Registry is messed up

By JesseM · 34 replies
Jan 1, 2008
  1. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    Hmmm.. I can tell you where I see issues and remnants of the infection. And I can tell you where I would look and what I would do if I were the one scrubbing my own system clean… But don’t know if that’s the best advice for you, as I don’t know how much experience you have prowling around the internals and judiciously creating backups and restore points to recover should you make a mistake (happens to even the most experienced)

    So, consider submitting an HJT log again. The people trained to review them are also familiar with automated tools to fix the problems (i.e. they’re not as dangerous as manually going under the hood to fix everything). And are you sure you submitted an HJT log before? I see some entries that “scream” infection. I wouldn’t think the regular HJT reviewers could miss them.

    All that said, here’s where I see problems and where I’d also go checking
    • As I understand HJT logs, you’re win.ini file has been hacked. It contains instuctions to load and run scvhost.exe. I’d scrub the win.ini file. And I’d also look at sys.ini just to be cautious.
    • Scvhost has also been hacked into the Local Machine Group Policy so it's run at user logon (HKLM\..\Policies\Explorer\Run). I’m guessing is ok to delete this single key but is just my guess. Can’t say for certain.
    • You have a hosts file entry that maps all requests for domain to IP (It will always be mapped here and not by a Domain Name Server). Don’t know if this is a legit entry (but that domain isn’t resolved by DNS when I tried it. Maybe is an old one you once registered?)
    • I’d also scan the registry for any references to scvhost
    • And check the Winlogon value for userinit.. I didn't see it in HJT after all.
    • Not sure what you meant when you say you scanned for explorer.exe and found four identical references to C:/Windows/explorer.exe.. You checked the option to “Include non-indexed, hidden and system files” right? Did you mean the “Name” the search return included the string explorer.exe (e.g. explorer.exe.lnk). Could you copy/paste the four references?
  2. JesseM

    JesseM TS Booster Topic Starter Posts: 220

    Thanks so much for the advice.

    I have actually never submitted a HJT log, and I am not familiar with how to do so.

    The DNS thing is something I made a while back, so it shouldn't be a problem.

    I scanned the registry for scvhost and I think I found the source of the problem, but I'm not sure how I'd go about fixing it. The location of the two references were:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
    These values both point to C:\Windows\system32\scvhost.exe

    The Winlogon value for userinit is userinit.exe, should be fine.

    The search for explorer.exe, with non-indexed hidden files included, returned with four nearly identical 'explorer.exe' instances. I looked through their properties and found that they are located in different places:
    explorer.exe - C:\Windows
    explorer.exe - C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb
    explorer.exe - C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a
    explorer.exe - C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf
  3. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Those entries for scvhost.exe should have shown up in HKCU /Run Tab
  4. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    1. Your registry search only found it in two places?? I was expecting at least three. Could you manually check for the registry key (and any values) for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    2. Have seen this is the type of infection that hooks itself into many, many different places (not just Winlogon) to try and make sure it is always re-started. (I had to scrub the Vundo trojan one time. It also hooks itself into many places but it also keeps changing the startup filename!)

      The problem with Startup Control Panel is it only checks for startups in a very limited number of places (e.g. it doesn't look at Winlogon or Local Group Policies where this thing appears plus other spots) Which only makes me say "DUH". Don't know why i didn't tell you to use Autoruns. You can download and run it. Pretty intuitive user interface but just look for now. Don't uncheck any boxes or make any changes yet.
    3. Just to double check.... When you looked at Winlogon/Userinit was userinit.exe the only thing there? No parameters, or commas, or anything else appear after it?
    4. I'm also expecting to find scvhosts appearing as a text string within your C:\Windows\win.ini file. Don't have access to Vista machine right now but know you can have it search for strings in files (will take awhile to run). Could you search for scvhost as a string?
    The instructions for fix should be straight forward now i think. Can discuss tomorrow if you could pls check first for things above.
  5. JesseM

    JesseM TS Booster Topic Starter Posts: 220

    I actually didn't search beyond the two instances I found before. Here is a list of all 7 results after searching for scvhost.exe:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run\Generic Host Process
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Generic Host Process
    HKEY_USERS\S-1-5-21-3138149437-1689907971-922131132-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    HKEY_USERS\S-1-5-21-3138149437-1689907971-922131132-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
    HKEY_USERS\S-1-5-21-3138149437-1689907971-922131132-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run\Generic Host Process

    I have downloaded and run Autoruns. I'm not quite sure what to do with this right now.

    You are right, I didn't catch it but there is a comma after 'userinit.exe,'

    I am not sure what you mean when you say "Could you search for scvhost as a string?" I searched for scvhost and checked the "Match whole string only" box and nothing came up. I'm guessing I did this wrong.
  6. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    Some general notes and then some things about cleanup
    • Should you suspect an infection some other time, here’s a link to Viruses/Spyware/Malware, preliminary removal instructions. It includes instructions about running/posting HijackThis logs to get assistance. The people who regularly review HJT logs are also familiar with a variety of automated spyware removal scripts which can make the clean-up job easier.
    • The Autoruns tool provides a wealth of data about all the places where things are being started/run on your computer but can be to the point of an overwhelming amount of information if you’re not familiar with it. On the other hand, all this data is particularly helpful when looking for infections that aren’t using the more common Windows startup methods.
    • Startup Control Panel, also suggested, is also a great tool (I use it as well). Its interface is much simpler and it’ll help you see/control startups found in the more typical Windows locations. These are the locations generally used by vendors and applications you download that start things you don’t really want/need. It’s the nasty infections that use the less typical locations.
    • Although the infection on your computer hooks itself into many different startup locations (including those lessl typical ones), it appears they all try to start the same scvhost.exe executable which, luckily, Spybot already removed. That’s a plus, cause you can be sure one of the first things the executable does is reinsert all of its hooks.
    So, for cleaning up what ‘s still lying around on your system:
    1. Purge scvhost.exe from Spybot. Open Spybot, Click Recovery, select scvhost.exe (and any other relevant) entries. Click Purge
    2. Do a full system backup to be sure you can always recover in case of anything while you try to scrub clean (Recommend something that can do a full disk image backup/restore like Symantec Ghost or Acronis True Image. Personally, I like Acronis.. and you can get a 15day free trial if you want to download/try/use it first before buying.
    3. Start HijackThis. (It should be version 2.0.2)
      • Run a scan and save a logfile
      • I’m expecting the scan output to include the following 3 lines but search for any other instance of scvhost as well.
        • F3 - REG:win.ini: load=C:\Windows\system32\scvhost.exe
        • F3 - REG:win.ini: run=C:\Windows\system32\scvhost.exe
        • O4 - HKLM\..\Policies\Explorer\Run: [Generic Host Process] C:\Windows\system32\scvhost.exe
      • Check the box next to each of the 3 lines
      • Click Fix Checked
      • Run another scan and there shouldn’t be any references to scvhost
    4. Start the Autoruns tool
      • Look at the status it displays in lower left corner of the Autoruns window. Wait until it shows Ready.
      • It is now displaying all startup locations that apply to the current user. Click Users in the menu bar across top of window to see and select the different startups which apply for each user.
      • Click the Everything tab (to see everything) for the current user. Select the first line of the display to position the search at the beginning. Then hit Ctrl-F and find the entry for Userinit
      • Select and right-click userinit.exe entry. You’ll see a context menu. Left-click on Verify to verify this is Microsoft executable. Repeat for each user.
      • fyi. You could have also Autoruns to search/clean the scvhost entries. Unchecking the item in Autoruns disables the line item. Highlight and right click the item to select delete and get rid of it.
    5. Reboot your machine. I believe your startup should be back to normal
    6. Once you’ve verified all is good, delete all your old system restore points! This assures you don’t accidentally reinfect yourself via a System Restore operation.
  7. JesseM

    JesseM TS Booster Topic Starter Posts: 220

    The errors no longer pop up! One question: what did verifying the userinit entries do?

    Thank you so much for your time and dedication!
  8. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    Hey, you’re most welcome. We’re all happy to be able to help. As for your question…

    One of the big security holes in Windows (going back to Windows 95) was a hacker’s ability to replace a Windows system file with their own (i.e. same directory, same file name but, in fact, the hacker's executable).

    As MS released subsequent operating systems, they developed and tried improving on operating system methods to try and detect when system files were changed. Once detected, the operating system restores the original version. (In Vista, protected versions are kept in the %windir%\winsxs directory and used to restore changed versions.)

    This feature has evolved with names like “Windows File Protection (WFP)” and “System File Checker (SFC).” My post #15 in this thread has the syntax to run the sfc command to scan your system files immediately and make corrections

    Since your infection had already touched Winlogon/Shell in your registry, the intent was to make sure the Userinit entry and the userinit.exe program itself weren't also hacked. In theory, WFP should be checking/correcting things periodically but, in the past, WFP has been disabled or otherwise defeated by some infections.

    Using Autoruns to do an “on the spot” verify that Winlog/Userinit pointed to a Microsoft authored executable was an added layer of precaution.

    Fyi.. If Autoruns checks a file and comes back “Verified”, the file is from the indicated publisher. However, if it says “Unable to Verify” that doesn’t necessarily indicate the file is bogus. (Most files from MS do verify, tho i don't believe all do.)
  9. JesseM

    JesseM TS Booster Topic Starter Posts: 220

    Thank you for the information, I will keep that in mind for future reference.

    However, today, for the first time since my last post, I got the "Cannot load scvhost.exe" again when I logged on. Very weird. I searched my registry for scvhost and nothing turned up. However, I had a new startup item that executed the file 'C:\Windows\system32\wuur.exe' and after a trip to Google I was quite sure I was looking at some kind of malware. I searched for wuur.exe and turned up with one result, which I deleted.

    The funny thing is, the only difference between the last time I logged in and the time I got the message today is the fact that I updated iTunes, which automatically added various obnoxious startups like QTTask.exe.
  10. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    Getting a "cannot load scvhost" message again is not good (let alone the other problem you indicated)

    Suggest two things
    1) Do a step-by-step through the Viruses/Spyware/Malware removal instructions AND run a new HJT log and post as is also indicated in those instructions for others to review.
    2) But, am curious, and ask you do the following to make sure you "see everything" and search through file contents as well as file/folder names.

    Click Control Panel -> Folder Options -> View. Then Set or Clear each of the following settings as indicated
    • Set Show hidden files and folders
    • Clear Hide extensions for known file types (i think it just helps to see file extensions when you're trying to spot problems)
    • Clear Hide protected operating system files
    Click Apply and then, still in Folder Options, click the Search tab.
    • Set Always search file names and contents
    • Set Include subfolders when typing
    • Set Find partial matches
    • Set When searching non-indexed locations include sys directories and
    • Set Include compressed files (this setting will really make it sloooooowwwww)
    Click OK and be advised your Searches with these settings will be very sloooooowww while it searches every folder name, file name and contents of each file. (i.e. Slow as in you might want to let it run overnight am guessing.) You can restore the settings when done searching for scvhost

    Now you can first open Autoruns. When it;s done scanning, position cursor on first entry displayed. Hit Ctrl-F to "Find" find any first instance of scvhost. After any first match, you can keep hitting F3 to "Find Next" match(s).

    Then have Vista do a Search for scvhost without the .exe this time since we set partial matches. Your computer is now set to look inside a file for the string scvhost as well as in the filename. (if you were to do opt for Vista Advanced Search you can accomplish same without changing Folder Options but figure show you folder settings available as well)

    This was the intent of my search request in a much earlier post. This looks for scvhost started indirectly (i.e. a script (or similar) is called with a non-suspicious file name. scvhost is inside the script and started within the script)

    Bottom line is you should follow the removal instructions and post an HJT log per the link i included above. But am curiouis what you might find by doing these searches first (and maybe it's some new stuff for you to know if it's unfamiliar stuff)
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...