Registry errors after trojan invasion (newbie)

Thread starter: Sinus Logarithme

Sinus Logarithme

Win2000 sp4
After cleanup, Normal boot duration is OK, but Safe boot takes too
long. I also have funny entries in the registry.

(a) Event log, Normal boot mode:
-------------------------------
Error 23:09:11 Server 2506
Description: The value named IRPStackSize in the server's
Registry key LanmanServer\Parameters was invalid.
I believe that this error refers to:
"IRPStackSize"=dword:00000006
in
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters]

(b) Event log, Safe boot mode:
-----------------------------
Error 4:36:37 DCOM 10010 10
Error 4:34:22 SrvCtrlMng 7001 9
Error 4:34:06 SrvCtrlMng 7026 8
Error 4:34:06 SrvCtrlMng 7001 7
Error 4:34:05 SrvCtrlMng 7001 6
Error 4:34:05 SrvCtrlMng 7001 5
Error 4:34:05 SrvCtrlMng 7001 4
Info 4:34:05 eventlog 6005 3
Info 4:34:05 eventlog 6009 2
Error 4:34:05 SrvCtrlMng 7001 1

Description:
10 The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not
register with DCOM within the required timeout.
(See c below)
9 The Remote Access Connection Manager service depends on
the Telephony service which failed to start because of the
following error: No attempts to start the service have been
made since the last boot.
8 The following boot-start or system-start driver(s) failed
to load: Iamdrv, MRxSmb,NetBios, NetBT, RasAcd, Rdbss, Tcpip
7 The Computer Browser service depends on the Server service
which failed to start because of the following error: No
attempts to start the service have been made since the last
boot.
6 The System Event Notification service depends on the COM+
Event System service which failed to start because of the
following error: No attempts to start the service have been
made since the last boot.
5 The WRQ IAM service depends on the Iamdrv service which
failed to start because of the following error: A device
attached to the system is not functioning.
4 The DNS Client service depends on the TCP/IP Protocol
Driver service which failed to start because of the
following error: A device attached to the system is not
functioning.
3
2
1 The DHCP Client service depends on the Iamdrv service
which failed to start because of the following error: A
device attached to the system is not functioning.

(c) About error 10:
-------------------
The registry entry seems circular to me:
[HKEY_CLASSES_ROOT\CLSID\{1BE1F766-5536-11D1-B726-00C04FB926AF}]
@="EventSystemTier2"
"AppID"="{1BE1F766-5536-11D1-B726-00C04FB926AF}"

(d) Funny registry entries:
---------------------------
I have many values starting with \??\
e.g:
\??\USB#ROOT_HUB#3&32c8bd93&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
\??\C:\WINNT\system32\Drivers\symevent.sys
Should I delete \??\ everywhere?

Any help would be appreciated.

PS: Trojan name: Adware.Topantispyware
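As an added example that is not part of the original post: a small Python triage helper that reads Service Control Manager descriptions like the ones quoted in (b) and separates the 7001 dependency failures whose root cause is a driver named in the 7026 event from those whose dependency was simply never started on that boot. The display-name alias table and the constructed event list are assumptions made for the example.

```python
import re

# Constructed input: four of the Safe-boot event descriptions quoted in
# the post, as (event id, description) pairs.
EVENTS = [
    (7026, "The following boot-start or system-start driver(s) failed to "
           "load: Iamdrv, MRxSmb,NetBios, NetBT, RasAcd, Rdbss, Tcpip"),
    (7001, "The Computer Browser service depends on the Server service which "
           "failed to start because of the following error: No attempts to "
           "start the service have been made since the last boot."),
    (7001, "The WRQ IAM service depends on the Iamdrv service which failed to "
           "start because of the following error: A device attached to the "
           "system is not functioning."),
    (7001, "The DNS Client service depends on the TCP/IP Protocol Driver "
           "service which failed to start because of the following error: A "
           "device attached to the system is not functioning."),
]

# 7026 lists drivers by service key name, 7001 uses display names; this
# alias table (an assumption) covers the one mismatch in the post's events.
DISPLAY_TO_KEY = {"TCP/IP Protocol Driver": "Tcpip"}

DEP_RE = re.compile(r"The (.+?) service depends on the (.+?) service which "
                    r"failed to start because of the following error: (.+)")

def triage(events):
    """Collapse a cascade of SCM 7001 events to their root causes."""
    failed_drivers = set()
    for event_id, text in events:
        if event_id == 7026:  # comma-separated list after "failed to load:"
            names = text.split("failed to load:")[1].split(",")
            failed_drivers |= {n.strip() for n in names}
    report = {"failed_drivers": sorted(failed_drivers),
              "driver_failures": {}, "never_started": {}}
    for event_id, text in events:
        m = DEP_RE.match(text) if event_id == 7001 else None
        if not m:
            continue
        service, dep, error = m.groups()
        dep_key = DISPLAY_TO_KEY.get(dep, dep)
        if dep_key in failed_drivers:
            # Root cause: a boot-start driver that never loaded (the 7026 event).
            report["driver_failures"][service] = dep_key
        elif error.startswith("No attempts to start"):
            # ERROR_SERVICE_NEVER_STARTED: the dependency was not started on
            # this boot at all; Safe Mode starts only a minimal service set.
            report["never_started"][service] = dep
    return report
```

Run on the quoted events it reports DNS Client and WRQ IAM as casualties of the Tcpip and Iamdrv load failures, and Computer Browser as waiting on a Server service that Safe Mode never started.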