Files Recreate Themselves And Registry Keys Won't Stay Deleted!


2 replies to this topic

#1 ICKIER

ICKIER

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 07 April 2008 - 09:53 PM

Recently ran across a friend's computer that was jacked up with WLEntry commands everywhere in the registry. Two main areas where the keys would not stay either deleted or edited were exefile/shell/open/command and hklm/software/microsoft/command processor. Also in the temp directory were a dll, drv and sys file that claimed to be "Install SQL cabs" that would not stay deleted. Both these files and the registry keys, if you deleted them, came back with randomly generated filenames.
I'm stumped. First post.
Rather than a lengthy log posting, since I'm fairly good at knowing what's good and what's bad, I'm only displaying areas I know are bad, hoping it's enough for someone to direct.
If not, instruct me and I'll patiently wait for a response.

"Silent Runners.vbs", revision RED (R28) (Echo output), launched at: 20:06
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"eeojrsmb" = "rundll32.exe "C:\WINDOWS\system32\cgdokbdkm.dll" WLEntryPoint"


HKLM\SOFTWARE\Microsoft\Command Processor\
INFECTION WARNING! "AutoRun" = "rundll32.exe "C:\DOCUME~1\Andrew\LOCALS~1\Temp\gesadiognto.sys" WLEntryPoint"

#2 Orange Blossom (Moderator)

Posted 09 April 2008 - 12:43 AM

Hello ICKIER,

In order to assist you, we need additional information.

What is your operating system: Windows XP, Vista, etc.?

What security programs do you have installed? Please name them.

What symptoms is the computer experiencing? Please describe.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 ICKIER (Topic Starter)

Posted 09 April 2008 - 01:28 PM

XP Pro SP2
Norton Corp Anti Virus

Internet Explorer would only land on a site if that site was listed as the home page.
If IE was open on the home page and any website was typed in to jump to, it would lock up and never reach the site. Any site used as the home page would be reachable, but any links on that site would not be.

With the frustration, I just went ahead and reinstalled the OS.

So is Command Processor a new place to hide startups?
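The `AutoRun` value under `HKLM\SOFTWARE\Microsoft\Command Processor` (and its HKCU twin) is not new: cmd.exe has long executed whatever command that value holds every time a command prompt starts, unless it is launched with `/D`. That makes it a quiet persistence point, since it fires without a Run key or startup folder entry. The script below is an added example, not code from the thread or from BleepingComputer. It audits, read-only, the locations named in this thread (Command Processor AutoRun, exefile\shell\open\command, Policies\Explorer\Run) plus the ordinary Run keys, and flags values that match the pattern seen in the Silent Runners output above: rundll32 loading a .dll/.sys/.drv by an exported entry point, or anything launched from a Temp directory. The registry paths and the `"%1" %*` default for exefile are standard Windows values; the flagging heuristics and the output file name are assumptions of this example.

```powershell
# Added example (not from the thread): read-only audit of registry autostart locations.
# Run from an elevated PowerShell prompt on the suspect machine.

# Single-value locations with a known-good expectation ($null = value is normally absent).
$singleValueChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Command Processor'; Name = 'AutoRun'; Expect = $null }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Command Processor'; Name = 'AutoRun'; Expect = $null }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)'; Expect = '"%1" %*' }
)

# Multi-value "Run"-style keys: every value under them is a startup command.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RegValueSafe {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Heuristic (assumption): rundll32 loading a .dll/.sys/.drv by an exported entry point,
    # the shape of the "WLEntryPoint" lines in the Silent Runners log.
    if ($Command -match '(?i)rundll32(\.exe)?\s+"?[^"\s]+\.(dll|sys|drv)"?[\s,]+\w+') { return $true }
    # Heuristic (assumption): anything launched out of a Temp directory.
    if ($Command -match '(?i)\\Temp\\') { return $true }
    return $false
}

function Get-AutostartFindings {
    $findings = @()
    foreach ($c in $singleValueChecks) {
        $value = Get-RegValueSafe -Path $c.Path -Name $c.Name
        if ($null -ne $value -and $value -ne $c.Expect) {
            if ($null -eq $c.Expect) { $reason = 'value is normally absent' }
            else                     { $reason = "expected $($c.Expect)" }
            $findings += New-Object PSObject -Property @{
                Location = "$($c.Path) [$($c.Name)]"; Value = $value; Reason = $reason
            }
        }
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSChildName metadata
            if (Test-SuspiciousCommand ([string]$p.Value)) {
                $findings += New-Object PSObject -Property @{
                    Location = "$key [$($p.Name)]"; Value = $p.Value; Reason = 'matches rundll32/Temp heuristic'
                }
            }
        }
    }
    return $findings
}

# Print the findings and snapshot them, so a second run after cleanup shows whether the
# entries were re-created under new random names (the symptom described in this thread).
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$findings = Get-AutostartFindings
$findings | Format-Table Location, Reason, Value -AutoSize
$findings | Export-Clixml -Path "autostart-findings-$stamp.xml"
```

Treat the output as a review list rather than a verdict: some legitimate software does register rundll32 entries. The more telling signal in this thread is not the key itself but its re-creation: if a value reappears with a new random name after deletion, a running process (or driver, given the .sys in Temp) is restoring it, and that process has to be identified and stopped, for example from an offline boot environment, before registry cleanup will stick. `New-Object PSObject` is used instead of `[pscustomobject]` so the script also runs on the PowerShell 2.0 that XP-era machines have.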