sbornstein2
asked on
Virus Registry Folder is causing a freeze to Spyware and Regedit
Hello all. I have a registry folder that I finally figured out is freezing my spyware when deep-scanning the registry. Also, if I go to regedit and then drill down to that folder, it totally freezes up and my hourglass stays up. The folder is in Software\Microsoft\Windows\Installer\Folder. The name of the folder is folder. Thanks all for any help; I can't even delete it.
ASKER
It won't let me in safe mode either; it freezes regedit there as well.
Is it under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE?
And are you logging in with the Administrator account in safe mode, or with your normal user account?
ASKER
Administrator, yes, and it's under HKEY_LOCAL_MACHINE. It is still freezing in safe mode when I touch the folder.
ASKER
I can't even run Registry Mechanic on it, even in safe mode; it gets to the one folder, stops the program and hangs. Every program is hanging on that one registry folder.
Did you install or uninstall any program after which this problem started?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders contains the information for the folders where the programs are installed.
ASKER
No, it's a virus, I know it is. I had to track down another exe that was messing up all my Google links: if I hit a Google link it was taking me to another spyware page and then Lycos etc. It was completely messed up. I found the exe, which I could not even see, in the System32 directory. I had to go to Safe Mode with Command Prompt and then delete the file from there. Now I am stuck with this last thing; the registry folder must have something holding it. I don't see anything in my HijackThis log holding this.
ASKER CERTIFIED SOLUTION
ASKER
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.ex
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\System32\CTsvcCDA
C:\PROGRA~1\SYMANT~1\SYMAN
C:\WINNT\System32\svchost.
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL
C:\PROGRA~1\SYMANT~1\SYMAN
C:\WINNT\System32\nvsvc32.
C:\WINNT\system32\regsvc.e
C:\WINNT\system32\MSTask.e
C:\PROGRA~1\MICROS~4\MSSQL
C:\WINNT\system32\stisvc.e
C:\WINNT\System32\WBEM\Win
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv
C:\WINNT\system32\svchost.
C:\WINNT\System32\inetsrv\
C:\WINNT\System32\svchost.
C:\WINNT\system32\devldr32
C:\PROGRA~1\Adaptec\Direct
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\SYMANT~1\SYMAN
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Intuit\QuickBooks\Co
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\mrtMngr.
C:\WINNT\system32\wuauclt.
C:\WINNT\system32\taskmgr.
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Des
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\Direct
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMAN
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Co
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMAN
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMAN
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.
ASKER
Everything here looks fine to me. The VPN access is fine as well.
ASKER
I just killed more processes; same issue with the folder freezing. Here is my latest log. Process Explorer is fine; that is what I was running to kill processes:
Logfile of HijackThis v1.99.1
Scan saved at 7:14:11 AM, on 4/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\mrtMngr.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ProcessExplorer9\procexp.exe
C:\WINNT\system32\regsvc.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
ASKER
I ran the Fixwareout and rebooted and everything. Then it said please post the report with your HijackThis log, but nothing came up for a report?
ASKER
Wow, you're awesome, that did the trick actually. I can now access that folder and my spyware is running now :). Thanks a million, that was a killer. I usually can beat the viruses but that one was throwing me for a loop. Thanks a lot.
What processes were they?
Nothing showing in the log, which also looks strange, because only 2 lines in HijackThis are present.
Maybe some lines did not show up for some reason.
Can you please run Fixwareout.exe to see if wareout is in there but not showing?
ASKER
You mean run it again?
I should have refreshed before posting!
I thought it probably was wareout, but I've never seen wareout hide from the HJT log; this is the first time ever!!
See how I can learn everyday! lol
ASKER
It worked, whatever it was; that took care of it, and now my spyware is running and I can access that registry folder without it freezing. That must have been a good virus there.
ASKER
Yeah, that was a good one. Even more interesting was another exe that was in my System32 that was not showing at all, even with showing all hidden files etc. I had to delete that exe as well. Thanks for your help. HijackThis was not a help in this one.
It was wareout!!
Fixwareout.exe only fixes the wareout infection.
That's why I wanted to see the log, because the wareout infection always shows up in the log, but not in your case, which amazes me!
Malware writers always have new tricks! You mentioned one of wareout's symptoms; that's why I thought maybe it was wareout. If you hadn't mentioned the symptom then I wouldn't have known it was wareout.
Can you please tell me what the .exe was called? It will help me learn more.
A few malware don't show up in the HijackThis log anymore; malware code writers are getting really clever at hiding their nasties from the log.
Thanks for the points with an "A" grade! :)
ASKER
I am not sure what it was. It said to use the report with your HijackThis log, but I don't see a report. Where would it have generated it?
You can find the report here --> C:\fixwareout\report.txt
The log will have all wareout-related registry entries.
ASKER
Yeah, I don't think I have it, but there was a file under the FindT directory. It says 4/26 though. I ran it directly from the link here but then went back and right-clicked Save As to my desktop to have it. But this is probably it:
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
»»»»» Search by size and names...
* csr.exe C:\WINNT\System32\CSAXG.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSAXG.EXE 51,216 2006-04-29
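The Fixwareout report above applies a naming heuristic ("Search five digit cs, dm and jb files") to catch droppers like CSAXG.EXE, and its deleted Urls keys have leaf names that read as reversed words (llun is "null" backwards, 23plhps is "sphlp32"). The following is an added example for this thread, not code from HijackThis, Fixwareout or any poster: a small Python triage script that parses HijackThis O4/O23 lines, pulls out the executable path, applies that cs/dm/jb five-character check, and reverses the leaf of each deleted Urls key for readability. The log lines and the key list are constructed to mirror the posts above; the only real artefact reused is the CSAXG.EXE path the report flagged, and the `[csr]` Run entry is an assumed placeholder.

```python
"""Triage helpers for HijackThis O4/O23 lines and Fixwareout-style report entries.

Added example for this thread; not part of HijackThis or Fixwareout.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input in HijackThis log format (the [csr] Run line is assumed).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Run: [csr] C:\WINNT\System32\CSAXG.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# Constructed subset of the "Reg Entries that were deleted" block from the report.
SAMPLE_DELETED_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps",
]

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# First token ending in .exe, optionally quoted; trailing arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)
# The heuristic described in the Fixwareout report: five-character names
# beginning with cs, dm or jb (CSAXG.EXE matches, nvsvc32.exe does not).
WAREOUT_NAME_RE = re.compile(r"^(cs|dm|jb)[a-z0-9]{3}\.exe$", re.IGNORECASE)


def extract_exe(command: str) -> Optional[str]:
    """Return the executable path from a Run/Service command string, or None."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else None


def basename(path: str) -> str:
    """Last component of a file path or registry key (backslash separated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Parse O4 (autostart) and O23 (service) lines into dicts with an 'exe' field."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            # Global Startup lines read "Name.lnk = target"; keep only the target.
            cmd = m.group("cmd").split(" = ", 1)[-1]
            entries.append({"kind": "O4", "name": m.group("name") or "",
                            "where": m.group("where"), "exe": extract_exe(cmd) or ""})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "name": m.group("name"),
                            "where": m.group("vendor"), "exe": extract_exe(m.group("path")) or ""})
    return entries


def flag_wareout_names(entries: List[Dict[str, str]]) -> List[str]:
    """Executable paths whose file name matches the cs/dm/jb five-character pattern."""
    return [e["exe"] for e in entries if WAREOUT_NAME_RE.match(basename(e["exe"]))]


def reverse_leaf(key: str) -> str:
    """Reverse the last component of a registry key. The deleted Urls leaf names
    in this thread read as reversed words (an observation from the report, not a
    documented wareout trait), so this makes them readable for an analyst."""
    return basename(key)[::-1]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for hit in flag_wareout_names(parsed):
        print("suspicious autostart/service binary:", hit)
    for key in SAMPLE_DELETED_KEYS:
        print(basename(key), "->", reverse_leaf(key))
```

Running the script on the constructed log flags only CSAXG.EXE; the Adaptec, MSN Messenger, WinZip and NVIDIA entries pass the name check, which is the point the report itself makes when it warns that legitimate files will also be listed and should be submitted to VirusTotal rather than deleted on a name match alone.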
ASKER
What is pretty bad is I have the latest Symantec virus protection and it does not do crap for any of this. I can probably remember 4 occasions I have been infected and nothing was picked up. I might switch to McAfee instead. Thanks for all your help, that was a big one. Thanks again.
Yeah, those were the registry entries taken care of by Fixwareout.exe.
I used to have Norton, but even with LiveUpdate on and Auto-Protect on, we still got infected, so we switched, and it's been a year now that we're virus free.
You're welcome! And thanks for the "A" grade :) The grading also makes a lot of difference to the points :)
And I learned something new from here, which is that wareout can now also hide from the HijackThis scan; it didn't used to be able to.
And then run some good anti-malware and anti-virus software to make sure that the system is clean now.
Anti-Spyware\Adware Tools
http://www.alaynah.net/shehar/anti_spyware.htm