on Steganos Safe 8 for $19.95 instead of $29.95.

  5. #15
    oldsod

    Re: Win32.Softomate recreates itself in the registry after deletion

    Go here for a free PestPatrol; it is a 2005 version, in English not German, and the updates are free for a year.

    http://www.ca.com/de/dsin/

    Also, the Ewido online scanner is excellent for any question of trojans in the PC:
    ewido.net/

    Plus it becomes freeware after the trial period.

    Oldsod
    Best regards.
    oldsod

  6. #16
    oxford Guest

    Re: Win32.Softomate recreates itself in the registry after deletion

    It has come back, but only when I've established a connection to the internet.

    So, is there a way to instantly delete the registry keys that I specify, which may appear out of nowhere, so I don't have to manually delete them myself?

    I'm sorry if this is a long-winded post.

    This is a summary:

    In summary, when the key HKEY_USERS\S-1-5-21-2258042937-489720601-3762058672-1006\Software\...\{00021492-0000-0000-C000-000000000046} is created [...somehow.. by the contents of \ShellNew\?] the key HKEY_CURRENT_USER\Software\...\{00021492-0000-0000-C000-000000000046} is created WHICH IS THE TROJAN.

    \ShellNew\ =
    Name          | Data              | Type       | Size
    Text Document | 00 00 00 ...      | REG_BINARY | 928
    ~reserved~    | 18 00 00 ...      | REG_BINARY | 24
    Language      | 1033 (0x00000409) | REG_DWORD  | 4
    (default)     | (value not set)   | REG_SZ     | 0

    =========================================================

    The reg key ZoneAlarm originally picked up as the Win32.Softomate trojan:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}

    =========================================================

    Now I have found two other registry keys that are suspiciously linked to the trojan, in two directories; the first one:

    HKEY_USERS\S-1-5-21-2258042937-489720601-3762058672-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}

    =========================================================

    Inside of \...\...\{00021492-0000-0000-C000-000000000046}
    is ENUM

    =========================================================

    \...\...\...\{00021492-0000-0000-C000-000000000046}\ENUM\ is located here:

    HKEY_USERS\S-1-5-21-2258042937-489720601-3762058672-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum

    =========================================================

    Contents of 'ENUM' are as follows:

    Name         | Data              | Type       | Size
    Implementing | 1C 00 00 00 01 .. | REG_BINARY | 28
    (default)    | (value not set)   | REG_SZ     | 0

    =========================================================

    ***

    \ShellNew\ is the second registry key folder, and I think the contents of this registry key folder are responsible for the recreation of Win32.Softomate!!!!

    ***

    =========================================================

    Location of \ShellNew\:

    HKEY_USERS\S-1-5-21-2258042937-489720601-3762058672-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew

    =========================================================

    Contents of \ShellNew\ are as follows:

    Name          | Data              | Type       | Size
    Text Document | 00 00 00 ...      | REG_BINARY | 928
    ~reserved~    | 18 00 00 ...      | REG_BINARY | 24
    Language      | 1033 (0x00000409) | REG_DWORD  | 4
    (default)     | (value not set)   | REG_SZ     | 0

    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-



    ONLY AFTER

    HKEY_USERS\S-1-5-21-2258042937-489720601-3762058672-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum

    is created... [somehow?.. .. by \ShellNew\?]

    then the trojan recreates/appears here:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}

    {00021492-0000-0000-C000-000000000046} = being the trojan

    =========================================================


    Note that the two keys come from separate directories:

    HKEY_CURRENT_USER\Software\...\{00021492-0000-0000-C000-000000000046}

    and

    HKEY_USERS\S-1-5-21-2258042937-489720601-3762058672-1006\Software\...\{00021492-0000-0000-C000-000000000046}

    In summary, when the key HKEY_USERS\S-1-5-21-2258042937-489720601-3762058672-1006\Software\...\{00021492-0000-0000-C000-000000000046} is created [...somehow.. by the contents of \ShellNew\?] the key HKEY_CURRENT_USER\Software\...\{00021492-0000-0000-C000-000000000046} is created, which ZoneAlarm picks up as the trojan.

    \ShellNew\ =
    Name          | Data              | Type       | Size
    Text Document | 00 00 00 ...      | REG_BINARY | 928
    ~reserved~    | 18 00 00 ...      | REG_BINARY | 24
    Language      | 1033 (0x00000409) | REG_DWORD  | 4
    (default)     | (value not set)   | REG_SZ     | 0



    rob
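An added example for the question in the post above (keys that keep reappearing after manual deletion); it is not part of the thread and not code from ZoneAlarm or any other tool mentioned here. It rests on two facts: the GUID {00021492-0000-0000-C000-000000000046} in the flagged path is CATID_DeskBand, the COM component category that Explorer and Internet Explorer toolbars (desk bands) register under, and HKEY_CURRENT_USER is the logged-on user's view of HKEY_USERS\<SID>, so the two paths in the post name one and the same key when the SID is the current user's. The Discardable\...\Component Categories key is Explorer's cache of that category enumeration, so deleting the cache alone unregisters nothing. The script (Windows PowerShell 5.1 or later, run in the affected user's session, read-only) checks the key through both views, lists every CLSID registered as a desk band with its server DLL and Authenticode status, and lists the IE toolbar and Browser Helper Object registrations. Function and variable names are the example's own.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 or later on
# Windows, run in the affected user's session. Read-only: it deletes nothing.

# CATID_DeskBand: the component category GUID in the flagged Explorer cache path.
$CatidDeskBand = '{00021492-0000-0000-C000-000000000046}'
$CacheTail = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\' + $CatidDeskBand
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Test-CacheKeyBothViews {
    # HKEY_CURRENT_USER is the logged-on user's view of HKEY_USERS\<SID>, so both
    # paths from the post resolve to one key when the SID is the current user's.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    [pscustomobject]@{
        CurrentUserSid = $sid
        PresentViaHKCU = Test-Path -LiteralPath "HKCU:\$CacheTail"
        PresentViaHKU  = Test-Path -LiteralPath "HKU:\$sid\$CacheTail"
    }
}

function Get-DeskBandImplementers {
    # Every CLSID (per-machine and per-user class registrations) that declares
    # CATID_DeskBand under Implemented Categories, with its in-process server DLL.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $catKey = "$($clsidKey.PSPath)\Implemented Categories\$CatidDeskBand"
            if (-not (Test-Path -LiteralPath $catKey)) { continue }

            $name   = (Get-ItemProperty -LiteralPath $clsidKey.PSPath -ErrorAction SilentlyContinue).'(default)'
            $inproc = Get-ItemProperty -LiteralPath "$($clsidKey.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            $dll    = $null
            if ($inproc) {
                $dll = [Environment]::ExpandEnvironmentVariables(([string]$inproc.'(default)').Trim('"'))
            }

            # A desk band whose DLL is unsigned or missing, or that is registered only
            # under HKCU (no admin rights needed), is the first thing to look at.
            $sigStatus = 'no InprocServer32'; $signer = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig       = Get-AuthenticodeSignature -FilePath $dll
                $sigStatus = $sig.Status
                $signer    = $sig.SignerCertificate.Subject
            } elseif ($dll) {
                $sigStatus = 'FILE MISSING'
            }

            [pscustomobject]@{
                Hive      = $root.Split(':')[0]
                Clsid     = $clsidKey.PSChildName
                Name      = $name
                Dll       = $dll
                Signature = $sigStatus
                Signer    = $signer
            }
        }
    }
}

function Get-ToolbarAndBhoRegistrations {
    # The registrations Explorer / Internet Explorer actually load toolbars and
    # Browser Helper Objects from. Toolbar CLSIDs are value names; BHO CLSIDs are subkeys.
    $locations = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc)) { continue }
        $clsids = @()
        $values = Get-ItemProperty -LiteralPath $loc -ErrorAction SilentlyContinue
        if ($values) { $clsids += $values.PSObject.Properties.Name | Where-Object { $_ -match $GuidPattern } }
        $clsids += Get-ChildItem -LiteralPath $loc -ErrorAction SilentlyContinue |
                   ForEach-Object PSChildName | Where-Object { $_ -match $GuidPattern }
        foreach ($c in $clsids) { [pscustomobject]@{ Location = $loc; Clsid = $c } }
    }
}

Test-CacheKeyBothViews | Format-List
Get-DeskBandImplementers | Sort-Object Hive, Name | Format-Table -AutoSize
Get-ToolbarAndBhoRegistrations | Format-Table -AutoSize
```

Run it in the affected user's session and compare the output before and after the flagged key reappears. An entry under HKCU\SOFTWARE\Classes, an unsigned or missing DLL, or a Toolbar/Browser Helper Objects CLSID with no matching class is what to remove (the CLSID key, its Toolbar or BHO entry, and the DLL); only after that is the Discardable cache worth deleting, and it should then stay gone. The Implementing binary value under Enum is deliberately left unparsed: its layout is not documented on the page, and it is not needed once the registrations themselves are listed.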

  7. #17
    oxford Guest

    Re: Win32.Softomate recreates itself in the registry after deletion

    PestPatrol did not pick up Win32.Softomate.

    It is at the moment still recreating itself EVERY FREAKING TIME I DELETE IT FROM THE REGISTRY.

    I've tried Panda, Ewido, Trojan Hunter, Spy Sweeper, Spybot, Ad-Aware, SpywareBlaster updates, AVG, F-Secure, Kaspersky, and PestPatrol.

    Zone Alarm Spyware Ed. is the ONLY scanner that picks this up.

    The issue that I'm facing now is that whenever the trojan has come back, it slows my DSL connection to a crawl; when I delete it, it's back to normal; then the trojan comes back, only to return my DSL to erratic ping spikes and then to a slow crawl.


    Someone suggested it could be a false positive. :C


    regards,
    rob

    Message Edited by oxford on 09-04-2006 10:56 PM

  8. #18
    oldsod

    Re: Win32.Softomate recreates itself in the registry after deletion

    Hi

    It may very well be a false positive. And hopefully a user has reported it to Zone Labs.

    To be on the safe side, consider the possibility of a rootkit. To check it further, perhaps use RootkitRevealer from sysinternals.com and BlackLight from F-Secure. Both are freeware and are strictly scanners with no removal, and very easy to use. Removal is the manual process, but they will say exactly what and where it is. Please do the browser and disk cleaning first before the scans, and also a file cleaner if you use one.


    Oldsod
    Best regards.
    oldsod

  9. #19
    nickpail Guest

    Re: Win32.Softomate recreates itself in the registry after deletion

    Greetings. I am afraid I have to report exactly the same problem of Win32.Softomate being detected by the latest version of ZA Security Suite, deleting it, only for the same registry entry to crop up 24 hours or approx. 2 reboots later. Clearly cleaning out the registry key is not removing the programme; is it being re-activated via an incoming message string not stopped by the ZA firewall, perhaps? Plus it is very interesting that no other programme (and I have run THE LOT!) can find it! On the other hand, the contributor who suggested a false positive also said his broadband connection slowed dramatically when this trojan was present, a contradiction I think! I know where it came from: a Fire Emblem screensaver downloaded from http://feonline.simgames.net/ to please a youngster. I would not normally risk such a site, but McAfee SiteAdvisor gave it a green. And trying to contact McAfee about such matters is a waste-of-time labyrinth. I no longer trust their reports. Any help gratefully accepted. And any reason Zone Alarm/Check Point have not got to grips with this problem?
    Nick H (NickPail)
