regedit32 and regedit.exe malware can't delete

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by juvix8888, Nov 11, 2009.

  1. juvix8888

    juvix8888 Private E-2

    I cannot for the life of me get rid of this malware.

    It is in my Run folders as regedit.exe and restorer32_a... HijackThis got rid of all of them except regedit, but then one or two came back... Can't do it from the registry either.

    Would someone educated on logs please answer back and tell me where to start on this issue... or even walk me through the process? Can I post a log on here?

    James
     
  2. juvix8888

    juvix8888 Private E-2

    Need Help after Read and Run Please

    I was having Google redirects and all of that... then my computer wouldn't restart.
    I noticed regedit.exe, restorer32_a.exe and userini.exe in HijackThis, and Avast said Windows Alureon was the issue.
    I tried cleaning with everything in safe mode. HijackThis or Malwarebytes couldn't delete the Run registry entries; they would just reappear.
    Then eventually my computer restarted and said it was shut down wrong, so it tried to repair at startup. It did a system restore and was functional.

    NOW I'm here. I did the complete Read Me and Run Me.
    Any help would be greatly appreciated.
    Here are the logs:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/11/2009 at 10:55 PM

    Application Version : 4.30.1004

    Core Rules Database Version : 4263
    Trace Rules Database Version: 2148

    Scan type : Complete Scan
    Total Scan Time : 01:21:37

    Memory items scanned : 756
    Memory threats detected : 0
    Registry items scanned : 6777
    Registry threats detected : 11
    File items scanned : 40386
    File threats detected : 3

    Adware.XML Parser-AIE/Crypt
    HKU\S-1-5-21-216218854-98696775-555611961-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF021806-DC46-37B4-8C88-91EB9A6E1B0B}
    HKCR\CLSID\{CF021806-DC46-37B4-8C88-91EB9A6E1B0B}
    HKCR\CLSID\{CF021806-DC46-37B4-8C88-91EB9A6E1B0B}
    HKCR\CLSID\{CF021806-DC46-37B4-8C88-91EB9A6E1B0B}\InprocServer32
    HKCR\CLSID\{CF021806-DC46-37B4-8C88-91EB9A6E1B0B}\InprocServer32#ThreadingModel
    HKCR\CLSID\{CF021806-DC46-37B4-8C88-91EB9A6E1B0B}\ProgID
    HKCR\CLSID\{CF021806-DC46-37B4-8C88-91EB9A6E1B0B}\VersionIndependentProgID
    HKCR\D.1
    HKCR\D.1\CLSID
    HKCR\D
    HKCR\D\CLSID
    C:\WINDOWS\SYSTEM32\XWR41105.DLL

    Trojan.Agent/Gen
    C:\WINDOWS\TEMP\BNA15D.TMP

    Trojan.Agent/Gen-ER
    C:\WINDOWS\TEMP\VRT3DAE.TMP
     

  3. juvix8888

    juvix8888 Private E-2

    Re: Need Help after Read and Run Please

    And here is the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.41
    Database version: 3153
    Windows 6.0.6002 Service Pack 2

    11/11/2009 11:10:41 PM
    mbam-log-2009-11-11 (23-10-41).txt

    Scan type: Quick Scan
    Objects scanned: 97893
    Time elapsed: 4 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\Temp\VRT16AD.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
     
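    To make logs like the two above easier to triage, here is an added example (not code from this thread or from either scanner's vendor) that pulls the summary counts and the detection entries out of Malwarebytes 1.x and SUPERAntiSpyware log text; the embedded excerpts are constructed from the logs posted here and trimmed to a few lines. It assumes Python 3.8 or later.

```python
import re

# Constructed, trimmed excerpts of the two logs posted above in this thread.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.41
Files Infected: 1

Files Infected:
C:\Windows\Temp\VRT16AD.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
"""
SAS_LOG = r"""SUPERAntiSpyware Scan Log
Registry threats detected : 11
File threats detected : 3

Adware.XML Parser-AIE/Crypt
HKCR\CLSID\{CF021806-DC46-37B4-8C88-91EB9A6E1B0B}
C:\WINDOWS\SYSTEM32\XWR41105.DLL

Trojan.Agent/Gen
C:\WINDOWS\TEMP\BNA15D.TMP
"""

COUNT = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\d+)$")        # "<label>: <n>" or "<label> : <n>"
MBAM_HIT = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")     # "<item> (<threat>) -> <action>"
SAS_ITEM = re.compile(r"^(HK[A-Z]{1,2}\\|[A-Za-z]:\\)")    # registry key or file path

def parse_mbam(text):
    """Return (summary counts, detections) from a Malwarebytes 1.x log."""
    summary, hits = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if m := MBAM_HIT.match(line):
            hits.append({"item": m.group(1), "threat": m.group(2), "action": m.group(3)})
        elif m := COUNT.match(line):
            summary[m.group(1)] = int(m.group(2))
    return summary, hits

def parse_sas(text):
    """Return (summary counts, detections) from a SUPERAntiSpyware log.
    Blocks are blank-line separated: threat name first, then one item per line."""
    summary, hits, threat = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            threat = None                      # a blank line closes the block
        elif m := COUNT.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif SAS_ITEM.match(line) and threat:
            hits.append({"item": line, "threat": threat})
        elif not SAS_ITEM.match(line):
            threat = line                      # first line of a block names the threat
    return summary, hits
```

    Comparing `len(hits)` against the log's own count is a quick sanity check that nothing in the detection section was missed by the parser.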
  4. juvix8888

    juvix8888 Private E-2

    Google redirects was only the beginning. Please Help.

    I was having Google redirects, then my computer wouldn't restart.
    I noticed regedit.exe, restorer32_a.exe and userini.exe in HijackThis, and Avast said Windows Alureon was the issue.
    I tried cleaning with everything (Spybot S&D, Avast, Malwarebytes) in safe mode. HijackThis or Malwarebytes couldn't delete the "Run" registry entries. They would just reappear.
    Eventually my computer restarted and said it was shut down wrong, so it tried to repair at startup. It did a system restore and was functional.

    NOW I'm here. I did the complete Read and Run Me.
    Any help would be greatly appreciated.

    Here are the 2 logs that I mistakenly pasted in my other post.
    The other 3 logs are at this post:
    http://forums.majorgeeks.com/showthread.php?t=203021

    Sorry for the choppy post. Thanks a lot.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your 3 separate threads were merged into one thread. Please do not keep starting new threads for the same problem on the same PC. Stay in one thread. Make your post and wait for an answer because bumping will cost you further delay in getting an answer. See this: Don't Bump! It Only Hurts You!!!

    Also remember that ALL LOGS must always be attachments.

    Other than what has already been removed, your logs are clean. You need to stop playing with HijackThis and deleting things on your own before you break your PC again. regedit.exe and userinit.exe are required Windows system files. restorer32_a.exe however is not valid but does not exist in your logs.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to Add/Remove Programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
    Last edited: Nov 13, 2009
  6. juvix8888

    juvix8888 Private E-2

    I am still getting Google redirects though.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then do the below.

    First right click on C:\MGtools\analyse.exe and select Run As Administrator. Does Trend Micro HijackThis run? You may need to click on the Accept button to accept the license agreement. YOU MUST click the Accept button twice (yes twice!!! It's a bug.) You can close it down afterwards. I just want to make sure it runs and you have accepted the license since it was not showing in your MGtools log.

    Now download (to your Desktop) the new version of combofix.exe then double click on it to run it.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! If you are still being redirected, where are you being redirected to, and does it happen with all browsers?
     
  8. juvix8888

    juvix8888 Private E-2

    I've restarted a couple of times since then and the problem hasn't popped up again.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then complete the final steps given in message #5.
     