Tags:












How do I tell what program inserted a registry entry?
July 18, 2004 7:05 AM   RSS feed for this thread Subscribe

PCFilter : Is there any way to tell what program inserted something into the registry?
I've been attacked by four seperate virii that sophos claims don't exist in the wild. One of them (netclnc.exe) keeps reappearing in my registry and the system32, and I want to know what's putting it there so I can kill it. Ideas?
posted by twine42 to computers & internet (14 comments total)
hi, after a quick google check, i came up with this, which seems to be a solution to your problem. i hope.

if all else fails - hijack this.
posted by triv at 7:20 AM on July 18, 2004


RegMon will do too.
posted by ed\26h at 7:34 AM on July 18, 2004


I'll check out RegMon.

I've seen that page for netclnc, and done as instructed several times now, but the bastard comes back. I think it reappears after a reboot, but I don't think it's starting the process on startup, which is annoying me somewhat. I'm not sure if something is reinfecting me (inwhichcase it must be either Felix or Viktoria (pcs)) or it's smarter than people think and it's reinfecting itself.

My firewall is healthy enough to annoy my ISP when they're pinging me, so I assume it's not coming in that way...
posted by twine42 at 7:45 AM on July 18, 2004


missed out a thanks in there. *sigh*

Also, how did you find that? My googling returned so much noise I couldn't find anything worthwhile.
posted by twine42 at 7:54 AM on July 18, 2004


twine42: Please do let us know when you figure it out. It sounds nasty....
posted by Daddio at 8:07 AM on July 18, 2004


For Daddio, in case I forget, the files I eradicated so far are...

ifa32.exe and wingx32.exe - (W32/Rbot-BU) - one and the same virus it appears. Kill one and the other respawns it, kill both and they die. Sophos claims one copy in the wild but ignored my offer to email them a copy. ;)

netclnc.exe - the one that kept respawning. No word I can find from any of the anti-virus companies. It seems to be opening up lots of ports and wrecking my net connection.

csmss.exe - (Troj/Dedler-D) - this one infected my own personal laptop. It travels by ICQ (which I don't have). Again, Sophos has just one report of it in the wild.

I don't understand how these virii got us, considering we're firewalled, use Thunderbird and Fire(fox|bird), don't use p2p. The first seems to be a worm, so it's possible it snuck in and gave us the rest, but it's not returned to do the job again, so...

I'll keep you guys informed though.
posted by twine42 at 8:36 AM on July 18, 2004


Also be warry of unkown virsuses inserting themselves into one of the startup *.ini files. This happened to me a few years back and the virus propogation name was command.exe- not to be confused with command.com. That bastardly program would run on startup through one of the ini files and managed to reinstall the virus program and prevented deletion except by some trickery on my part (namely restarting the computer in DOS mode so the command.exe file wouldn't start and delete the file. Then, when windows started, I got one of those "cannot find command.exe file" messages and I figured out where the launching command was from there). For whatever reason, I've found regular virus programs suck at finding those type of viruses.
Another roundabout trick I've learned is use Administartive Tools. I forget which program to use, but its the one that holds all the regular windows processes. Sometimes a program/virus will insert itself into this either under a regular windows process such as messaging- ripe for annoying spyware- or create a completely new one. You can usually right-click on the process to see its startup path. You can disable its startup from the given tool, too.

I have no idea if that'll help, but good luck!
posted by jmd82 at 9:58 AM on July 18, 2004


Spybot 1.3 will install teatimer.exe, a realtime registry modification monitor. I *think* it tells you what's doing the modification, but I'm not positive.

FYI, folks: that's what teatimer is, should you run across it in a task list. ;-)
posted by baylink at 11:01 AM on July 18, 2004


On a side note, using XP, does anyone know how to end those processees Windows won't let you end or delete files that won't let themselves be deleted?
posted by jmd82 at 12:03 PM on July 18, 2004


ms office? a user bringing in floppies? (for the source).
posted by andrew cooke at 1:20 PM on July 18, 2004


jmd82: Previously mentioned on here, Process Explorer is the bee's.
posted by punilux at 2:13 PM on July 18, 2004


ansdrew: users would be myself or my wife, I don't use floppies and she shuns Office. ;)

I'm seriously at a loss here. Our only contact with the world is via the Internet. God that sounds pathetic. You know what I mean.
posted by twine42 at 3:21 PM on July 18, 2004


Where exactly are you looking in the registry?

H_KEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\run ?
runServices?

HijackThis is good stuff...
posted by jopreacher at 6:08 PM on July 18, 2004


I'm searching the reg in general, but yeah, that was one of the main area things seemed to appear. That and the user specific areas f the reg.
posted by twine42 at 1:51 AM on July 19, 2004


« Older estes muertos viven en el camp...   |   I'm in the market for a new co... Newer »
This thread is closed to new comments.