Problem and questions - Techist - Tech Forum

Old 12-24-2004, 08:49 PM   #1 (permalink)
Newb Techie
 
Join Date: Dec 2004
Posts: 2
Problem and questions

I got home to my parents' and the computer is just a mess. I'm starting to get it together now, but I still have some problems.
The computer is Windows XP, 598 MHz, 128 MB RAM and a tiny 4 GB hard drive.

When I first got home lsass complained when I logged on to the internet, and a few minutes later it wanted to shut the computer down in 60 seconds. I couldn't download security updates from Microsoft either. I think it was W32/Sdbot.worm.gen that caused the problems, and I managed to get rid of it with McAfee Stinger. So I have managed to update from Microsoft, and the lsass and shutdown problems are gone.
Also, adverts about how my computer was infected with spyware and how I should get this and that to protect me were coming through Windows Messenger. I got rid of these with Shoot The Messenger.

I downloaded Sygate Personal Firewall and tried to install it, but it can't be done: Windows Installer doesn't work. According to HijackThis a file seems to be missing. So do I just download it, or do I need to reinstall Windows Installer, and how do I do that then?
Now I have ZoneAlarm as firewall instead, and SystemReg16.exe wants to connect. What file is that? What does it do? I can't find any information about it.
And of course, if you find anything else wrong in the log, I'd be grateful if you tell me.


Logfile of HijackThis v1.99.0
Scan saved at 20:06:59, on 2004-12-24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\SystemReg16.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Håkan\Lokala inställningar\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\Run: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKLM\..\Run: [Registry Checkup System32cd Monitor] Winregs32cdn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\RunServices: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\RunServices: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKLM\..\RunServices: [Registry Checkup System32cd Monitor] Winregs32cdn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Installer - Unknown - C:\DOCUME~1\HKAN~1\LOKALA~1\Temp\IXP000.TMP\MsiExe c.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Doktorn is offline  
Old 12-24-2004, 09:12 PM   #2 (permalink)
Wizard Techie
 
Join Date: Dec 2004
Location: Canada
Posts: 3,790

How odd: the shutdown problem you describe at the beginning of your post sounds a lot like the infamous Blaster worm, which infected a lot of computers in the summer of 2003, I believe.

I wouldn't be too concerned about letting the SystemReg16 file access the internet. I run ZoneAlarm and get that every now and then, and I haven't had any problems with allowing it to access the internet.

I skimmed through your log and all appears fine.
gaara is offline  
Old 12-24-2004, 10:47 PM   #3 (permalink)
Ultra Techie
 
Join Date: Jun 2004
Posts: 973
Send a message via Yahoo to intercodes

Doktorn,

HijackThis is running from: C:\Documents and Settings\Håkan\Lokala inställningar\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

Please install HijackThis in some other folder, say 'c:/hack', and then post your log. This is important.

And by the way, you need to install some patches for Internet Explorer. It's pretty old. Check the Windows Update site for any critical updates and install them.
intercodes is offline  
Old 12-25-2004, 10:39 AM   #4 (permalink)
Newb Techie
 
Join Date: Dec 2004
Posts: 2

Yes, I thought it was Sasser too. But AVG couldn't find anything; the only thing that has happened is that Stinger found that file and deleted it. But can't that file be connected to Sasser in some way?

I don't know about updating Explorer. It is working fine, and the space on this hard drive is very small: 4 GB total, and maybe 600-700 MB free now. It is a Swedish version also; I think they can be a little behind the English versions.

And Windows Installer?

OK, here is the log again.

Logfile of HijackThis v1.99.0
Scan saved at 16:31:42, on 2004-12-25
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\SystemReg16.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Håkan\Lokala inställningar\Temp\Temporär katalog 2 för hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\Run: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKLM\..\Run: [Registry Checkup System32cd Monitor] Winregs32cdn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKLM\..\RunServices: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\RunServices: [MS Office32cb Startup] OfficeGUI32cb.exe
O4 - HKLM\..\RunServices: [Registry Checkup System32cd Monitor] Winregs32cdn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Installer - Unknown - C:\DOCUME~1\HKAN~1\LOKALA~1\Temp\IXP000.TMP\MsiExe c.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Doktorn is offline  
Old 12-25-2004, 12:43 PM   #5 (permalink)
Ultra Techie
 
Join Date: Jun 2004
Posts: 973
Send a message via Yahoo to intercodes

Doktorn,

SystemReg16 seems to be a malware process. You need to get rid of it. Hold on... we will go step by step.

* Close all windows except HJT [turn off System Restore if it is on].
* Run and fix the following entries.

------------------------------------

C:\WINDOWS\System32\SystemReg16.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/ [If you don't know this entry, delete it]

O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe

O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe

O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe

O23 - Service: Windows Installer - Unknown - C:\DOCUME~1\HKAN~1\LOKALA~1\Temp\IXP000.TMP\MsiExe c.exe (file missing)

-----------------------------------------------------

I highly recommend this one: http://housecall.trendmicro.com/hous...start_corp.asp
intercodes is offline  
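The entries intercodes picks out above all share a few traits that a reader can check mechanically: autostart values whose command is a bare filename with no path (legitimate entries such as AVG and ZoneAlarm carry full paths), values planted under HKLM\..\RunServices (a Windows 9x/ME key that Windows XP does not process, so on an XP log it usually means something wrote itself into every autostart key it knew), the same file registered under several keys at once, names with digits wedged into words, and a service whose binary is missing from a Temp directory with no vendor in its version information. The following Python script is an added example, not part of the thread and not HijackThis's own code; the parsing and the scoring heuristics are my own assumptions, and the sample input is a subset of the O4 and O23 lines from Doktorn's log as quoted above.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the HijackThis v1.99 entries quoted
# in this thread (the O4 autostart lines and the O23 service lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Services] lssrv.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Winregs32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Installer - Unknown - C:\DOCUME~1\HKAN~1\LOKALA~1\Temp\IXP000.TMP\MsiExe c.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Line shapes as HijackThis prints them (assumed from the log in this thread).
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')
LEET_RE = re.compile(r'[A-Za-z]\d+[A-Za-z]')   # digits wedged inside a word, e.g. upd4te


def executable_of(cmd):
    """Return the program part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def is_bare(exe):
    """True when the command names only a file, not a path (e.g. 'lssrv.exe')."""
    return bool(exe) and '\\' not in exe and '/' not in exe


def parse_hjt(text):
    """Parse O4 and O23 lines into dicts; other HijackThis sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(kind='O4', line=line, exe=executable_of(d['cmd']))
            entries.append(d)
            continue
        m = O23_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(kind='O23', line=line)
            entries.append(d)
    return entries


def triage(entries):
    """Attach heuristic reasons to each entry; returns [(line, [reasons])] for flagged ones."""
    # How many distinct autostart values point at the same unpathed file.
    bare_counts = Counter(e['exe'].lower() for e in entries
                          if e['kind'] == 'O4' and is_bare(e['exe']))
    findings = []
    for e in entries:
        reasons = []
        if e['kind'] == 'O4':
            if is_bare(e['exe']):
                reasons.append('bare filename, no path (resolved through the search path)')
                n = bare_counts[e['exe'].lower()]
                if n > 1:
                    reasons.append('same file registered under %d autostart keys' % n)
            if e['key'].lower() == 'runservices':
                reasons.append('RunServices key (Win9x-era key that XP does not process)')
            if LEET_RE.search(e['name']):
                reasons.append('digits wedged into words in the entry name')
        else:
            if e['path'].endswith('(file missing)'):
                reasons.append('service binary missing')
            if '\\temp\\' in e['path'].lower():
                reasons.append('service binary registered under a Temp directory')
            if e['vendor'] == 'Unknown':
                reasons.append('no vendor name in the binary\'s version information')
        if reasons:
            findings.append((e['line'], reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(line)
        for r in reasons:
            print('   -', r)
```

Run against the sample it flags exactly the lines intercodes lists plus the SystemReg16 and Office/Winregs-style bare entries, and leaves the AVG, ZoneAlarm and Messenger entries alone. A flag is a prompt to look at the file itself (who signed it, what a scanner says about it), not proof by itself; the Windows Installer line also shows why the OP's installs fail, since the service points at a copy in a temp folder that no longer exists rather than at the real msiexec.exe in the system directory.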