• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1399
  • Last Modified:

Virus Registry Folder is causing a freeze to Spyware and Regedit

Hello all.  I have a registry folder that I finally figured out is freezing my spyware when deep scanning the registry.  Also, if I go to regedit and then drill down to that folder, it totally freezes up and my hourglass stays up.  The folder is in Software\Microsoft\Windows\Installer\Folder.  The name of the folder is "folder".  Thanks all for any help; I can't even delete it.
Asked by sbornstein2
1 Solution
 
SheharyaarSaahilCommented:
Boot into Safe Mode and delete it from there,
and then run some good anti-malware and anti-virus software to make sure that the system is clean now.

Anti-Spyware\Adware Tools
http://www.alaynah.net/shehar/anti_spyware.htm
0
 
sbornstein2Author Commented:
It won't let me in safe mode either; it freezes regedit there as well.
0
 
SheharyaarSaahilCommented:
Is it under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE?
And are you logging in with the Administrator account in safe mode or with your normal user account?
0
 
sbornstein2Author Commented:
Administrator, yes, and it's under Local_Machine. It is still freezing in safe mode when I touch the folder.
0
 
sbornstein2Author Commented:
I can't even run Registry Mechanic on it; even in safe mode it gets to the one folder, stops the program and hangs.  Every program is hanging on that one registry folder.
0
 
SheharyaarSaahilCommented:
Did you install or uninstall any program after which this problem started?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders contains the information for the folders where programs are installed.
0
 
sbornstein2Author Commented:
No, it's a virus, I know it is.  I had to track down another exe that was messing up all my Google links: if I hit a Google link it was taking me to another spyware page and then Lycos etc.  It was completely messed up. I found the exe that I could not even see in the System32 directory.  I had to go to Safe Mode with Command Prompt and then delete the file from there.  Now I am stuck with this last thing; the registry folder must have something holding it.  I don't see anything in my HijackThis log holding this.
0
 
rpggamergirlCommented:
Can we please look at your HijackThis log? I know you already said everything looks fine there, but malware/virus entries in HijackThis can also look like legit entries.


Try this one too:
You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

If you have problems with your connection:
Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.
0
 
sbornstein2Author Commented:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\mrtMngr.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

0
 
sbornstein2Author Commented:
Everything here looks fine to me.  The VPN access is fine as well.
0
 
sbornstein2Author Commented:
I just killed more processes; same issue with the folder freezing.  Here is my latest log.  Process Explorer is fine; that is what I was running to kill processes:

Logfile of HijackThis v1.99.1
Scan saved at 7:14:11 AM, on 4/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\mrtMngr.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ProcessExplorer9\procexp.exe
C:\WINNT\system32\regsvc.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

0
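The two logs above differ only in their "Running processes" section, and the later reply asks exactly which processes went away. The following added example (my code, not HijackThis or anything posted in the thread) parses a HijackThis log into its process list and its typed entries (O4, O23, ...), diffs the process lists of two logs, and lists running executables that no autorun or service entry accounts for. The two embedded logs are shortened, constructed excerpts of the ones posted above; the function names are mine.

```python
"""Parse HijackThis-style logs and compare two of them.

Added example, not code from the thread or from HijackThis. The two
excerpts below are shortened copies of the logs posted above and serve as
constructed sample input; only the function names are mine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Shortened excerpt of the first log posted above (constructed sample input).
LOG_BEFORE = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\mrtMngr.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Shortened excerpt of the second log, taken after processes were killed.
LOG_AFTER = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ProcessExplorer9\procexp.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# HijackThis entry lines look like "O4 - ..." or "O23 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class HjtLog:
    processes: list[str] = field(default_factory=list)
    # entry type ("O4", "O23", ...) -> list of the text after "O4 - "
    entries: dict[str, list[str]] = field(default_factory=dict)


def parse_hjt(text: str) -> HjtLog:
    """Split a log into the 'Running processes' paths and the typed entries."""
    log, in_procs = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process section
            continue
        if line.casefold() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            log.entries.setdefault(m.group(1), []).append(m.group(2))
        elif in_procs:
            log.processes.append(line)
    return log


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def diff_processes(before: HjtLog, after: HjtLog) -> tuple[list[str], list[str]]:
    """Return (stopped, started). Windows paths are case-insensitive, so
    'iexplore.exe' and 'IEXPLORE.EXE' count as the same program."""
    b = {p.casefold(): p for p in before.processes}
    a = {p.casefold(): p for p in after.processes}
    stopped = [b[k] for k in b if k not in a]
    started = [a[k] for k in a if k not in b]
    return stopped, started


def unreferenced_processes(log: HjtLog) -> list[str]:
    """Running executables that no O4 autorun or O23 service entry mentions.
    Core OS processes (smss, csrss, ...) always land here, so the analyst
    filters those out; what remains was started some other way."""
    referenced = " ".join(sum(log.entries.values(), [])).casefold()
    seen, out = set(), []
    for path in log.processes:
        name = basename(path).casefold()
        if name in seen:
            continue
        seen.add(name)
        if name not in referenced:
            out.append(path)
    return out


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    stopped, started = diff_processes(before, after)
    print("stopped:", [basename(p) for p in stopped])
    print("started:", [basename(p) for p in started])
    print("not in any O4/O23 entry:", [basename(p) for p in unreferenced_processes(after)])
```

On the excerpts this reports spoolsv, sqlservr, MSTask and taskmgr as stopped and procexp as started, and it lists mrtMngr.EXE among the running executables that no O4 or O23 line explains, which is the kind of gap an analyst checks next rather than taking the log's silence as a clean bill of health.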
 
sbornstein2Author Commented:
I ran the Fixwareout, I rebooted and everything.  Then it said to post the report with your HijackThis log, but nothing came up for a report?
0
 
sbornstein2Author Commented:
Wow, you're awesome, that did the trick actually.  I can now access that folder and my spyware is running now :).  Thanks a million, that was a killer.  I usually can beat the viruses but that one was throwing me for a loop. Thanks a lot.
0
 
rpggamergirlCommented:
What processes were they?

Nothing showing in the log, which also looks strange because only 2 lines in HijackThis are present.

Maybe some lines did not show up for some reason.
Can you please run the Fixwareout.exe to see if wareout is in there but not showing?
0
 
sbornstein2Author Commented:
You mean run it again?
0
 
rpggamergirlCommented:
I should have refreshed before posting!

I thought it probably was wareout, but I've never seen wareout hiding from the HJT log; this is the first time ever!!

See how I can learn everyday! lol
0
 
sbornstein2Author Commented:
It worked; whatever it was, that took care of it, and now my spyware is running and I can access that registry folder without it freezing.  That must have been a good virus there.
0
 
sbornstein2Author Commented:
Ya, that was a good one.  Even more interesting was another exe that was in my system32 that was not showing at all, even with showing all hidden files etc.  I had to delete that exe as well.  Thanks for your help.  HijackThis was not a help in this one.
0
 
rpggamergirlCommented:
It was wareout!!
Fixwareout.exe only fixes wareout infection.
That's why I wanted to see the log, because wareout infection always shows up in the log, but not in your case, which amazes me!

Malware writers are always having new tricks! You mentioned one of wareout's symptoms, that's why I thought maybe it was wareout. If you hadn't mentioned the symptom then I wouldn't have known it was wareout.

Can you please tell me what the .exe was called? It will help me learn more.
A few malware don't show up in the HijackThis log anymore; malware code writers are getting really clever in hiding their nasties from the log.

Thanks for the points with an "A" grade! :)
0
 
sbornstein2Author Commented:
I am not sure what it was.  It said to use the report with your HijackThis log but I don't see a report.  Where would it have generated it?
0
 
rpggamergirlCommented:
You can find the report here --> C:\fixwareout\report.txt

The log will have all wareout-related registry entries.
0
 
sbornstein2Author Commented:
Ya, I don't think I have it, but there was a file under the FindT directory.  It says 4/26 though.  I ran it directly from the link here but then went back and right clicked Save As to my desktop to have it.  But this is probably it:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
 
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
 
»»»»» Search by size and names...
* csr.exe  C:\WINNT\System32\CSAXG.EXE
 
»»»»» Misc files
 
»»»»» Checking for older varients covered by the Rem3 tool
 
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSAXG.EXE       51,216 2006-04-29
0
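Two things in the report above are worth being able to reproduce: the list of registry keys it deleted (whose leaf names, such as llun and gib_ogol, read as reversed words) and the "Search five digit cs, dm and jb files" check that surfaced CSAXG.EXE. The following added example (my code, not Fixwareout's) parses a shortened copy of the report, reverses the leaf names for easier triage, and applies the five-character file-name heuristic to a constructed directory listing, recording for each hit whether it is on an allowlist and whether it was modified shortly before the scan. The KNOWN_LEGIT allowlist, the seven-day window and the file sizes other than CSAXG's are my assumptions.

```python
"""Helpers for reading a Fixwareout-style report and for the five-character
file-name check it performs.

Added example, not Fixwareout's own code. The report excerpt and the
directory listing are constructed sample input adapted from the thread;
KNOWN_LEGIT and the seven-day "recent" window are assumptions.
"""
from __future__ import annotations

import os
import re
from datetime import date

# Shortened copy of the report posted above (constructed sample input).
REPORT = r"""Fixwareout ver 1.003
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
"""


def deleted_reg_entries(report: str) -> list[str]:
    """Collect the HKEY_... lines listed under 'Reg Entries that were deleted'."""
    keys, active = [], False
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Reg Entries that were deleted"):
            active = True
        elif active and line.startswith("HKEY_"):
            keys.append(line)
        elif active:
            active = False            # '...' or a blank line ends the section
    return keys


def decode_leaf_names(keys: list[str]) -> dict[str, str]:
    """The leaf names in that section read as reversed words (llun -> null,
    gib_ogol -> logo_big); reversing them makes the list easier to triage."""
    return {k.rsplit("\\", 1)[-1]: k.rsplit("\\", 1)[-1][::-1] for k in keys}


# "Search five digit cs, dm and jb files": a five-character .exe whose name
# starts with cs, dm or jb, e.g. CSAXG.EXE from the report above.
FIVE_CHAR_RE = re.compile(r"^(cs|dm|jb)[a-z0-9]{3}\.exe$", re.IGNORECASE)
# Assumption: a minimal allowlist. csrss.exe is a core Windows process whose
# name happens to fit the pattern, which is why the report warns that
# legitimate files will be listed.
KNOWN_LEGIT = {"csrss.exe"}

# Constructed listing: (file name, size in bytes, last-modified date).
# Only CSAXG.EXE's size and date come from the report; the rest are made up.
SAMPLE_LISTING = [
    ("CSAXG.EXE", 51216, date(2006, 4, 29)),
    ("csrss.exe", 4608, date(2003, 6, 19)),
    ("dmadmin.exe", 222480, date(2003, 6, 19)),
    ("ipsec6.exe", 37136, date(2003, 6, 19)),
    ("kernel32.dll", 731920, date(2003, 6, 19)),
]
SCAN_DATE = date(2006, 4, 30)   # the date of the HijackThis scan above


def five_char_candidates(listing, scan_date: date, recent_days: int = 7) -> list[dict]:
    """Return the pattern hits with the two facts an analyst checks first:
    is the name on the allowlist, and was the file modified recently."""
    hits = []
    for name, size, modified in listing:
        if not FIVE_CHAR_RE.match(name):
            continue
        hits.append({
            "name": name,
            "size": size,
            "modified": modified.isoformat(),
            "known_legit": name.casefold() in KNOWN_LEGIT,
            "recent": (scan_date - modified).days <= recent_days,
        })
    return hits


def scan_directory(path: str, scan_date: date | None = None) -> list[dict]:
    """Run the same check over a real directory with os.scandir."""
    listing = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file():
                st = entry.stat()
                listing.append((entry.name, st.st_size, date.fromtimestamp(st.st_mtime)))
    return five_char_candidates(listing, scan_date or date.today())


if __name__ == "__main__":
    print(decode_leaf_names(deleted_reg_entries(REPORT)))
    for hit in five_char_candidates(SAMPLE_LISTING, SCAN_DATE):
        print(hit)
```

On the sample listing both CSAXG.EXE and csrss.exe match the name pattern, which is exactly the false-positive the report's "There WILL be LEGIT FILES LISTED" note is about; what separates them is the allowlist flag and the modification date one day before the scan. A name-pattern hit on its own is a lead to submit for scanning, not a verdict.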
 
sbornstein2Author Commented:
What is pretty bad is I have the latest Symantec virus protection and it does not do crap for any of this.  I can probably remember 4 occasions I have been infected and nothing was picked up.  I might switch to McAfee instead.  Thanks for all your help, that was a big one.  Thanks again.
0
 
rpggamergirlCommented:
Yeah those were the registry entries taken care of by Fixwareout.exe.

Used to have Norton, but even with LiveUpdate on and Auto-Protect on, we still got infected, so we switched, and it's been a year now that we're virus free.

You're welcome! and thanks for the "A" grade, :) the grading also makes a lot of difference to the points, :)

And I learn something new from here, which is wareout can now also hide from hijackthis scan, it didn't used to be able to.

0
