Weird Malware Like Behaviour

<u9qsvi$1fhhm$1@dont-email.me>

Newsgroups: alt.windows7.general
 by: Java Jive - Wed, 26 Jul 2023 10:36 UTC

This is the run key from the registry of one of my W7 PCs ...

www.macfh.co.uk/Temp/RunKey.jpg

... and by way of confirmation here's an export of it ...

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="\"C:\\Program Files (x86)\\Epson Software\\Event Manager\\EEventManager.exe\""

... however ...

9:50:31 D:\Temp>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ETDCtrl                 REG_EXPAND_SZ    C:\Program Files\Elantech\ETDCtrl.exe
    IgfxTray                REG_SZ           C:\Windows\system32\igfxtray.exe
    HotKeysCmds             REG_SZ           C:\Windows\system32\hkcmd.exe
    Persistence             REG_SZ           C:\Windows\system32\igfxpers.exe
    Malwarebytes TrayApp    REG_SZ           C:\PROGRAMS\MALWAREBYTES ANTIMALWARE\mbamtray.exe
    SynTPEnh                REG_SZ           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    nwiz                    REG_SZ           C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet

... so WTF is going on? A rootkit? But a scan by MalwareBytes finds
only a false positive uninstaller file (so a file only loaded into
memory and run when uninstalling the relevant program, which would
delete itself anyway) ...

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/26/23
Scan Time: 10:32 AM
Log File: 6642e258-2b97-11ee-8208-001c2346ddc2.json

-Software Information-
Version: 4.5.32.271
Components Version: 1.0.2051
Update Package Version: 1.0.72995
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Charles-P1\Cruachan

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 248688
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 4 min, 9 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled <-- Note this!
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Adware.DotDo,
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC,
No Action By User, 5824, 924227, , , , , ,

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Adware.DotDo, C:\PROGRAM FILES (X86)\FLAC\UNINSTALL.EXE, No Action
By User, 5824, 924227, 1.0.72995, , ame, ,
B7E822162FE81D4A8F2025B9329D425C,
F3DA78D3670C50DE2D71C32FAD129484F8672FFE11ADAB980757E72B3E3497CD

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

... however that file is genuine, it's the uninstall program for a FLAC
encoder/decoder which allows Windows Media Player to play FLAC files,
has been on my builds since 2k/XP days, more than a decade, and is a
false positive ...


https://www.virustotal.com/gui/file/f3da78d3670c50de2d71c32fad129484f8672ffe11adab980757e72b3e3497cd

Any suggestions as to why the REG command line program finds a different
set of run keys from those actually listed in the registry? I do
recognise most or all of the 'spurious' keys found, nearly all of them
relate to hardware in some way, and may have existed at some time, but
long since were deleted:

ETDCtrl          Touchpad driver listed in TaskMgr as running
IgfxTray         Graphics driver and ...
HotKeysCmds      ... Hotkey switcher and ...
Persistence      ... graphics driver for a *different* PC
                 (I think all three previously deleted)
Malwarebytes     No explanation needed
                 (also I think previously deleted, because I have
                 other runtime protection and tend to use MB only as
                 a back up scanner when there is a specific problem,
                 as now.)
SynTPEnh         Touchpad driver and ...
nwiz             ... graphics driver for a third PC
                 (again I think both previously deleted)

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

Re: Weird Malware Like Behaviour

<u9qt7u$1fhhm$2@dont-email.me>

 by: Java Jive - Wed, 26 Jul 2023 10:40 UTC

Oh, and I meant to mention also ...

On 26/07/2023 11:36, Java Jive wrote:
>
>     Registry Key: 1
>     Adware.DotDo,
> HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC,
> No Action By User, 5824, 924227, , , , , ,

... that this key also is not visible in Regedit!

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

Re: Weird Malware Like Behaviour

<kiddb2F3mq5U1@mid.individual.net>

 by: Brian Gregory - Wed, 26 Jul 2023 20:17 UTC

On 26/07/2023 11:40, Java Jive wrote:
> Oh, and I meant to mention also ...
>
> On 26/07/2023 11:36, Java Jive wrote:
>>
>>      Registry Key: 1
>>      Adware.DotDo,
>> HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC, No Action By User, 5824, 924227, , , , , ,
>
> ... that this key also is not visible in Regedit!
>
>

Maybe try with MalwareBytes uninstalled or disabled. Disconnect from the
net first if it makes you feel safer.

I gave up on MalwareBytes some time ago because it made too many bizarre
things happen each time they updated it.

--
Brian Gregory (in England).

Re: Weird Malware Like Behaviour

<n314cipandk7hnegfe96jh01s47dpgokdn@4ax.com>

 by: Ralph Fox - Thu, 27 Jul 2023 06:13 UTC

On Wed, 26 Jul 2023 11:36:29 +0100, Java Jive wrote:

> This is the run key from the registry of one of my W7 PCs ...
>
>
> www.macfh.co.uk/Temp/RunKey.jpg
>
>
> ... and by way of confirmation here's an export of it ...
>
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
> "EEventManager"="\"C:\\Program Files (x86)\\Epson Software\\Event
> Manager\\EEventManager.exe\""
>
>
> ... however ...
>
>
> 9:50:31 D:\Temp>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>     ETDCtrl                 REG_EXPAND_SZ    C:\Program Files\Elantech\ETDCtrl.exe
>     IgfxTray                REG_SZ           C:\Windows\system32\igfxtray.exe
>     HotKeysCmds             REG_SZ           C:\Windows\system32\hkcmd.exe
>     Persistence             REG_SZ           C:\Windows\system32\igfxpers.exe
>     Malwarebytes TrayApp    REG_SZ           C:\PROGRAMS\MALWAREBYTES ANTIMALWARE\mbamtray.exe
>     SynTPEnh                REG_SZ           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
>     nwiz                    REG_SZ           C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
>
>
> ... so WTF is going on?

On 64-bit Windows, 32-bit applications get different parts of the
registry to 64-bit applications.

The above sounds like it may be a 64-bit application vs. 32-bit
application thing.

Try these tests:

1. Using the 64-bit version of the registry editor (regedit.exe),
check both of these registry keys:

1a) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

1b) [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]

Registry key 1a is the one where 64-bit applications go.

Registry key 1b is the one where 32-bit applications actually go
when they ask the registry for 1a.

2. From a 64-bit command prompt window, run these two commands:

2a) C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

2b) C:\Windows\SysWOW64\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Command 2a is the 64-bit version of reg.exe.

Command 2b is the 32-bit version of reg.exe. Even though the path
has '64' in it, 'WOW64' means Windows-32 On a Windows-64 system.
The 32-bit version will actually get the registry settings from
key 1b above.

REFERENCES

<https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/view-system-registry-with-64-bit-windows>
<https://learn.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry>

> A rootkit? But a scan by MalwareBytes finds
> only a false positive uninstaller file (so a file only loaded into
> memory and run when uninstalling the relevant program, which would
> delete itself anyway) ...
>
>
> Malwarebytes
> www.malwarebytes.com
>
> -Log Details-
> Scan Date: 7/26/23
> Scan Time: 10:32 AM
> Log File: 6642e258-2b97-11ee-8208-001c2346ddc2.json
>
> -Software Information-
> Version: 4.5.32.271
> Components Version: 1.0.2051
> Update Package Version: 1.0.72995
> License: Free
>
> -System Information-
> OS: Windows 7 Service Pack 1
> CPU: x64
> File System: NTFS
> User: Charles-P1\Cruachan
>
> -Scan Summary-
> Scan Type: Threat Scan
> Scan Initiated By: Manual
> Result: Completed
> Objects Scanned: 248688
> Threats Detected: 2
> Threats Quarantined: 0
> Time Elapsed: 4 min, 9 sec
>
> -Scan Options-
> Memory: Enabled
> Startup: Enabled
> Filesystem: Enabled
> Archives: Enabled
> Rootkits: Enabled <-- Note this!
> Heuristics: Enabled
> PUP: Detect
> PUM: Detect
>
> -Scan Details-
> Process: 0
> (No malicious items detected)
>
> Module: 0
> (No malicious items detected)
>
> Registry Key: 1
> Adware.DotDo,
> HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC,
> No Action By User, 5824, 924227, , , , , ,
>
> Registry Value: 0
> (No malicious items detected)
>
> Registry Data: 0
> (No malicious items detected)
>
> Data Stream: 0
> (No malicious items detected)
>
> Folder: 0
> (No malicious items detected)
>
> File: 1
> Adware.DotDo, C:\PROGRAM FILES (X86)\FLAC\UNINSTALL.EXE, No Action
> By User, 5824, 924227, 1.0.72995, , ame, ,
> B7E822162FE81D4A8F2025B9329D425C,
> F3DA78D3670C50DE2D71C32FAD129484F8672FFE11ADAB980757E72B3E3497CD
>
> Physical Sector: 0
> (No malicious items detected)
>
> WMI: 0
> (No malicious items detected)
>
>
> (end)
>
>
> ... however that file is genuine, it's the uninstall program for a FLAC
> encoder/decoder which allows Windows Media Player to play FLAC files,
> has been on my builds since 2k/XP days, more than a decade, and is a
> false positive ...
>
>
>
> https://www.virustotal.com/gui/file/f3da78d3670c50de2d71c32fad129484f8672ffe11adab980757e72b3e3497cd
>
>
> Any suggestions as to why the REG command line program finds a different
> set of run keys from those actually listed in the registry? I do
> recognise most or all of the 'spurious' keys found, nearly all of them
> relate to hardware in some way, and may have existed at some time, but
> long since were deleted:
>
>
> ETDCtrl Touchpad driver listed in TaskMgr as running
> IgfxTray Graphics driver and ...
> HotKeysCmds ... Hotkey switcher and ...
> Persistence ... graphics driver for a *different* PC
> (I think all three previously deleted)
> Malwarebytes No explanation needed
> (also I think previously deleted, because I have
> other runtime protection and tend to use MB only as
> a back up scanner when there is a specific problem,
> as now.)
> SynTPEnh Touchpad driver and ...
> nwiz ... graphics driver for a third PC
> (again I think both previously deleted)

--
Kind regards
Ralph

ζητεῖτε καὶ εὑρήσετε

Re: Weird Malware Like Behaviour

<u9u66d$1tu3r$1@dont-email.me>

 by: Java Jive - Thu, 27 Jul 2023 16:32 UTC

On 27/07/2023 07:13, Ralph Fox wrote:
> On Wed, 26 Jul 2023 11:36:29 +0100, Java Jive wrote:
>
>> This is the run key from the registry of one of my W7 PCs ...
>>
>>
>> www.macfh.co.uk/Temp/RunKey.jpg
>>
>>
>> ... and by way of confirmation here's an export of it ...
>>
>>
>> Windows Registry Editor Version 5.00
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>> "EEventManager"="\"C:\\Program Files (x86)\\Epson Software\\Event
>> Manager\\EEventManager.exe\""
>>
>>
>> ... however ...
>>
>>
>> 9:50:31 D:\Temp>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
>>
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>>     ETDCtrl                 REG_EXPAND_SZ    C:\Program Files\Elantech\ETDCtrl.exe
>>     IgfxTray                REG_SZ           C:\Windows\system32\igfxtray.exe
>>     HotKeysCmds             REG_SZ           C:\Windows\system32\hkcmd.exe
>>     Persistence             REG_SZ           C:\Windows\system32\igfxpers.exe
>>     Malwarebytes TrayApp    REG_SZ           C:\PROGRAMS\MALWAREBYTES ANTIMALWARE\mbamtray.exe
>>     SynTPEnh                REG_SZ           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
>>     nwiz                    REG_SZ           C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
>>
>>
>> ... so WTF is going on?
>
>
> On 64-bit Windows, 32-bit applications get different parts of the
> registry to 64-bit applications.
>
> The above sounds like it may be a 64-bit application vs. 32-bit
> application thing.
>
>
> Try these tests:
>
> 1. Using the 64-bit version of the registry editor (regedit.exe),
> check both of these registry keys:
>
> 1a) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
>
> 1b) [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
>
> Registry key 1a is the one where 64-bit applications go.
>
> Registry key 1b is the one where 32-bit applications actually go
> when they ask the registry for 1a.

You've hit the mark, for which many thanks. Besides all the copies in
packages in C:\Windows\winsxs, I seem to have two workable copies of
Regedit ...

1) C:\Windows\regedit.exe, 417 KB

... is the 64-bit version and seems to find the extra entries I couldn't
see before, and ...

2) C:\Windows\SysWOW64\regedit.exe, 389 KB

... was the one being launched by my shortcut, and is the 32-bit.

> 2. From a 64-bit command prompt window, run these two commands:
>
> 2a) C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
>
> 2b) C:\Windows\SysWOW64\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
>
> Command 2a is the 64-bit version of reg.exe.
>
> Command 2b is the 32-bit version of reg.exe. Even though the path
> has '64' in it, 'WOW64' means Windows-32 On a Windows-64 system.
> The 32-bit version will actually get the registry settings from
> key 1b above.

Yes, point proven and mystery explained. I've now changed the shortcut
to launch (1) and have tidied up the spurious extra entries, many thanks
for your accurate help.

> REFERENCES
>
> <https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/view-system-registry-with-64-bit-windows>
> <https://learn.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry>

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk
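The redirection Ralph describes, and the two-regedit trap Java Jive fell into, as an added PowerShell example that is not part of the thread. It opens the Run and RunOnce keys through an explicit RegistryView (Registry64 for the native key, Registry32 for what a 32-bit program such as SysWOW64\regedit.exe or SysWOW64\reg.exe sees, i.e. WOW6432Node), reports whether the shell itself is running under WOW64, and lists every autostart entry that exists in only one of the two views. It assumes 64-bit Windows with Windows PowerShell 5.1 or later; the function names and the key list are mine, the key paths are the standard ones named in the thread.

```powershell
# Added example, not code from the thread. Enumerates autostart Run keys
# through both WOW64 registry views on 64-bit Windows and flags entries
# that are visible in only one view, so a 32-bit tool's view (WOW6432Node)
# is never mistaken for the native 64-bit key, or vice versa.
Set-StrictMode -Version Latest

# Is this shell itself a 32-bit process on 64-bit Windows? That is exactly
# what happens when a shortcut launches C:\Windows\SysWOW64\regedit.exe.
function Get-ProcessBitness {
    [pscustomobject]@{
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        Is64BitProcess = [Environment]::Is64BitProcess
        RunningInWow64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
    }
}

# Read every value under $SubKey through one explicit view.
# RegistryView.Registry32 lands on SOFTWARE\WOW6432Node\...; Registry64 on
# the native key, regardless of the bitness of this process.
function Get-RunEntries {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [string]$SubKey,
        [Microsoft.Win32.RegistryView]$View
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return @() }
        try {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Hive = $Hive
                    Key  = $SubKey
                    View = $View
                    Name = $name
                    Type = $key.GetValueKind($name)
                    # Keep REG_EXPAND_SZ data unexpanded so it reads as stored.
                    Data = $key.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                }
            }
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

$subKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# HKLM\SOFTWARE is redirected for 32-bit callers; HKCU\Software\Microsoft is
# not, so the HKCU rows should appear identically in both views and act as
# a control for the comparison below.
$results = foreach ($hive in 'LocalMachine', 'CurrentUser') {
    foreach ($sub in $subKeys) {
        foreach ($view in 'Registry64', 'Registry32') {
            Get-RunEntries -Hive $hive -SubKey $sub -View $view
        }
    }
}

Get-ProcessBitness | Format-List

# A name that shows up only under Registry32 lives in WOW6432Node and is
# invisible to 64-bit regedit unless you browse there explicitly; a name
# only under Registry64 is invisible to any 32-bit tool.
foreach ($g in ($results | Group-Object Hive, Key, Name)) {
    $views = ($g.Group.View | Sort-Object -Unique) -join ','
    if ($views -notmatch ',') {
        '{0,-13} {1,-50} {2,-24} only in {3}' -f $g.Group[0].Hive, $g.Group[0].Key, $g.Group[0].Name, $views
    }
}

$results | Sort-Object Hive, Key, View, Name |
    Format-Table Hive, View, Name, Type, Data -AutoSize
```

Run it from whichever PowerShell you like: because the view is chosen explicitly via OpenBaseKey, the output is the same from a 64-bit and a 32-bit host, which is the property the reg.exe and regedit.exe pairs in the thread lack. When hunting persistence on 64-bit Windows, treat the two views as two separate autostart locations and check both.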

Re: Weird Malware Like Behaviour

<4485cid1qesfgsc6rfp38b3f6m78j3sd3l@4ax.com>

 by: Ken Blake - Thu, 27 Jul 2023 16:53 UTC

On Wed, 26 Jul 2023 21:17:38 +0100, Brian Gregory
<void-invalid-dead-dontuse@email.invalid> wrote:

>On 26/07/2023 11:40, Java Jive wrote:
>> Oh, and I meant to mention also ...
>>
>> On 26/07/2023 11:36, Java Jive wrote:
>>>
>>>      Registry Key: 1
>>>      Adware.DotDo,
>>> HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FLAC, No Action By User, 5824, 924227, , , , , ,
>>
>> ... that this key also is not visible in Regedit!
>>
>>
>
>Maybe try with MalwareBytes uninstalled or disabled. Disconnect from the
>net first if it makes you feel safer.
>
>I gave up on MalwareBytes some time ago because it made too many bizarre
>things happen each time they updated it.

I still run MalwareBytes AntiMalware. I don't remember its ever
causing a bizarre thing.

Do I need MalwareBytes AntiMalware in addition to Defender? No, I know
it's probably overkill. But as far as I'm concerned, there's no
downside to using it, so just in case...

Re: Weird Malware Like Behaviour

<ua01j5$278vr$1@dont-email.me>

 by: wasbit - Fri, 28 Jul 2023 09:25 UTC

On 27/07/2023 17:53, Ken Blake wrote:
>
> snip <
>
> I still run MalwareBytes AntiMalware. I don't remember its ever
> causing a bizarre thing.
>
> Do I need MalwareBytes AntiMalware in addition to Defender? No, I know
> it's probably overkill. But as far as I'm concerned, there's no
> downside to using it, so just in case...
>

Not enough information, Ken.
Is it the paid-for version, which takes over from Defender as the
'resident' protection?
The free version did this for 1 month then reverted to being an 'on
demand' scanner - but often failed to allow Defender to change back to
being the 'resident' protection.

--
Regards
wasbit

Re: Weird Malware Like Behaviour

<q8n7ci9tej744vbushifmcugnms56kg7tq@4ax.com>

 by: Ken Blake - Fri, 28 Jul 2023 15:22 UTC

On Fri, 28 Jul 2023 10:25:57 +0100, wasbit <wasbit@nowhere.invalid>
wrote:

>On 27/07/2023 17:53, Ken Blake wrote:
>>
>> snip <
>>
>> I still run MalwareBytes AntiMalware. I don't remember its ever
>> causing a bizarre thing.
>>
>> Do I need MalwareBytes AntiMalware in addition to Defender? No, I know
>> it's probably overkill. But as far as I'm concerned, there's no
>> downside to using it, so just in case...
>>
>
>Not enough information, Ken.
>Is it the paid-for version, which takes over from Defender as the
>'resident' protection?

Both, at different periods.

>The free version did this for 1 month then reverted to being an 'on
>demand' scanner - but often failed to allow Defender to change back to
>being the 'resident' protection.
