How do I tell what program inserted a registry entry?
July 18, 2004 7:05 AM Subscribe
PCFilter : Is there any way to tell what program inserted something into the registry?
I've been attacked by four seperate virii that sophos claims don't exist in the wild. One of them (netclnc.exe) keeps reappearing in my registry and the system32, and I want to know what's putting it there so I can kill it. Ideas?
I've been attacked by four seperate virii that sophos claims don't exist in the wild. One of them (netclnc.exe) keeps reappearing in my registry and the system32, and I want to know what's putting it there so I can kill it. Ideas?
Response by poster: I'll check out RegMon.
I've seen that page for netclnc, and done as instructed several times now, but the bastard comes back. I think it reappears after a reboot, but I don't think it's starting the process on startup, which is annoying me somewhat. I'm not sure if something is reinfecting me (inwhichcase it must be either Felix or Viktoria (pcs)) or it's smarter than people think and it's reinfecting itself.
My firewall is healthy enough to annoy my ISP when they're pinging me, so I assume it's not coming in that way...
posted by twine42 at 7:45 AM on July 18, 2004
I've seen that page for netclnc, and done as instructed several times now, but the bastard comes back. I think it reappears after a reboot, but I don't think it's starting the process on startup, which is annoying me somewhat. I'm not sure if something is reinfecting me (inwhichcase it must be either Felix or Viktoria (pcs)) or it's smarter than people think and it's reinfecting itself.
My firewall is healthy enough to annoy my ISP when they're pinging me, so I assume it's not coming in that way...
posted by twine42 at 7:45 AM on July 18, 2004
Response by poster: missed out a thanks in there. *sigh*
Also, how did you find that? My googling returned so much noise I couldn't find anything worthwhile.
posted by twine42 at 7:54 AM on July 18, 2004
Also, how did you find that? My googling returned so much noise I couldn't find anything worthwhile.
posted by twine42 at 7:54 AM on July 18, 2004
twine42: Please do let us know when you figure it out. It sounds nasty....
posted by Daddio at 8:07 AM on July 18, 2004
posted by Daddio at 8:07 AM on July 18, 2004
Response by poster: For Daddio, in case I forget, the files I eradicated so far are...
ifa32.exe and wingx32.exe - (W32/Rbot-BU) - one and the same virus it appears. Kill one and the other respawns it, kill both and they die. Sophos claims one copy in the wild but ignored my offer to email them a copy. ;)
netclnc.exe - the one that kept respawning. No word I can find from any of the anti-virus companies. It seems to be opening up lots of ports and wrecking my net connection.
csmss.exe - (Troj/Dedler-D) - this one infected my own personal laptop. It travels by ICQ (which I don't have). Again, Sophos has just one report of it in the wild.
I don't understand how these virii got us, considering we're firewalled, use Thunderbird and Fire(fox|bird), don't use p2p. The first seems to be a worm, so it's possible it snuck in and gave us the rest, but it's not returned to do the job again, so...
I'll keep you guys informed though.
posted by twine42 at 8:36 AM on July 18, 2004
ifa32.exe and wingx32.exe - (W32/Rbot-BU) - one and the same virus it appears. Kill one and the other respawns it, kill both and they die. Sophos claims one copy in the wild but ignored my offer to email them a copy. ;)
netclnc.exe - the one that kept respawning. No word I can find from any of the anti-virus companies. It seems to be opening up lots of ports and wrecking my net connection.
csmss.exe - (Troj/Dedler-D) - this one infected my own personal laptop. It travels by ICQ (which I don't have). Again, Sophos has just one report of it in the wild.
I don't understand how these virii got us, considering we're firewalled, use Thunderbird and Fire(fox|bird), don't use p2p. The first seems to be a worm, so it's possible it snuck in and gave us the rest, but it's not returned to do the job again, so...
I'll keep you guys informed though.
posted by twine42 at 8:36 AM on July 18, 2004
Also be warry of unkown virsuses inserting themselves into one of the startup *.ini files. This happened to me a few years back and the virus propogation name was command.exe- not to be confused with command.com. That bastardly program would run on startup through one of the ini files and managed to reinstall the virus program and prevented deletion except by some trickery on my part (namely restarting the computer in DOS mode so the command.exe file wouldn't start and delete the file. Then, when windows started, I got one of those "cannot find command.exe file" messages and I figured out where the launching command was from there). For whatever reason, I've found regular virus programs suck at finding those type of viruses.
Another roundabout trick I've learned is use Administartive Tools. I forget which program to use, but its the one that holds all the regular windows processes. Sometimes a program/virus will insert itself into this either under a regular windows process such as messaging- ripe for annoying spyware- or create a completely new one. You can usually right-click on the process to see its startup path. You can disable its startup from the given tool, too.
I have no idea if that'll help, but good luck!
posted by jmd82 at 9:58 AM on July 18, 2004
Another roundabout trick I've learned is use Administartive Tools. I forget which program to use, but its the one that holds all the regular windows processes. Sometimes a program/virus will insert itself into this either under a regular windows process such as messaging- ripe for annoying spyware- or create a completely new one. You can usually right-click on the process to see its startup path. You can disable its startup from the given tool, too.
I have no idea if that'll help, but good luck!
posted by jmd82 at 9:58 AM on July 18, 2004
Spybot 1.3 will install teatimer.exe, a realtime registry modification monitor. I *think* it tells you what's doing the modification, but I'm not positive.
FYI, folks: that's what teatimer is, should you run across it in a task list. ;-)
posted by baylink at 11:01 AM on July 18, 2004
FYI, folks: that's what teatimer is, should you run across it in a task list. ;-)
posted by baylink at 11:01 AM on July 18, 2004
On a side note, using XP, does anyone know how to end those processees Windows won't let you end or delete files that won't let themselves be deleted?
posted by jmd82 at 12:03 PM on July 18, 2004
posted by jmd82 at 12:03 PM on July 18, 2004
ms office? a user bringing in floppies? (for the source).
posted by andrew cooke at 1:20 PM on July 18, 2004
posted by andrew cooke at 1:20 PM on July 18, 2004
jmd82: Previously mentioned on here, Process Explorer is the bee's.
posted by punilux at 2:13 PM on July 18, 2004
posted by punilux at 2:13 PM on July 18, 2004
Response by poster: ansdrew: users would be myself or my wife, I don't use floppies and she shuns Office. ;)
I'm seriously at a loss here. Our only contact with the world is via the Internet. God that sounds pathetic. You know what I mean.
posted by twine42 at 3:21 PM on July 18, 2004
I'm seriously at a loss here. Our only contact with the world is via the Internet. God that sounds pathetic. You know what I mean.
posted by twine42 at 3:21 PM on July 18, 2004
Where exactly are you looking in the registry?
H_KEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\run ?
runServices?
HijackThis is good stuff...
posted by jopreacher at 6:08 PM on July 18, 2004
H_KEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\run ?
runServices?
HijackThis is good stuff...
posted by jopreacher at 6:08 PM on July 18, 2004
Response by poster: I'm searching the reg in general, but yeah, that was one of the main area things seemed to appear. That and the user specific areas f the reg.
posted by twine42 at 1:51 AM on July 19, 2004
posted by twine42 at 1:51 AM on July 19, 2004
« Older What was this song (en espanol)? | Can anyone recommend a desk for computer/desktop... Newer »
This thread is closed to new comments.
if all else fails - hijack this.
posted by triv at 7:20 AM on July 18, 2004