BleepingComputer.com: Banker Trojan (unsrvc.exe) ... Take 2

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Banker Trojan (unsrvc.exe) ... Take 2 + Backdoor Agent (bpfvmo.exe)

#1 User is offline   DeLuk 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 206
  • Joined: 05-May 06
  • Gender:Not Telling
  • Location:Portugal

Posted 03 February 2008 - 02:33 PM

Greetings to the forum. :blink:

Making a long story short, as explained in this previous topic, our home PC got infected with a banker trojan (unsrvc.exe) and some other malware, and the preliminary cleaning as described caused Windows to get stuck in login/logoff loop. Having by now been able to solve the login/logoff loop, so I'd most appreciate your expert assistance, to rid of whatever remainders of the infection are leftover. (Charles, who was helping me before, advised me best to start a new topic now to save confusion.) I'll include next all logs/reports concerning the infection for your analysis/reference. (For any further details, if needed, do please refer to the previous topic.)

Preliminary HJT log
(Scan ran previously to starting with the preliminary cleaning.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:21:45, on 18-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

--
End of file - 6461 bytes

-----

As noted, C:\WINDOWS\system32\unsrvc.exe does not appear among the runnig processes after all. I take it then that, as I was assuming before, the act of denying unsrvc.exe to set as a startup entry via WinPatrol which caused the fake message window of FlashPlayer being installed to close should then equally cause the unsrvc.exe process to be terminated. Also no such entry O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice is present. Good twice, that WinPatrol was there watching over.

Previously I also ran a scan with HJT 1.99.1, before switching to the latest HJT 2.0.2, if by chance that log may be needed too for some reason, do please let me know. (The two logs do differ in some few lines.)

----------

SpyBot report


--- Report generated: 2007-12-18 17:09 ---

Troj.PrintSpool: Configurações (Chave do registo, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xsa3egycnya2d


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

----------

AVG Anti-Spyware (18-12-2007)

For some odd reason (and although yes, it is of course set to generate reports "Automatically after each scan"!) AVG Anti-Spyware did not generate a report for the scan made (at least I could not see/locate it)! (This is something I could actually notice also before in another computer.)

In any case here's the "report" from the quarantined files:

C:\WINDOWS\system32\bpfvmo.exe
C:\Brave\Download\image98i8.zip
3 .exe files + 1 .com file in System Restore

All 6 items identified as Backdoor.Agent.deu.

(I'm supposing that the .com file should relate to the file image-363.JPEG-wolf1_30_hotmail.com which was the actual file inside the archive image98i8.zip. Such file image-363.JPEG-wolf1_30_hotmail.com was initially also found on C:\Documents and Settings\q\Local Settings\Temp and, according to the analysis at virustotal.com by then, it was to be a copy of bpfvmo.exe. This file image-363.JPEG-wolf1_30_hotmail.com found on C:\Documents and Settings\q\Local Settings\Temp was at once removed when running CCleaner for the preliminary cleaning. Also BTW FYI C:\Brave\Download\ is just a personal downloads folder of my brother.)

----------

Panda Online ActiveScan report

Incident Status Location
Virus:W32/Agent.HKB.worm Disinfected C:\Documents and Settings\q\Os meus documentos\install_flash_player.exe
Virus:W32/Agent.HKB.worm Disinfected C:\WINDOWS\sysstr.sys
Virus:W32/Agent.HKB.worm Disinfected C:\WINDOWS\system32\unsrvc.exe
----------

Latest HJT log
(Scan ran after the preliminary cleaning as described and after now having fixed the login/logoff loop.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20:18, on 01-02-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

--
End of file - 6351 bytes

-----

Only difference to the preliminary log is indeed the entry F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice which is of course no longer present.

----------

Kaspersky Online Virus Scanner report
(Scan ran now, after the preliminary cleaning as described and after having fixed the login/logoff loop. Note: I'm including only the entries referring to infected files, to make it shorter. If those referring to all of the locked objects are needed too, though, please let me know, and I'll post the full report promptly.)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 01, 2008 9:31:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/02/2008
Kaspersky Anti-Virus database records: 545650
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 69587
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:24:47

Infected Object Name / Virus Name / Last Action

C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP15\A0005030.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP18\A0005234.exe Infected: Backdoor.Win32.Agent.deu skipped
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP18\A0005253.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped

Scan process completed.

----------

AVG Anti-Spyware (01-02-2008)

Also ran a new scan with AVG Anti-Spyware for reference. For some reason again it did not generate a report for the scan made! In any case here's again the "report" from the malware traces found:

3 .exe files in System Restore. One identified as Backdoor.Agent.deu and the other two identified as Downloader.VB.bzh.

----------

As noted, malware files are at this point only found in System Restore (which I know we'll rid of "for good" when in the final we reset System Restore, yes).

There's a couple of other infection-related files left, though: C:\WINDOWS\system32\iospc.sys (0 bytes, and reported by TrendMicro as being related to this infection) and C:\WINDOWS\system32\filetemp.tmp (please, refer to my initial post in the previous topic for why it is my believe that this file too is related to this infection). (On turn, luckily, no such file winsrvc.exe exists after all, a fact which in some way also goes to match with my "theory" by then; again, do refer to my initial post.)

Just ran a new scan at virustotal.com on filetemp.tmp and it is still not detected by no scanner at all.

Then again, if useful (even who knows eventually for any user reading this thread in the future), here's also the initial VirusTotal reports for both files unsrvc.exe and bpfvmo.exe when previously I submitted them for analysis (I'm though only including the results for the scanners which actually detected each of the analysed files, for keeping it more practical):

File C:\WINDOWS\system32\unsrvc.exe

File unsrvc.exe received on 2007.12.18 13:42:50 (CET)

Antivirus Version Last Update Result

AntiVir 7.6.0.45 2007.12.18 TR/Dldr.VB.bzh.1
DrWeb 4.44.0.09170 2007.12.18 modification of BackDoor.Generic.1629
Fortinet 3.14.0.0 2007.12.18 W32/VB.BZH!tr.dldr
F-Secure 6.70.13030.0 2007.12.18 Trojan-Downloader.Win32.VB.bzh
Ikarus T3.1.1.15 2007.12.18 Trojan-Downloader.Win32.VB.bzh
Kaspersky 7.0.0.125 2007.12.18 Trojan-Downloader.Win32.VB.bzh
Panda 9.0.0.4 2007.12.18 W32/Agent.HKB.worm
Prevx1 V2 2007.12.18 Heuristic: Suspicious Downloader
Symantec 10 2007.12.18 Downloader
VBA32 3.12.2.5 2007.12.17 suspected of Trojan-Spy.xBank.23 (paranoid heuristics)
Webwasher-Gateway 6.6.2 2007.12.18 Trojan.Dldr.VB.bzh.1

Additional informations
File size: 323584 bytes
MD5: 112fc78ad176d7076225450973ff1c7e
SHA1: ea806cc7040242c1c4aba5a55c99ccdc7a542918
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...EB606003EB66A0E

---

File C:\WINDOWS\system32\bpfvmo.exe

File bpfvmo.exe received on 2007.12.18 13:57:15 (CET)

Antivirus Version Last Update Result

AntiVir 7.6.0.45 2007.12.18 BDS/Agent.deu
AVG 7.5.0.503 2007.12.17 Obfustat.ACPM
CAT-QuickHeal 9.00 2007.12.17 Backdoor.Agent.deu
eTrust-Vet 31.3.5385 2007.12.18 Win32/Cotmonger.DN
Ewido 4.0 2007.12.18 Backdoor.Agent.deu
Fortinet 3.14.0.0 2007.12.18 W32/Agent.DEU!tr.bdr
F-Secure 6.70.13030.0 2007.12.18 Backdoor.Win32.Agent.deu
Ikarus T3.1.1.15 2007.12.18 Backdoor.Win32.Agent.deu
Kaspersky 7.0.0.125 2007.12.18 Backdoor.Win32.Agent.deu
NOD32v2 2729 2007.12.18 Win32/Agent.DBP
Panda 9.0.0.4 2007.12.18 Bck/Agent.HJU
Prevx1 V2 2007.12.18 Generic.Malware
Sophos 4.24.0 2007.12.18 Mal/Generic-A
TheHacker 6.2.9.162 2007.12.17 Backdoor/Agent.deu
Webwasher-Gateway 6.6.2 2007.12.18 Trojan.Backdoor.Agent.deu

Additional informations
File size: 98304 bytes
MD5: baa55c201b5acc6865a81031a43925a7
SHA1: 5376b3dff88cf0f7bf330e7a0dc00289ce25fa7d
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...DE82A00C015EE84

----------

Just in case, for reference, I also saved an HJT startup list, both previously to the preliminary cleaning and now; if by chance needed or useful for your analysis, just please let me know, and I'll post that as well. Both lists differ in actually only a couple items, as follows:

(previous to the preliminary cleaning)

Quote

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\unsrvc.exe -runservice

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Serviço de transferência inteligente em fundo: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Print Spooler Service: C:\WINDOWS\system32\bpfvmo.exe /service (disabled)


(current)

Quote

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Serviço de transferência inteligente em fundo: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


While Print Spooler Service: C:\WINDOWS\system32\bpfvmo.exe /service (disabled) is obviously gone in the current list, as so [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] > UserInit = C:\WINDOWS\system32\unsrvc.exe -runservice has been corrected to [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] > UserInit = C:\WINDOWS\system32\userinit.exe,; I do wonder why Serviço de transferência inteligente em fundo: %SystemRoot%\System32\svchost.exe -k netsvcs has since changed from "manual start" to "autostart" (is this a motive to worry over, or?...), as also what is actually the supposed default setting there (manual or auto)?...

Also, if there's any further info/detail I can provide to assist in your analysis of the whole issue?...

Other than that, I'd so truly appreciate your guidance, as to what is left to do, to clean the remainders of this double infection. (Just manually delete those two leftover files, filetemp.tmp and iospc.sys, and followingly reset System Restore? Any further cleaning tool/deeper scanner to run?) Most grateful for all help. :thumbsup:

This post has been edited by DeLuk: 04 February 2008 - 07:10 AM

#2 User is offline   OldTimer 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 11,083
  • Joined: 28-January 05
  • Gender:Male
  • Location:Holland Michigan USA

Posted 08 February 2008 - 08:36 PM

Hello DeLuk and welcome to the BC HijackThis forum. Everything in the log looks fine. No problems there. If an anti-virus or anti-spyware application is flagging a file as bad just have the application quarantine it. Occasionally they one worng but those two files are most assuredly not normal. As for the service, that should be on Automatic. It is the BITS service and is required to do various system functions.

It looks like you are good to go.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 User is offline   DeLuk 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 206
  • Joined: 05-May 06
  • Gender:Not Telling
  • Location:Portugal

Posted 10 February 2008 - 07:39 AM

Hello OldTimer, and thanks so much for your reply and final review of my case. :)

Quote

Everything in the log looks fine. No problems there.


Yes, I realized that the final HJT log showed no traces of malware action. :) I was only just wondering whether any further scanner might be needed to be run... :thumbsup:

Quote

If an anti-virus or anti-spyware application is flagging a file as bad just have the application quarantine it. Occasionally they one worng but those two files are most assuredly not normal.


My bit of concern is precisely that: that so far no scanner is yet picking this file filetemp.tmp. I mean, I have no idea whatsoever whether it has actual malware capabilities and what those may be, yet from what I could notice in both cases I faced, this file is indeed related to this unsrvc-trojan infection. (And that being the case, if in the end it ain't identified by no anti-malware scanner, then others who may get infected with this trojan may not get aware that also this file filetemp.tmp is one to be removed. Though then again, as I was saying, I really have no idea whether this file even presents any actual danger at all; maybe it even does not?...) Hmm, I wonder whether perhaps I should send a sample of it somewhere (maybe to Avast as it's the one anti-virus I use myself) for any further analysis, or something?... (As I was saying, I did submit the file for analysis at VirusTotal numerous times, but no scanner yet picked it...)

Anyways. So I've now manually deleted both those remaining files, iospc.sys and filetemp.tmp, as I did reset (disable/re-enable) System Restore following to that. I've as well by now deleted all quarantine backups that had been made along the cleaning process, namely SpyBot's and AVG Anti-Spyware's. And also I ran an additional scan with both Kaspersky Online Scanner and AVG Anti-Spyware, just to double check, and it came all clean now. :blink:

So, other than this, nothing further? Good to go, then? :)

Though, speaking of AVG Anti-Spyware, just a note to add that, curiously, it now did generate a report for the scan made! (So now that there's no malware there's a report, and when there was malware there was no report!? Odd, is it not!?) I do still wonder, what was it, causing the lack of reports, before?... And whether, whenever there'll be malware again, there'll be a scan report then?... (Is this some known bug resulting from some recent update or something, I wonder?... Ever experienced the same?...) Also, I do keep wondering, why are reports currently being saved in the Quarantine folder?... Shouldn't it be in the Reports one instead?... Or am I mistaken actually? Hmm... Oh well, think I'll maybe just settle with re-installing AVG Anti-Spyware from scratch, just to see whether that "odd behaviour" changes or remains or... Odd, indeed... :wacko:

Thanks so much, once again, for your time and guidance. :)

This post has been edited by DeLuk: 10 February 2008 - 07:44 AM

#4 User is offline   OldTimer 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 11,083
  • Joined: 28-January 05
  • Gender:Male
  • Location:Holland Michigan USA

Posted 10 February 2008 - 12:42 PM

Hi DeLuk. Yes, you are good to go. I have seen AVG not produce reports many times (even when there is no infection). I think it is a bug with AVG. It seems to be the upgrade to 7.5 where this is most prevalent. Prior version did not seem to have that issue.

It's hard to say what the filetemp.tmp file was for. If you still have it we could send it to VirusTotal or Jotti and see what they say. It might just be a miscellaneous file from an update or something where a current file needed to be replaced. Who knows.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 User is offline   DeLuk 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 206
  • Joined: 05-May 06
  • Gender:Not Telling
  • Location:Portugal

Posted 11 February 2008 - 05:10 PM

Hi OldTimer, and thank you again, for new reply. :thumbsup:

Regarding AVG Anti-Spyware, I see... That being the case, not worth the reinstall, then...

And with regards to that filetemp.tmp file, yes, I do still have it. As also sysstr.sys, another of the files related to this unsrvc-trojan (which I believe was perhaps a later "replacer" of iospc.sys) and which up untill now also ain't picked by any scanner (except Panda, currently detecting it as "suspicious file"). (I did keep all suspicious/malware files all backed up in password-protected archives, should them be required for any further analysis.)

Quote

If you still have it we could send it to VirusTotal or Jotti and see what they say.


Do you mean submitting the file for analysis at each of the websites? If so, I did just that, today again. Yet, both VirusTotal and Jotti still report nothing found for filetemp.tmp. Same result for sysstr.sys, as I was saying with the exception of Panda, which currently identifies this as "suspicious file"; only at VirusTotal though, at Jotti, however, Panda reports nothing found (odd, no? :wacko:).

Or do you mean submitting the file(s) to you/BC for you/BC to send it to VirusTotal/Jotti for any further analysis?...

Well, in any case, if at all useful, I'm pasting next (from my initial post in the previous topic) what I could "notice" with regards to both these files, filetemp.tmp and sysstr.sys:

Quote

As for filetemp.tmp, however, I do believe that it must be related with this trojan infection as well. Also sysstr.sys, although up untill now only Panda detects it as malware (currently it detects it as "Suspicious file", whereas previously it would detect it as Trj/Agent.HFM, the same as it has always detected unsrvc.exe), it must certainly be part of the infection too. Note: the first time I checked the properties of sysstr.sys, version tab, the original file name was "iospc.exe" and the internal name was "iospc", whereas on TrendMicro iospc.sys is reported as also being related to this trojan infection. (The file iospc.sys which exists in the laptop is currently a 0 bytes file. Yet perhaps sysstr.sys somehow had/has some relation with it?... Perhaps it's its "substitute" in the current "version" of this trojan infection?...) Also I did open the file sysstr.sys with Notepad (not sure whether that was even recommendable, or if it was a careless action?... I just wanted to check whether there was any "readable" hopefully helpful info in there), and among the "readable" lines there, this one did stand out: \ A F : \ F Y A S S \ P r o g r a m a ç ã o \ S p e c t r u m P r o j e c t 0 8 - 1 2 - 2 0 0 7 \ w s c r n t f y - W o r m \ S p e c t r u m A n t i - G B u s t e r \ A n t i G B u s t e r . v b p. spectrum.iitalia.com being the site to which unsrvc.exe always first attempts to connect, so I'm guessing this to somehow confirm that sysstr.sys must indeed be also related with this trojan infection, no?...

Also, I could notice that, meanwhile, both the properties and also file size of sysstr.sys have changed. As so did the filesize of filetemp.tmp.

I also by now noticed that, when booting while having the modem cable already connected, on the Temporary Internet Files folder, there appears the file url.txt (as TrendMicro also details it), and then almost always also the file config.rar, and sometimes also yet a third file, exe1.rar. (Analysing both rar files at virustotal.com, it reports nothing found for config.rar, and "Suspicious file" for exe1.rar by Panda, the same detection as for sysstr.sys.) Also I could notice that, if the file config.rar is created (downloaded from somewhere, right?), then the modification date and time of filetemp.tmp changes, to the same as the date and time of when the file config.rar has been created. (This is also why I believe that the file filetemp.tmp must indeed be related with this trojan infection too.) The same way, if the file exe1.rar is created (downloaded), then the modification date and time of sysstr.sys also changes, to the same as the date and time of when the file exe1.rar has been created. (If though only config.rar is created, and exe1.rar isn't, then respectively the modification date and time changes only for filetemp.tmp, and not for sysstr.sys.) As if those two rar files in the Temporary Internet Files folder were for updating the "corresponding" files in the Windows and System32 folders or something (config.rar for updating filetemp.tmp and exe1.rar for updating sysstr.sys, respectively)... Curiously, when the modification date and time happens to change for both files, then that of sysstr.sys always is 2 seconds later than that of filetemp.tmp (i.e. seemingly filetemp.tmp always get to be modified ahead of sysstr.sys). Curiously, also, each of the temporary rar files has only 2 bytes less in size than the "corresponding installed file" (latest config.rar is 8562 bytes while filetemp.tmp is currently 8564 bytes, and latest exe1.rar is 69632 bytes while sysstr.sys is currently 69634 bytes); plus, if opening each of those 4 files with Notepad, config.rar and filetemp.tmp appear to have the same "characters" contents except for config.rar having one less "blank line" at the end, and the same goes for exe1.rar and sysstr.sys which also appear to have the same "characters" content except for exe1.rar having one less "blank line" at the end too (so I suppose it's that one less "blank line" which makes the temporary rar files to be 2 bytes less in size than the "corresponding installed file", thus in the end config.rar and exe1.rar must indeed be copies of filetemp.tmp and sysstr.sys, respectively, meant for updating those files, no?)... (Note, however, that, although each time config.rar or exe1.rar are created it does always cause the modification date and time to change respectively for filetemp.tmp and sysstr.sys, I believe it does not necessarily cause the size of filetemp.tmp and the size and/or properties details of sysstr.sys to also change everytime, i.e. it's not like "the contents" of filetemp.tmp and sysstr.sys always gets "updated" everytime config.rar or exe1.rar get into the Temporary Internet Files folder; at least not from what I could notice anyway... Logically the "corresponding installed files", filetemp.tmp and sysstr.sys, must be due to get updated when actual updated versions of config.rar and exe1.rar are "released" by the server site, I guess, of course...)

...

Properties (Version tab) info details for sysstr.sys

File version: 3.3.0.4 (previously: 1.0.0.0)
Description: Deecttonee (previously: Dectone)
Copyright: DDeeccttooncee (previously: Dectone)

Comments: DDecctonne (previously: Dectone)
Company: DDecctonne SSollutiionnss (previously: Dectone Solutions)
Language: English (EUA)
Legal trademarks: Ddecttonee (previously: Dectone)
Original file name: syscom.exe (previously: sysstr.exe / before that: iospc.exe)
Product name: AntiGBuster (previously: Dectone)
Internal name: syscom (previously: sysstr / before that: iospc)
File version: 3.03.0004 (previously: 1.00)
Product version: 3.03.0004 (previously: 1.00)


(But these are perhaps even meaningless details, and the files, as you were saying, just miscellaneous ones and even harmless in the end anyway, moreover when they are orphaned, who knows?...)

Well, if anything else at all, let me know. And again, thank you greatly, for your assistance. :blink:

This post has been edited by DeLuk: 12 February 2008 - 06:33 AM

#6 User is offline   DeLuk 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 206
  • Joined: 05-May 06
  • Gender:Not Telling
  • Location:Portugal

Posted 12 February 2008 - 05:26 PM

An additional doubt, yet. I was searching some more, today, about this unsrvc-trojan, and came across this page at ThreatExpert, where it is referred that, besides the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run > unsrvc = C:\WINDOWS\system32\unsrvc.exe -runservice being created and the one HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon > Userinit = C:\WINDOWS\system32\userinit.exe, being modified to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon > Userinit = C:\WINDOWS\system32\unsrvc.exe -runservice as previously mentioned, supposedly this trojan also creates a few "Gbpsv" entries in the HKLM\System\<ControlSets and CurrentControlSet>\Services\ keys. Being not aware of that before, so I went to check it, via regedit, and indeed I could find such "Gbpsv" keys there. (All 4 keys found are just empty ones, though.) RegSearch log as follows:

----------

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 12-02-2008 12:06:38 for strings:
; 'gbpsv'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gbpsv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Gbpsv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Gbpsv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gbpsv]

; End Of The Log...

----------

From what I could read around (see SpyBot's forum), seems that such "Gbpsv" keys are actually also created by this G-Buster internet banking plugin (see CastleCops' info), which is to be legitimate. Also appears that previously SpyBot had been detecting such "Gbpsv" keys as malicious (mid January), whereas those which are created by this internet banking plugin are legitimate, thus SpyBot later corrected the false-positive in some recent update (late January). (I did, in the meantime, run a SpyBot scan, and it did not flag the "Gbpsv" keys in the registry.)

As no such G-Buster internet banking plugin is or has ever been installed in our computer, however, so I can only conclude that those "Gbpsv" keys which are found in our computer's registry must indeed have been created by the unsrvc-trojan. Thus I wonder whether those keys should be deleted? (I know those are now just meaningless orphaned keys, yet, should them be deleted nonetheless? After all they did only get there due to malware, and in the end, currently they're there for nothing anyways...)

(At this point I have to recall the "readable line" in the file sysstr.sys where it stood "Anti-GBuster". Certainly shows some "connection" between the two: the G-Buster internet banking plugin, and the "Anti-GBuster" banker trojan, which certainly should aim to bypass the security solution granted by such G-Buster plugin or whatever, in order to perform god knows what malicious actions. Argh! :thumbsup:)

This post has been edited by DeLuk: 13 February 2008 - 09:10 AM

#7 User is offline   OldTimer 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 11,083
  • Joined: 28-January 05
  • Gender:Male
  • Location:Holland Michigan USA

Posted 12 February 2008 - 05:56 PM

Hi DeLuk. If they are empty then they are doing nothing. They can stay or go, it doesn't really matter either way. Every scanner has its own quirks and emits false positives (calling good things bad) or saying bad things are Ok. There isn't a perfect one in the bunch. There are just too many variables for any one scanner to catch them all accurately. That's why almost every one is updated on an almost daily basis.

If the unsrvc is gone then I wouldn't worry about it anymore.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#8 User is offline   DeLuk 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 206
  • Joined: 05-May 06
  • Gender:Not Telling
  • Location:Portugal

Posted 13 February 2008 - 09:07 AM

Hi OldTimer, and thanks for further enlightenment. :)

Quote

If they are empty then they are doing nothing. They can stay or go, it doesn't really matter either way.


Yes, I know and understand that. :thumbsup:

Let's say, though, that I'd anyway wish to remove those unnecessary keys from the registry. I know that I could do that simply via regedit, by selecting each of the keys with a right-click and then choose to delete each of them, yes. I understand that I could, though, also have those keys be deleted by making myself (in Notepad) a regfix .reg file for that purpose, right? For the sake of learning, then, I wonder if I could request your expert guidance please, in making such a regfix .reg file for having those keys be deleted then? :blink:

(Or would you advise best to actually do it via regedit, in fact? :))

I understand that, for deleting a key, one must add a minus sign ( - ) in front of that respective key, correct? Now, I wonder though what "header" I should use for the purpose of deleting such keys: should it be "Windows Registry Editor Version 5.00" or "REGEDIT4", i.e. should the regfix file be done like this?...

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gbpsv]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Gbpsv]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Gbpsv]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gbpsv]


Or like this?...

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gbpsv]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Gbpsv]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Gbpsv]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gbpsv]


Or would that actually be irrelevant for this particular purpose of deleting these specific keys? (And may I ask, what actually is the difference of sometimes using one "header" and other times using the other? I wondered about this before and Blender was explaining me then that it's important to use the proper header so registry reads the information properly... What then makes each of the headers to be the proper one for each specific occasion/purpose?...)

Thank you so greatly for your patience with my layman-questioning... :wacko:

#9 User is offline   OldTimer 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 11,083
  • Joined: 28-January 05
  • Gender:Male
  • Location:Holland Michigan USA

Posted 13 February 2008 - 10:14 AM

Hi DeLuk. Either one of those registry files would work on XP. Version 4 files are from 98/NT and work on 98/NT as well as XP and above. Verison 5 files only work on XP and above (well actually 2K also but 2K did not include regedit by default). The difference between the two is that version 4 exported/imported in ANSI while version 5 exports/imports in Unicode. It doesn't matter until you start importing/exporting values that are multi_sz, hex, or expanded values.

Do a little Googling and there is alot of information regarding the various formats and requirements. I do not have the time nor is this the proper forum to go into an indepth explanation of registry formats or their use. The XP forum would be more appropriate for that.

Unless there are any continuing malware related issues to resolve I will close this topic.

Cheers and Happy Computing.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#10 User is offline   DeLuk 

  • Forum Regular
  • PipPipPip
  • Find Topics
  • Group: Members
  • Posts: 206
  • Joined: 05-May 06
  • Gender:Not Telling
  • Location:Portugal

Posted 13 February 2008 - 11:55 AM

Thank you again, OldTimer, for prompt reply, and additional explanations. :) And sorry myself, for the bit of additional asking. Not at all I meant to abuse of your time. Just indeed wanted to have a general idea on the matter to double make sure that, making the regfix file one way or the other, I wasn't risking doing anything wrong... :wacko: So thanks so much once more, for confirming that for me, and yet the general explanation with regards to my question. :)

Other than that, yes, topic may be closed. Having now deleted those last remaining malware-related "Gbpsv" registry entries, (as far as I can notice) all malware issues are by now resolved, yes. :)

Cheers and happy computing back to you! :thumbsup: And thank you so greatly, one last time, for your time and patience and all help, thank you truly! :blink:

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users