Solved.
拍手0

There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-07 | 09:02 · 返信 7 · · 翻訳:

Hello. Sorry for the weird question.

In my computer, There are suspicious CLSID registry as below.

%SystemRoot%\system32\[random length and letters].dll
Location: HKCR\CLSID\{4A805FB7-07D5-9F24-EC3C-3932E5493B9F} (fixed location)

In system32 dir, there are no such dll file as said in registry above.
And this value is created again with new [random_name].dll if that registry value be removed.

Also it seems like there are no issue on my computer for year.

At one time, I tried to catch that file using powershell's file create event detect, but failed.
I also tried NPE, but nothing there.

Anyone who know about this registry value?

ファイルの添付: 
Plain text icon registry.txt
解決承認済み
拍手0

Re: There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-10 | 04:56 · パーマリンク

I removed NIS fully as I can and reinstalled it today. And still registry was there.

But, a time NIS is reinstalled, new registry entry value was there which uuid start with D.
And, after license is updated automatic, it seems NIS create another registry entry which same one before.
So, there was 2 registry with random letters. One is same as 4A805FB7-07D5-9F24-EC3C-3932E5493B9F.

It might be changed by user account or license user have.

Actually I still worry, but I also think that would be no problem.
Thank you for reply on my post again.

View Accepted Solution in Context

返信

拍手1 統計

Re: There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-08 | 12:32 · パーマリンク

Hello SaeGon. That registry entry is not present on any of my Windows 10 Pro installs. My recommendation is to download and run a full scan with Malwarebytes. MBAM concentrates on things Norton doesn't always detect. Make sure you thoroughly screen the list of what it finds, if anything, before having it removed. We are here to assist if needed.

Cheers

MS Certified Professional Windows 11 Home 22H2 x 64 build 22621.1702 - Windows 10 Pro x 64 version 22H2 / build 19045.3031 / Norton Security Ultra - Norton 360 Deluxe ver. 22.23.4.6 / Opera GX LVL4 (core: 98.0.4759.74) 64 bit-Early Access w/Norton Chrome Extensions
拍手0

Re: There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-09 | 03:18 · 編集日: 2020-12-09 | 03:33 · パーマリンク

(screenshot is stored in attachment as main2.PNG)

Thank you for reply.
First, I tried Malwarebytes. But nothing there, too.​​​

So, I tried another way to catch up registry edit event using ProcMon v3.60.
As a result, Norton Internet Security was the one that making a registry entry as you can see above screenshot.
Also a registry location was wrong which output from CCleaner's Registry Cleaner.
The currect location is HKCR\WOW6432Node\CLSID\{4A805FB7-07D5-9F24-EC3C-3932E5493B9F}\InprocServer32.

For make random string, process access to Microsoft Base Cryptographic Provider v1.0.
After then, try to open HKCR\WOW6432Node\CLSID\{4A805FB7-07D5-9F24-EC3C-3932E5493B9F}\InprocServer32 key.
If not there create new key using crypto provider.

Before that happen, there are smilar one but just check key existence.
Location: HKCU\Software\Classes\CLSID\{3237555C-C043-4836-AFDE-570D63E9EDAB}\InprocHandler

May I ask is this intended behavior of NIS which is not done by virus or something?
I hope this is the one of protection like kill switch of ransomware.

Windows 10 Pro x64 2004 build 19041.630
NIS 22.20.5.39

ファイルの添付: 
Package icon created registry entry which has random name by NIS
拍手1 統計

Re: There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-09 | 08:08 · パーマリンク

If Norton is creating the key, it would not be a virus. The Norton Product Tamper  feature stops any non Norton process from accessing anything Norton. Whether it is a file, a process, or registry entry.

拍手0

Re: There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-09 | 23:01 · 編集日: 2020-12-09 | 23:03 · パーマリンク

Glad to see another one's reply.

Okay...
There are still registry creation unless I turned off Tamper feature.

I agree Norton's key creation is safe, too, in general.
But I just nervous that AV could connect dll file named with random letters which not exist.

If I see anyone have registry key like me using CCleaner's Registry Cleaner, I would be comfortable.
It might be not exist on same location (4A805FB7-07D5-9F24-EC3C-3932E5493B9F).

Sorry for annoying ones thread.

解決承認済み
拍手0

Re: There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-10 | 04:56 · パーマリンク

I removed NIS fully as I can and reinstalled it today. And still registry was there.

But, a time NIS is reinstalled, new registry entry value was there which uuid start with D.
And, after license is updated automatic, it seems NIS create another registry entry which same one before.
So, there was 2 registry with random letters. One is same as 4A805FB7-07D5-9F24-EC3C-3932E5493B9F.

It might be changed by user account or license user have.

Actually I still worry, but I also think that would be no problem.
Thank you for reply on my post again.

拍手2 統計

Re: There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-12 | 10:48 · パーマリンク

If there are any malicious registry entries on your PC, Norton or Malwarebytes will certainly detect them.  Really no need for you to spend time playing whack-a-mole with the registry.  If you have had previous malware infections that have been remediated there may still be some registry entries associated with the malware present.  This is normal and expected.  Some AV products will leave these harmless remnants for technical reasons.  Nothing to worry about.

拍手0

Re: There are suspicious CLSID reg. Is this virus or something?

投稿日: 2020-12-12 | 12:34 · パーマリンク

Hello, SendOfJive.

As I know, no infection is occurred on my pc cause NIS works correctly.

Honestly, I'm OCD on my computer, so I wished why this registry exist clearly.
But, with reply here, I don't worry about it now.

Thanks for comment for me.

This thread is closed from further comment. Please visit the forum to start a new thread.