Regsvr.exe locks me out of task manager and regedit


jasonwhat

I'll tell the whole embarrassing story in hopes someone can help, or to
help others with the same problem.

I got an attachment from a contact on yahoo claiming to be a picture.
Of course the file was not really a jpeg, but launched some sort of
virus, baby.exe on the computer. Once I clicked it I knew what I had
done. I deleted the attachment file and performed a scan with NAV,
which turned up nothing.

A bit later I noticed I was getting an error that the administrator had
disabled task manager. Then I tried regedit and got a similar error.
Of course, it is my comp and I'm the admin. I spent a few hours
searching and tried several resources, spybot search and destroy,
adaware, asquared, hijack this found a registry entry that was setting
the lockout value to 1 on task manager, but I was unable to fix it
through hijack this.

I ran another NAV scan and it detected a generic trojan, baby.exe which
I got rid of. However, the lockouts of taskmanager and regedit
continued. I used a-squared to view the processes running in
taskmanager and found REGSVR.EXE, which I killed. From here I ran the
UnHookExec from NAV that freed my registry (I tried it before and
nothing) and re-enabled task manager access through regedit.
Everything seemed to be running fine, except that I was having
trouble getting System Restore enabled again.

I searched and found a REGSVR-009(bunch of numbers).exe file and
deleted that. However, on restart, I was locked out of task manager
again and had to repeat the same steps of using a-squared to kill
REGSVR.EXE and go through regedit to enable task manager.

Most Google searches identify REGSVR.EXE as part of a worm, but I was
unable to find anything using various tools and scans. I also checked
my registry for the typical systems and didn't find any. I have no
idea what is causing this to run every time I start the computer.

Any ideas how I can find what is causing REGSVR.EXE to run and lock me
out of taskmanager and regedit? Even though NAV and other say I'm
clean, something isn't right and it is probably doing more than just
locking me out of taskmanager. Is this maybe a new virus that most
anti-virus, malware, and anti-trojan programs can't find?

Any help is great, thank you.
 

David H. Lipman

From: "jasonwhat" <[email protected]>


Use the following Multi AV Scanning Tool. It will help you remove the virus that was
installed as well as give you back access to Task Manager and Regedit.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 

jasonwhat

Thanks Dave.

I've tried Sophos and Trend both in normal and safe mode with no luck.
They find no viruses and when I restart in normal mode I'm still locked
out. I'll try the others, but I seem to be clean of all the normal
viruses related to the REGSVR.EXE process.

Is it possible to trace what file is causing an exe program to run?
Using a-squared the process is said to be running in C:\Windows\
Process ID: 220
Threads: 4
Priority: Normal

I also had 3 errors running Sophos that could be related to a virus,
but I doubt that. Here they are anyways:

Full Scanning

Could not open c:\Documents and Settings\Jason\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat
Could not open c:\Documents and Settings\Jason\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Could not check c:\Documents and Settings\Jason\My
Documents\AABE\Website Originals\publications\CSI903.ppt (corrupt)

3960 files swept in 19 minutes and 49 seconds.
3 errors were encountered.
No viruses were discovered.
Ending Sophos Anti-Virus.
 
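One way to answer the question asked above (which registry values produce the "disabled by your administrator" errors, and what makes an executable start at every boot), as an added example that is not part of the thread and not taken from any of the tools mentioned in it. It assumes an elevated PowerShell prompt on a current Windows release; the target file name is a parameter, and the value names DisableTaskMgr and DisableRegistryTools under the Policies\System keys are the ones Windows reads for those two messages. The autostart locations it checks are the common ones (Run/RunOnce keys, Winlogon Shell/Userinit, AppInit_DLLs, Startup folders, services), not an exhaustive list.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# It (1) reports the policy values behind the "disabled by your administrator" errors,
# (2) hunts the usual autostart locations for a given executable name, and
# (3) lists live processes by that name with their parent PID, so the launcher can be
# identified and removed before the values are reset (otherwise the launcher simply
# sets them again at the next boot, which is what the thread describes).
param([string]$Target = 'regsvr.exe')   # name to hunt; an assumption for the demo

function Get-LockoutPolicy {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($null -ne $p.$name) {
                [pscustomobject]@{ Key = $k; Name = $name; Value = $p.$name }
            }
        }
    }
}

function Find-AutostartReference {
    param([string]$Pattern)
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
            'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Shell, Userinit
            'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'    # AppInit_DLLs, Load
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
            if ("$($prop.Value)" -match $Pattern) {
                [pscustomobject]@{ Location = "$k\$($prop.Name)"; Command = $prop.Value }
            }
        }
    }
    # Startup folders (per-user and all-users) and services are the other common launchers.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path) {
            Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match $Pattern } |
                ForEach-Object { [pscustomobject]@{ Location = $_.FullName; Command = $_.Name } }
        }
    }
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Location = "service:$($_.Name)"; Command = $_.PathName } }
}

function Get-ProcessByName {
    param([string]$Name)
    # ParentProcessId shows what spawned it; ExecutablePath is the real on-disk file.
    Get-CimInstance Win32_Process -Filter "Name='$Name'" |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

$pattern = [regex]::Escape($Target)
'--- lockout policy values ---'
Get-LockoutPolicy | Format-Table -AutoSize
"--- autostart references to $Target ---"
Find-AutostartReference -Pattern $pattern | Format-Table -AutoSize
"--- running copies of $Target ---"
Get-ProcessByName -Name $Target | Format-Table -AutoSize
```

Order matters: remove the autostart entry and the file it points to, confirm no copy is still running, and only then clear the two values (for example `Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name DisableTaskMgr`). Do not confuse the hunted file with the legitimate regsvr32.exe that lives in System32. On a Windows XP machine like the one in the thread the CIM cmdlets are not available; Get-WmiObject with the same class names and filters is the equivalent there.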

David H. Lipman

From: "jasonwhat" <[email protected]>



The LOG files could not be scanned because the OS is actively using those log files and their
respective file handles are in use. Normal operation. This is as reported; CSI903.ppt
(corrupt)

Sophos found nothing ?

I see at Sophos that REGSVR.EXE is associated with a RBot worm and a couple of Trojans.
http://www.sophos.com/virusinfo/analyses/w32rbotpr.html
http://www.sophos.com/virusinfo/analyses/trojwebmoneyg.html
http://www.sophos.com/virusinfo/analyses/trojpwssagib.html


Edit C:\AV-CLS\killproc.txt
Append; REGSVR.EXE to the list. Make sure the last line is a blank line.

Then run the Multi AV Menu again.

Use the McAfee module. Scan in Normal Mode and reboot the PC into "Safe Mode with Command
Prompt", then execute; C:\AV-CLS\DOSCLEAN.BAT and C:\AV-CLS\SOFCLEAN.BAT
 

jasonwhat

I was trying to follow your instructions and had problems with
DOSCLEAN.BAT hanging in the middle of the scan.

I was getting some hangs from Sophos earlier but still got a report.
However, I ran Sophos again, it did an update. Then I scanned only
C:\WINDOWS where two instances of the Trojan PWSSagi-E were found.

http://www.sophos.com/virusinfo/analyses/trojpwssagie.html


Here is the log:
Full Scanning

Could not check C:\WINDOWS\Registration\R00000000000f.clb (corrupt)
Could not check C:\WINDOWS\Registration\R000000000010.clb (corrupt)
Removal successful
Could not open C:\WINDOWS\system32\config\system.LOG
Could not check C:\WINDOWS\system32\emptyregdb.dat (corrupt)
Removal successful

1 master boot record swept.
12406 files swept in 17 minutes and 27 seconds.
4 errors were encountered.
2 viruses were discovered.
2 files out of 12406 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email (e-mail address removed)
or telephone +44 1235 559933
Ending Sophos Anti-Virus.

I still have to do some tests and rebooting to see if it is gone, but
at least the file has been identified. I guess I need to change all my
passwords.

Thanks.
 

David H. Lipman

From: "jasonwhat" <[email protected]>


http://www.sophos.com/virusinfo/analyses/trojpwssagie.html

Confusing in what it stated...
Protection available since 7 December 2005 22:15:08 (GMT)
Included in our products from February 2006 (4.02)

Yes, change your passwords since they are mostly compromised since it is a Password Stealing
Trojan.
 

jasonwhat

Dave,

Thanks so much for the tool. Obviously it was a big help, as were your
instructions. Things seem to be running fine now. I guess this is a
pretty new virus so it won't ship in their products until Feb., and the
solution is recent.

Things seem to be good now.

Thanks.
 

David H. Lipman

From: "jasonwhat" <[email protected]>


fantastic !

I am happy to hear that and thanx for updating the thread.

Happy Holidays !
 
