Problem and questions

Status
Not open for further replies.

Doktorn

I got home to my parents' and the computer is just a mess. I'm starting to get it together now, but I still have some problems.
The computer is Windows XP, 598 MHz, 128 RAM and a tiny 4 GB hard drive.

When I first got home, lsass complained when I logged on to the internet, and a few minutes later it wanted to shut the computer down in 60 seconds. I couldn't download safety updates from Microsoft either. I think it was w32/Sdbot.worm.gen that caused the problems, and I managed to get rid of it with McAfee Stinger. So I have managed to update from Microsoft, and the lsass and shutdown problems are gone.
Also, commercials about how my computer was infected with spyware and how I should get this and that to protect me were coming through Windows Messenger. I got rid of this with Shootthemessenger.

I downloaded Sygate Personal Firewall and tried to install it, but it can't be done: Windows Installer doesn't work. A file seems to be missing, according to HijackThis. So is it just a matter of downloading it, or do I need to reinstall Windows Installer, and how do I do that then?
Now I have ZoneAlarm as firewall instead, and SystemReg16.exe wants to connect. What file is that? What does it do? I can't find any information about it.
And of course, if you find anything else wrong in the log, I'm grateful if you tell me.


Logfile of HijackThis v1.99.0
Scan saved at 20:06:59, on 2004-12-24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\SystemReg16.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Håkan\Lokala inställningar\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\Run: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKLM\..\Run: [Registry Checkup System32cd Monitor] Winregs32cdn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\RunServices: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\RunServices: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKLM\..\RunServices: [Registry Checkup System32cd Monitor] Winregs32cdn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Installer - Unknown - C:\DOCUME~1\HKAN~1\LOKALA~1\Temp\IXP000.TMP\MsiExec.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
How odd, the shutdown problem you were describing at the beginning of your post sounds a lot like the infamous Blaster worm, which infected a lot of computers in the summer of 2003, I believe.

I wouldn't be too concerned about letting the systemreg16 file access the internet; I run ZoneAlarm and get that every now and then, and I haven't had any problems with allowing it to access the internet.

I skimmed through your log and all appears fine.
 
Doktorn,

HijackThis is running from: C:\Documents and Settings\Håkan\Lokala inställningar\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

Please install HijackThis in some other folder, say 'c:/hack', and then post your log. This is important.

And by the way, you need to install some patches for Internet Explorer. It's pretty old. Check the Windows Update site for any critical updates and install them.
 
Yes, I thought it was Sasser too. But AVG couldn't find anything; the only thing that has happened is that Stinger found that file and deleted it. But can't that file be connected to Sasser in some way?

I don't know about updating Explorer. It is working fine, and the space on this hard drive is very small: 4 GB total, and maybe 600-700 MB free now. It is a Swedish version also; I think they can be a little behind the English versions.

And Windows Installer?

OK, here is the log again.

Logfile of HijackThis v1.99.0
Scan saved at 16:31:42, on 2004-12-25
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\SystemReg16.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Håkan\Lokala inställningar\Temp\Temporär katalog 2 för hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\Run: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKLM\..\Run: [Registry Checkup System32cd Monitor] Winregs32cdn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\RunServices: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\RunServices: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKLM\..\RunServices: [Registry Checkup System32cd Monitor] Winregs32cdn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Installer - Unknown - C:\DOCUME~1\HKAN~1\LOKALA~1\Temp\IXP000.TMP\MsiExec.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Doktorn,

systemreg16 seems to be a malware process. You need to get rid of it. Hold on... we will go step by step.

*Close all the windows except HJT [turn off System Restore if it is on.]
*Run and fix the following entries.

------------------------------------

C:\WINDOWS\System32\SystemReg16.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/ [If you don't know this entry, delete it]

O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe

O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe

O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe

O23 - Service: Windows Installer - Unknown - C:\DOCUME~1\HKAN~1\LOKALA~1\Temp\IXP000.TMP\MsiExec.exe (file missing)

-----------------------------------------------------

I highly recommend this one http://housecall.trendmicro.com/housecall/start_corp.asp
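As an added example (not code from this thread, from HijackThis, or from the helper above), a small Python triage script that applies the checks the reply above relies on to O4 and O23 lines: autostart entries that name a bare executable without a path, RunServices keys on an NT-family platform, and registered services whose binary is missing. The sample log lines are a constructed subset modelled on the entries in this thread.

```python
import re

# Constructed sample in HijackThis v1.99 log format, a subset modelled on the
# entries discussed in this thread (not the poster's full log).
SAMPLE_LOG = r"""
Platform: Windows XP (WinNT 5.01.2600)
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O23 - Service: Windows Installer - Unknown - C:\DOCUME~1\HKAN~1\LOKALA~1\Temp\IXP000.TMP\MsiExec.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

def image_of(command):
    """Executable image of an O4 command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]

def triage(log_text):
    """Return (reason, log line) pairs for autostart entries that need a closer look."""
    lines = log_text.splitlines()
    # HijackThis prints the OS family on its Platform line; XP is WinNT 5.01.
    nt_family = any(ln.startswith("Platform:") and "WinNT" in ln for ln in lines)
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, command = m.groups()
            if "\\" not in image_of(command):
                # No directory: the log cannot show where the binary lives, and
                # the name is resolved through the search path at logon.
                findings.append(("bare image name without a path", line))
            if nt_family and key.startswith("RunServices"):
                # RunServices* keys are Win9x-only; on NT/XP they are typically
                # written by malware that registers itself for both families.
                findings.append(("RunServices key on NT-family Windows", line))
            continue
        m = O23_RE.match(line)
        if m and m.group(3).endswith("(file missing)"):
            # The service registration survives but its binary is gone.
            findings.append(("registered service binary is missing", line))
    return findings
```

Entries with a full, quoted path to a known vendor directory (AVG, ZoneAlarm, Messenger) produce no finding; the flagged lines are the ones the helper asked to have fixed.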
 