
trouble with msconfig, regedit, three finger salute..


cjc_75 (Member, joined Oct 18, 2001, Alberta, Canada)
Hi folks,

I started having a problem when I try to open msconfig, regedit, Ctrl+Alt+Delete. The windows open then immediately close. The C+A+D goes to the toolbar briefly (1 sec) then disappears.

I'm using WinXP Pro (no SP). I've turned Norton auto scan on and off. It just started happening 2 days ago and I can't seem to do anything about it.

Thanks
C
 
cjc_75 said:
Hi folks,

I started having a problem when I try to open msconfig, regedit, Ctrl+Alt+Delete. The windows open then immediately close. The C+A+D goes to the toolbar briefly (1 sec) then disappears.

I'm using WinXP Pro (no SP). I've turned Norton auto scan on and off. It just started happening 2 days ago and I can't seem to do anything about it.

Thanks
C

Sounds like a nasty virus. Try running a current and updated Norton virus scan in safe mode with System Restore turned off and see what it finds. Norton does not always find those nasty buggers in standard mode.
 
This can also be caused by a corrupted install of a pop-up blocker. If you have any installed you may want to uninstall it. But the first thing I would try is what TranceBear suggested.
 
Well, this is what I came up with. Norton wouldn't pick them up. I ran a Trojan scan program too with no results.

C:\WINDOWS\system32\dbentry.exe->(PaquetBuilder)->explorer.sys - IRC/Generic* -> Suspicious

C:\WINDOWS\system32\dbentry.exe->(PaquetBuilder)->frntok.exe - Tool:HideWindows -> Infected

I guess I'll try a Google search on how to remove them.

C
 
HideWindows seems to be the culprit. The IRC one is related.

See the info below, provided by hackbox.com:


Virus : Worm/Trojan "Randon" Threatens Port 445
Posted by geokas on 2003/3/9 15:23:50

A new blended worm/trojan threat appears. Kaspersky Labs, an international data security software developer, reports registered infections at the hands of the new network worm "Randon". Kaspersky Labs has already received several incident reports from both Russia and the Netherlands connected with this malicious program.

"Randon" spreads via IRC channels and local area networks and infects computers running Windows 2000 and Windows XP. To penetrate computer systems the worm registers itself on the IRC server (or local area network), scans for all present users, connects to victim computers via port 445 and attempts to gain access by using a fixed list of the most commonly used passwords. When "Randon" manages to successfully break in, it proceeds to transmit to this system the Trojan program "Apher", which then, from a remote web site, loads the worm's remaining components (a total of 13 files, including a full-fledged mIRC client for work with IRC channels).

"Randon" installs its components to the Windows system directory, registers its main file and the mIRC client in the Windows registry auto-run key, and then executes them. To keep its activities secret, "Randon" uses a special utility called "HideWindows", which is also part of the worm. "HideWindows" renders the worm invisible to victims and its active processes can only be detected in the Windows task manager.

Fortunately "Randon" does not carry out any destructive functions. Collateral effects on infected machines include a high volume of redundant or excess traffic and the flooding of IRC channels. To defend against this worm it is enough to load an updated anti-virus program, install a personal firewall such as Kaspersky Anti-Hacker, or use long access passwords.

The defense against "Randon" has already been added to the Kaspersky Anti-Virus databases.

A more detailed description of the "Randon" worm can be found in the Kaspersky Virus Encyclopedia. HNS copy: http://www.net-security.org/virus_item.php?id=4433

[source] -> HNS
 
Here's some more reading about the virus:

Worm.Win32.Randon


Virus analysis provided by Kaspersky Lab


Randon is a Virus-Worm distributed via IRC-channels and LANs with shared resources.

When executed, this worm installs its components into the subdirectory zxz and/or zx in the Windows system directory and registers its main file and the mIRC client in the Windows registry auto-run key (below):


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updateWins

Randon then executes the above key and hides the process via the HideWindows utility. Randon connects to the IRC server and executes its scripts. In addition to DDoS attacks and IRC channel flooding, Randon scans port 445 of other IRC clients.

Distribution
Upon detection of an open port 445, the worm runs the batch files sencs.bat and incs.bat, which try to locate open resources on the remote computer and connect to them using one of the following passwords:


"admin", "administrator", "root", "admin", "test", "test123", "temp",
"temp123", "pass", "password", "changeme"

If a connection is successful the worm opens a socket on port 445, transfers the trojan horse TrojanDownloader.Win32.Apher.gen and runs it. This trojan downloads a self-extracting archive of the worm's 'full' version from "www.q8kiss.net" and installs it in the system.
Additional information
The Randon worm consists of the following components:


Deta.exe - HideWindows utility (Win32 EXE file)
fControl.a - an IRC script (port scanning and infecting remote computers)
IfControl.a - an IRC script (IRC channel flooding and DDoS attacks (pinging different addresses))
incs.bat - BATCH file (LAN resources password cracker)
Libparse.exe - the "PrcView" utility (Win32 EXE file)
psexec.exe - the "PsExec" utility (Win32 EXE file)
rcfg.ini - IRC INI file (loading other scripts)
rconnect.conf - configuration file
reader.w - list of nicknames used by the worm to establish connection with IRC channels
Sa.exe - TrojanDownloader.Win32.Apher
scontrol.a - helper IRC script
sencs.bat - BAT file (this file is transferred to the remote computer to perform TrojanDownloader execution)
systrey.exe - renamed mIRC client (Win32 EXE file)
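
The two write-ups above give a responder concrete things to look for: the port-445 password guessing from the hackbox.com article, and the zxz/zx drop directories, the updateWins auto-run value and the component file names from the Kaspersky component list. The Python script below is an example added to this thread (it is not Kaspersky's or the poster's code). It parses a regedit export of the Run key and a system32 file listing and reports Randon indicators. The .reg text and the file list are constructed sample input; the path the updateWins value points to is an assumption, because the write-up names the value but not the file behind it.

```python
"""Check a regedit export and a system32 file listing for the Worm.Win32.Randon
indicators listed in the Kaspersky write-up quoted above (added example, not
Kaspersky's or the poster's code; all sample input below is constructed)."""
import re
from typing import Dict, List

# Indicators taken from the Kaspersky analysis quoted in the thread.
RANDON_RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RANDON_RUN_VALUE = "updatewins"          # value name, compared case-insensitively
RANDON_DROP_DIRS = {"zxz", "zx"}         # subdirectories created under system32
# Component names specific enough to the worm to count as strong indicators.
RANDON_FILES = {"deta.exe", "fcontrol.a", "ifcontrol.a", "incs.bat", "rcfg.ini",
                "rconnect.conf", "reader.w", "sa.exe", "scontrol.a", "sencs.bat",
                "systrey.exe"}
# Legitimate tools the worm bundles (PsExec, PrcView): suspicious only in context.
RANDON_DUAL_USE = {"psexec.exe", "libparse.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Undo regedit's string escapes: \\ for a backslash, \" for a quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="string" lines. dword:/hex: values and @= defaults are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STR_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _path_parts(path: str) -> List[str]:
    return path.replace("/", "\\").lower().split("\\")


def find_randon_indicators(reg: Dict[str, Dict[str, str]],
                           file_listing: List[str]) -> List[str]:
    """Return one line per indicator found, prefixed 'strong:' or 'weak:'."""
    hits: List[str] = []
    for key, values in reg.items():
        if key.lower() != RANDON_RUN_KEY.lower():   # registry keys are case-insensitive
            continue
        for name, data in values.items():
            if name.lower() == RANDON_RUN_VALUE:
                hits.append(f"strong: Run value '{name}' -> {data}")
            elif RANDON_DROP_DIRS & set(_path_parts(data)):
                hits.append(f"strong: Run value '{name}' points into a drop directory -> {data}")
    for path in file_listing:
        parts = _path_parts(path)
        name, dirs = parts[-1], set(parts[:-1])
        if RANDON_DROP_DIRS & dirs:
            hits.append(f"strong: file inside zx/zxz drop directory: {path}")
        elif name in RANDON_FILES:
            hits.append(f"strong: worm component name: {path}")
        elif name in RANDON_DUAL_USE:
            hits.append(f"weak: bundled dual-use tool, verify its origin: {path}")
    return hits


# Constructed sample input (not from a real machine). The updateWins path is
# an assumption: the write-up names the value but not the file it points to.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"updateWins"="C:\\WINDOWS\\system32\\zxz\\systrey.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
'''

SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\zxz\Deta.exe",
    r"C:\WINDOWS\system32\zxz\systrey.exe",
    r"C:\WINDOWS\system32\zxz\rcfg.ini",
    r"C:\WINDOWS\system32\psexec.exe",
    r"C:\WINDOWS\system32\dbentry.exe",   # the poster's file: not in Kaspersky's list
]

if __name__ == "__main__":
    for hit in find_randon_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_LISTING):
        print(hit)
```

On a real machine the inputs come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and `dir /s /b %SystemRoot%\system32 > files.txt`; regedit writes its exports as UTF-16, so open the file with `encoding="utf-16"` before passing it to `parse_reg_export`. Given the symptom that started this thread (regedit and msconfig being closed as soon as they open), collect the export from safe mode or from an offline boot rather than from the running, infected session. Note also that dbentry.exe, the file the poster's scanner flagged, does not appear in Kaspersky's component list, so name-based matching alone would miss that variant; treat the list as a starting point, not a complete signature.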
 
OUCH!

Thanks for the info, I had managed to find absolutely nothing about it and was scratching my head.

I'm thinking it's time to put a firewall on my computer. I guess most of these problems come from users like myself who are too lazy to do so.

I was wracking my brain to figure out where I had picked it up; this Windows install is about a week old. The only thing that had come to mind was when my bro-in-law decided to install Kazaa, but I tore a strip out of him and removed it about 4 hours later after I got home from work. He had managed to get 180+ virii (grammar?) on my old system that I don't watch well enough.

Thanks again!
C
 