Comments on: How do I tell what program inserted a registry entry?

Question: How do I tell what program inserted a registry entry?

twine42 — Sun, 18 Jul 2004 07:05:52 -0800

PCFilter : Is there any way to tell what program inserted something into the registry?
I've been attacked by four seperate virii that sophos claims don't exist in the wild. One of them (netclnc.exe) keeps reappearing in my registry and the system32, and I want to know what's putting it there so I can kill it. Ideas?

By: triv

triv — Sun, 18 Jul 2004 07:20:51 -0800

hi, after a quick google check, i came up with this, which seems to be a solution to your problem. i hope.

if all else fails - hijack this.

By: ed\26h

ed\26h — Sun, 18 Jul 2004 07:34:55 -0800

RegMon will do too.

By: twine42

twine42 — Sun, 18 Jul 2004 07:45:05 -0800

I'll check out RegMon.

I've seen that page for netclnc, and done as instructed several times now, but the bastard comes back. I think it reappears after a reboot, but I don't think it's starting the process on startup, which is annoying me somewhat. I'm not sure if something is reinfecting me (inwhichcase it must be either Felix or Viktoria (pcs)) or it's smarter than people think and it's reinfecting itself.

My firewall is healthy enough to annoy my ISP when they're pinging me, so I assume it's not coming in that way...

By: twine42

twine42 — Sun, 18 Jul 2004 07:54:04 -0800

missed out a thanks in there. *sigh*

Also, how did you find that? My googling returned so much noise I couldn't find anything worthwhile.

By: Daddio

Daddio — Sun, 18 Jul 2004 08:07:52 -0800

twine42: Please do let us know when you figure it out. It sounds nasty....

By: twine42

twine42 — Sun, 18 Jul 2004 08:36:21 -0800

For Daddio, in case I forget, the files I eradicated so far are...

ifa32.exe and wingx32.exe - (W32/Rbot-BU) - one and the same virus it appears. Kill one and the other respawns it, kill both and they die. Sophos claims one copy in the wild but ignored my offer to email them a copy. ;)

netclnc.exe - the one that kept respawning. No word I can find from any of the anti-virus companies. It seems to be opening up lots of ports and wrecking my net connection.

csmss.exe - (Troj/Dedler-D) - this one infected my own personal laptop. It travels by ICQ (which I don't have). Again, Sophos has just one report of it in the wild.

I don't understand how these virii got us, considering we're firewalled, use Thunderbird and Fire(fox|bird), don't use p2p. The first seems to be a worm, so it's possible it snuck in and gave us the rest, but it's not returned to do the job again, so...

I'll keep you guys informed though.

By: jmd82

jmd82 — Sun, 18 Jul 2004 09:58:11 -0800

Also be warry of unkown virsuses inserting themselves into one of the startup *.ini files. This happened to me a few years back and the virus propogation name was command.exe- not to be confused with command.com. That bastardly program would run on startup through one of the ini files and managed to reinstall the virus program and prevented deletion except by some trickery on my part (namely restarting the computer in DOS mode so the command.exe file wouldn't start and delete the file. Then, when windows started, I got one of those "cannot find command.exe file" messages and I figured out where the launching command was from there). For whatever reason, I've found regular virus programs suck at finding those type of viruses.
Another roundabout trick I've learned is use Administartive Tools. I forget which program to use, but its the one that holds all the regular windows processes. Sometimes a program/virus will insert itself into this either under a regular windows process such as messaging- ripe for annoying spyware- or create a completely new one. You can usually right-click on the process to see its startup path. You can disable its startup from the given tool, too.

I have no idea if that'll help, but good luck!

By: baylink

baylink — Sun, 18 Jul 2004 11:01:08 -0800

Spybot 1.3 will install teatimer.exe, a realtime registry modification monitor. I *think* it tells you what's doing the modification, but I'm not positive.

FYI, folks: that's what teatimer is, should you run across it in a task list. ;-)

By: jmd82

jmd82 — Sun, 18 Jul 2004 12:03:40 -0800

On a side note, using XP, does anyone know how to end those processees Windows won't let you end or delete files that won't let themselves be deleted?

By: andrew cooke

andrew cooke — Sun, 18 Jul 2004 13:20:13 -0800

ms office? a user bringing in floppies? (for the source).

By: punilux

punilux — Sun, 18 Jul 2004 14:13:50 -0800

jmd82: Previously mentioned on here, Process Explorer is the bee's.

By: twine42

twine42 — Sun, 18 Jul 2004 15:21:17 -0800

ansdrew: users would be myself or my wife, I don't use floppies and she shuns Office. ;)

I'm seriously at a loss here. Our only contact with the world is via the Internet. God that sounds pathetic. You know what I mean.

By: jopreacher

jopreacher — Sun, 18 Jul 2004 18:08:22 -0800

Where exactly are you looking in the registry?

H_KEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\run ?
runServices?

HijackThis is good stuff...

By: twine42

twine42 — Mon, 19 Jul 2004 01:51:19 -0800

I'm searching the reg in general, but yeah, that was one of the main area things seemed to appear. That and the user specific areas f the reg.