Posted by jasonwhat on December 15, 2005, 6:21 pm
I'll tell the whole embarrassing story in hopes someone can help, or to
help others with the same problem.
I got an attachment from a contact on Yahoo claiming to be a picture.
Of course the file was not really a jpeg, but launched some sort of
virus, baby.exe on the computer. Once I clicked it I knew what I had
done. I deleted the attachment file and performed a scan with NAV,
which turned up nothing.
A bit later I noticed I was getting an error that the administrator had
disabled task manager. Then I tried regedit and got a similar error.
Of course, it is my comp and I'm the admin. I spent a few hours
searching and tried several resources: Spybot Search & Destroy,
Ad-Aware, and a-squared. HijackThis found a registry entry that was setting
the lockout value to 1 on Task Manager, but I was unable to fix it
through HijackThis.
I ran another NAV scan and it detected a generic trojan, baby.exe which
I got rid of. However, the lockouts of taskmanager and regedit
continued. I used a-squared to view the processes running in
taskmanager and found REGSVR.EXE, which I killed. From here I ran the
UnHookExec from NAV that freed my registry (I tried it before and
nothing) and re-enabled task manager access through regedit.
Everything seemed to be running fine, except I was having
trouble getting System Restore enabled again.
I searched and found a REGSVR-009(bunch of numbers).exe file and
deleted that. However, on restart, I was locked out of task manager
again and had to repeat the same steps of using a-squared to kill
REGSVR.EXE and go through regedit to enable Task Manager.
Most Google searches identify REGSVR.EXE as part of a worm, but I was
unable to find anything using various tools and scans. I also checked
my registry for the typical systems and didn't find any. I have no
idea what is causing this to run every time I start the computer.
Any ideas how I can find what is causing REGSVR.EXE to run and lock me
out of Task Manager and regedit? Even though NAV and others say I'm
clean, something isn't right and it is probably doing more than just
locking me out of taskmanager. Is this maybe a new virus that most
anti-virus, malware, and anti-trojan programs can't find?
Any help is great, thank you.
Posted by David H. Lipman on December 15, 2005, 7:59 pm
| I'll tell the whole embarrassing story in hopes someone can help, or to
| help others with the same problem.
|
| I got an attachment from a contact on Yahoo claiming to be a picture.
| Of course the file was not really a jpeg, but launched some sort of
| virus, baby.exe on the computer. Once I clicked it I knew what I had
| done. I deleted the attachment file and performed a scan with NAV,
| which turned up nothing.
|
| A bit later I noticed I was getting an error that the administrator had
| disabled task manager. Then I tried regedit and got a similar error.
| Of course, it is my comp and I'm the admin. I spent a few hours
| searching and tried several resources: Spybot Search & Destroy,
| Ad-Aware, and a-squared. HijackThis found a registry entry that was setting
| the lockout value to 1 on Task Manager, but I was unable to fix it
| through HijackThis.
|
| I ran another NAV scan and it detected a generic trojan, baby.exe which
| I got rid of. However, the lockouts of taskmanager and regedit
| continued. I used a-squared to view the processes running in
| taskmanager and found REGSVR.EXE, which I killed. From here I ran the
| UnHookExec from NAV that freed my registry (I tried it before and
| nothing) and re-enabled task manager access through regedit.
| Everything seemed to be running fine, except I was having
| trouble getting System Restore enabled again.
|
| I searched and found a REGSVR-009(bunch of numbers).exe file and
| deleted that. However, on restart, I was locked out of task manager
| again and had to repeat the same steps of using a-squared to kill
| REGSVR.EXE and go through regedit to enable Task Manager.
|
| Most Google searches identify REGSVR.EXE as part of a worm, but I was
| unable to find anything using various tools and scans. I also checked
| my registry for the typical systems and didn't find any. I have no
| idea what is causing this to run every time I start the computer.
|
| Any ideas how I can find what is causing REGSVR.EXE to run and lock me
| out of Task Manager and regedit? Even though NAV and others say I'm
| clean, something isn't right and it is probably doing more than just
| locking me out of taskmanager. Is this maybe a new virus that most
| anti-virus, malware, and anti-trojan programs can't find?
|
| Any help is great, thank you.
Use the following Multi AV Scanning Tool. It will help you remove the virus that was
installed as well as give you back access to Task Manager and Regedit.
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Posted by jasonwhat on December 16, 2005, 12:33 pm
Thanks Dave.
I've tried Sophos and Trend both in normal and safe mode with no luck.
They find no viruses and when I restart in normal mode I'm still locked
out. I'll try the others, but I seem to be clean of all the normal
viruses related to the REGSVR.EXE process.
Is it possible to trace what file is causing an exe program to run?
Using a-squared the process is said to be running in C:\Windows\
Process ID: 220
Threads: 4
Priority: Normal
I also had 3 errors running Sophos that could be related to a virus,
but I doubt that. Here they are anyways:
Full Scanning
Could not open c:\Documents and Settings\Jason\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\Jason\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not check c:\Documents and Settings\Jason\My
Documents\AABE\Website Originals\publications\CSI903.ppt (corrupt)
3960 files swept in 19 minutes and 49 seconds.
3 errors were encountered.
No viruses were discovered.
Ending Sophos Anti-Virus.
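As an added example answering the question above about tracing what makes a program run at every start (this is not from the thread and is not part of Dave's Multi_AV tool): the script below lists the registry autostart locations Windows reads at logon and the policy values behind the "disabled by your administrator" lockouts of Task Manager and regedit. It assumes a current Windows system with PowerShell, which the poster's 2005 machine did not have, though the registry locations are the same; the list of autostart keys is illustrative rather than exhaustive, the "runs from Windows root" flag is a heuristic, and the -Unlock switch is a hypothetical parameter of this script only.

```powershell
# Added example, not part of the thread or the Multi_AV tool.
# Lists common logon autostart entries and the policy values that disable
# Task Manager / regedit. Read-only unless -Unlock is given (hypothetical switch).
param([switch]$Unlock)

# Assumption: an illustrative list of autostart locations, not an exhaustive one.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Only these Winlogon values launch programs at logon; the key holds many others.
$winlogonLaunchValues = @('Shell', 'Userinit')

Write-Output '=== Autostart entries ==='
foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSChildName, ...
        if ($key -like '*\Winlogon' -and $winlogonLaunchValues -notcontains $prop.Name) { continue }
        $value = [string]$prop.Value
        # Heuristic: flag commands that point at an .exe directly in the Windows
        # directory root (where REGSVR.EXE sat in the thread). Legitimate programs
        # normally live in System32 or Program Files, so treat a hit as something
        # to look at, not as proof of infection.
        $note = ''
        if ($value -match '(?i)^"?[a-z]:\\windows\\[^\\"]+\.exe') { $note = '  <-- runs from Windows root' }
        Write-Output ("{0}`n    {1} = {2}{3}" -f $key, $prop.Name, $value, $note)
    }
}

Write-Output '=== Lockout policy values ==='
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($name in @('DisableTaskMgr', 'DisableRegistryTools')) {
        $entry = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $entry) { continue }
        $value = $entry.$name
        Write-Output ("{0}\{1} = {2}" -f $key, $name, $value)
        if ($value -eq 1 -and $Unlock) {
            # Deleting the value restores the default (tool enabled). If it is
            # back after a reboot, the autostart listing above is where to look
            # for whatever keeps re-setting it.
            Remove-ItemProperty -Path $key -Name $name
            Write-Output "    removed $name"
        }
    }
}
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt; run it once read-only, note any entry you do not recognise, and only then re-run with -Unlock. The point of listing the autostart entries before unlocking is the one the thread illustrates: re-enabling Task Manager by hand is undone at the next reboot as long as the entry that launches the trojan is still there.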
Posted by David H. Lipman on December 16, 2005, 12:54 pm
| Thanks Dave.
|
| I've tried Sophos and Trend both in normal and safe mode with no luck.
| They find no viruses and when I restart in normal mode I'm still locked
| out. I'll try the others, but I seem to be clean of all the normal
| viruses related to the REGSVR.EXE process.
|
| Is it possible to trace what file is causing an exe program to run?
| Using a-squared the process is said to be running in C:\Windows\
| Process ID: 220
| Threads: 4
| Priority: Normal
|
| I also had 3 errors running Sophos that could be related to a virus,
| but I doubt that. Here they are anyways:
|
| Full Scanning
|
| Could not open c:\Documents and Settings\Jason\Local
| Settings\Application Data\Microsoft\Windows\UsrClass.dat
| Could not open c:\Documents and Settings\Jason\Local
| Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
| Could not check c:\Documents and Settings\Jason\My
| Documents\AABE\Website Originals\publications\CSI903.ppt (corrupt)
|
| 3960 files swept in 19 minutes and 49 seconds.
| 3 errors were encountered.
| No viruses were discovered.
| Ending Sophos Anti-Virus.
The LOG files could not be scanned because the OS is actively using those log files and their
respective file handles are in use. Normal operation. This is as reported; CSI903.ppt (corrupt)
Sophos found nothing ?
I see at Sophos that REGSVR.EXE is associated with a RBot worm and a couple of Trojans.
http://www.sophos.com/virusinfo/analyses/w32rbotpr.html
http://www.sophos.com/virusinfo/analyses/trojwebmoneyg.html
http://www.sophos.com/virusinfo/analyses/trojpwssagib.html
Edit C:\AV-CLS\killproc.txt
Append; REGSVR.EXE to the list. Make sure the last line is a blank line.
Then run the Multi AV Menu again.
Use the McAfee module. Scan in Normal Mode and reboot the PC into "Safe Mode with Command
Prompt" and then execute; C:\AV-CLS\DOSCLEAN.BAT and C:\AV-CLS\SOFCLEAN.BAT
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Posted by jasonwhat on December 16, 2005, 4:32 pm
I was trying to follow your instructions and had problems with
DOSCLEAN.BAT hanging in the middle of a scan.
I was getting some hangs from Sophos earlier but still got a report.
However, I ran Sophos again, it did an update. Then I scanned only
C:\WINDOWS where two instances of the Trojan PWSSagi-E were found.
http://www.sophos.com/virusinfo/analyses/trojpwssagie.html
Here is the log:
Full Scanning
Could not check C:\WINDOWS\Registration\R00000000000f.clb (corrupt)
Could not check C:\WINDOWS\Registration\R000000000010.clb (corrupt)
>>> Virus 'Troj/PWSSagi-E' found in file C:\WINDOWS\REGSVR.EXE
Removal successful
Could not open C:\WINDOWS\system32\config\system.LOG
Could not check C:\WINDOWS\system32\emptyregdb.dat (corrupt)
>>> Virus 'Troj/PWSSagi-E' found in file C:\WINDOWS\system32\Tapi32init.exe
Removal successful
1 master boot record swept.
12406 files swept in 17 minutes and 27 seconds.
4 errors were encountered.
2 viruses were discovered.
2 files out of 12406 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.
I still have to do some tests and rebooting to see if it is gone, but
at least the file has been identified. I guess I need to change all my
passwords.
Thanks.