regsvr.exe (Microsoft Corparation) Virus
regsvr.exe / Winhelp.exe / rundll.exe / (Microsoft Corparation)
===========================
File names
———–
Name : regsvr.exe
Name : winhelp.exe
Type of File : Application
Icon : Folder icon
size : 1.06 MB (1,114,588 bytes)
size on disk : 1.07 MB (1,122,304 bytes)
File version : 1.1.2.2
Description : Microsoft Corparation (note the misspelling "Corparation"; a genuine Microsoft version string reads "Microsoft Corporation")
Copyright :
Compiled Script : Microsoft Corporation
File version : 1,1,2,2
Language : English (United Kingdom)
Name : rundll.exe
Type of File : Application
Description : Generic Host Process for Win32 Services
Size : 161 KB (164,864 bytes)
size on disk : 168 KB (172,032 bytes)
File version : 3.8.0.7400
Company : Microsoft Corporation
Internal name : svchost-full-org
Language : English (United States)
Original name : svchost-full-org.exe
Other supporting files, created during installation of the virus. Both are legitimate, widely redistributed libraries (an HTTP/FTP transfer control and a JPEG codec) that the dropper carries along; neither is detected by KAV below.
Name : MSINET.OCX
Type : ActiveX Control
Size : 60.5 KB (61,952 bytes)
Size on disk : 64.0 KB (65,536 bytes)
File version : 5.1.45.11
Description : Microsoft Internet Transfer Control DLL
Copyright : Copyright © 1987-1997 Microsoft Corp.
Comments : September 11, 1997
Company : Microsoft Corporation
File version : 5.01.4511
Internal name : MSINET.OCX
Name : ijl11pro.dll
Type : Application Extension
Size : 70.0 KB (71,680 bytes)
Size on disk : 72.0 KB (73,728 bytes)
File version : 1.1.2.16
Description : Intel® JPEG Library – Retail Version
Copyright : Copyright © 1999
Comments : Intel® JPEG Library
Company : Intel Corporation
File version : 1.1.2
Internal name : Intel® JPEG Library
Original name : ijl11.dll
x—x—x
Detected by Kaspersky Anti-Virus (KAV)
—————–
rundll.exe : not-a-virus:Monitor.Win32.007SpySoft.q (Kaspersky's riskware class for monitoring software, so the keylogger component is reported as riskware, not as malware)
regsvr.exe : Worm.Win32.AutoIt.s
x—x—x
Running Processes
—————
Image name    User         CPU     Threads
regsvr.exe    <user name>  1-30%   2
rundll.exe    <user name>  0%      4
Winhelp.exe   SYSTEM       1-40%   1
Note that winhelp.exe runs as SYSTEM, consistent with being launched through the Winlogon\System value modified below (programs listed there are run by Winlogon in the system context), so cleaning only the user's Run key is not enough.
x—x—x
Behind the Screen
—————–
Files Created:
…………..
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut3.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut4.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut5.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut6.tmp
I:\WINDOWS\winhelp.ini
I:\WINDOWS\system32\rundll.exe
I:\WINDOWS\system32\ijl11pro.dll
I:\WINDOWS\system32\MSINET.OCX
I:\WINDOWS\system32\regsvr.exe
I:\WINDOWS\regsvr.exe
I:\WINDOWS\system32\winhelp.exe
I:\Documents and Settings\Piyush Chandra\Local Settings\Temp\~DFD5E6.tmp
I:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
I:\WINDOWS\system32\COMCTL32.OCX
I:\WINDOWS\system32\stdole2.tlb
ModifyFile I:\WINDOWS\winhelp.ini
(Windows is installed on I: on the test machine, so %WINDIR% is I:\WINDOWS. The aut*.tmp files in %TEMP% are typical of a compiled AutoIt script, matching the Worm.Win32.AutoIt.s name.)
Registry changes:
……………….
ModifyRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79ebb8fd-f8e1-11dc-a1b1-806d6172696f}\BaseClass
etc
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
CreateRegValue \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
CreateDir C:\WINNT\system32\ssdata
CreateDir C:\Recycled\WinLiveUpdate32\scrdata
CreateDir C:\Recycled\WinLiveUpdate32
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Themes
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
etc
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
etc
CreateRegValue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User "I:\WINDOWS\system32\rundll.exe"
In short: the Winlogon Shell and System values and the three Run values ("Yahoo Messengger", "User Themes", "User") are the persistence; the Policies values disable Task Manager, Registry Editor and Explorer's Folder Options so the user cannot look at or undo the changes. Note also that the directories are created under C:\ even though Windows lives on I:\ here, so those paths are not derived from %WINDIR%.
Registry access:
…………….
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
x—x—x
More behind the screen
———————-
The infection is only complete after two reboots.
It runs cacls.exe to change permissions on something (which object and which ACL change was not determined).
It saves a screenshot to C:\Recycled\WinLiveUpdate32\scrdata every 30 seconds, so on a machine that stays infected for a long time it slowly eats up the free space on C:.
It logs what happens on the system to C:\Recycled\WinLiveUpdate32\scrdata in the files Apps.data (programs opened and closed), Files.dat (file and folder operations), Keys.data (keystrokes, grouped by window), scr.data (screenshot index with the window title at capture time) and lgstat.ini.
In short: the rundll.exe component is a keylogger and screen-capture monitor (hence Kaspersky's Monitor.Win32.007SpySoft.q name) that keeps a complete record of what you do on the computer.
Apps.data
………
Piyush Chandra|||2008-03-26 19:05:18|||Run|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:21|||Run|||Protection
Piyush Chandra|||2008-03-26 19:05:32|||Close|||Protection
Piyush Chandra|||2008-03-26 19:05:34|||Close|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:37|||Run|||Windows Task Manager
Piyush Chandra|||2008-03-26 19:06:04|||Run|||My Documents
etc
Files.dat
………
Piyush Chandra|||2008-03-26 19:31:55|||Create Dir|||H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\New Folder
Piyush Chandra|||2008-03-26 19:32:00|||Rename Dir|||H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\New Folder—>H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\recycler files
etc
Keys.data
………
Piyush Chandra|||2008-03-26 19:10:03|||StartupMonitor Warning
{Enter}
scr.data
……..
Piyush Chandra|||2008-03-26 19:06:15|||Proactive Defense Alert|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668776.jpg
Piyush Chandra|||2008-03-26 19:06:45|||Process Explorer – Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668806.jpg
Piyush Chandra|||2008-03-26 19:07:16|||Process Explorer – Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668836.jpg
Piyush Chandra|||2008-03-26 19:07:46|||~DFBFCB.tmp – Notepad|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668866.jpg
Piyush Chandra|||2008-03-26 19:08:16|||Player
etc
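To turn those logs into one timeline (and to check the 30-second capture interval claimed above against the timestamps in scr.data), here is an added Python example; it is not part of the original post and not the worm's own code. The record layout it assumes (fields separated by the literal string `|||`: user, a `YYYY-MM-DD HH:MM:SS` timestamp, then one or two free-text fields) is inferred from the samples above, and the embedded sample lines are copied from this post.

```python
"""Rebuild a timeline from the monitor's logs (Apps.data, scr.data, ...).

Added example; not code from the original post and not the worm's own.
Record layout inferred from the samples in the post: fields separated by
the literal string "|||": user, "YYYY-MM-DD HH:MM:SS" timestamp, then one
or two free-text fields (action + target, or window title + screenshot).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

SEP = "|||"


@dataclass(frozen=True)
class Event:
    source: str     # log file the record came from
    user: str
    when: datetime
    action: str     # "Run", "Close", "Create Dir", ... or a window title
    target: str     # app name, path or screenshot file ("" if absent)


def parse_line(source: str, line: str) -> Optional[Event]:
    """Parse one record; None for blank lines and for lines that do not fit
    the layout, such as the raw keystroke lines ("{Enter}") in Keys.data."""
    parts = line.rstrip("\r\n").split(SEP)
    if len(parts) < 3:
        return None
    try:
        when = datetime.strptime(parts[1].strip(), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    target = parts[3].strip() if len(parts) > 3 else ""
    return Event(source, parts[0].strip(), when, parts[2].strip(), target)


def timeline(logs: Dict[str, str]) -> List[Event]:
    """Merge the named logs into one list ordered by timestamp."""
    events: List[Event] = []
    for source, text in logs.items():
        for line in text.splitlines():
            ev = parse_line(source, line)
            if ev:
                events.append(ev)
    return sorted(events, key=lambda e: e.when)


def capture_intervals(events: Iterable[Event]) -> List[int]:
    """Seconds between consecutive screenshots (scr.data records); the post
    says the monitor captures one every 30 seconds."""
    shots = sorted(e.when for e in events if e.source == "scr.data")
    return [int((b - a).total_seconds()) for a, b in zip(shots, shots[1:])]


# Sample records copied from the post (it shows only the first few of each).
APPS_DATA = """\
Piyush Chandra|||2008-03-26 19:05:18|||Run|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:21|||Run|||Protection
Piyush Chandra|||2008-03-26 19:05:32|||Close|||Protection
Piyush Chandra|||2008-03-26 19:05:34|||Close|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:37|||Run|||Windows Task Manager
Piyush Chandra|||2008-03-26 19:06:04|||Run|||My Documents
"""
SCR_DATA = r"""Piyush Chandra|||2008-03-26 19:06:15|||Proactive Defense Alert|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668776.jpg
Piyush Chandra|||2008-03-26 19:06:45|||Process Explorer - Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668806.jpg
Piyush Chandra|||2008-03-26 19:07:16|||Process Explorer - Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668836.jpg
Piyush Chandra|||2008-03-26 19:07:46|||~DFBFCB.tmp - Notepad|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668866.jpg
"""


def demo() -> List[Event]:
    events = timeline({"Apps.data": APPS_DATA, "scr.data": SCR_DATA})
    for e in events:
        print(f"{e.when:%H:%M:%S}  {e.source:<9} {e.action[:40]:<40} {e.target}")
    print("screenshot intervals (s):", capture_intervals(events))
    return events


if __name__ == "__main__":
    demo()
```

On the four scr.data records above the intervals come out as 30, 31 and 30 seconds, which matches the 30-second claim. Point `timeline()` at the real files read from C:\Recycled\WinLiveUpdate32\scrdata to reconstruct what the monitor recorded on an infected machine.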
Warning Messages
—————–
Windows (the file is locked while the process is running):
rundll.exe
Another program is currently using this file.
Kaspersky:
Riskware: not-a-virus:Monitor.Win32.007SpySoft.q
File: I:\WINDOWS\system32\rundll.exe
x—x—x
Solution:
———
Start > Run > type each of the following commands, one at a time.
(taskkill.exe is not shipped with Windows XP Home Edition; if it is missing, copy it from an XP Professional installation into C:\Windows\System32 first.)
Because the worm disables Task Manager and Registry Editor, the fix uses the command-line tools taskkill and reg, which those policies do not block. Kill the processes first; while they run, their files are locked (the "Another program is currently using this file" error above).
End task
……..
taskkill /f /im regsvr.exe /t
taskkill /f /im rundll.exe /t
taskkill /f /im winhelp.exe /t
Registry
……….
at /delete /yes
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v System /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "Explorer.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Themes" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User" /f
(at /delete /yes removes any AT scheduled jobs; the worm touches the Schedule service settings, see AtTaskMaxHours above. The /f switch on reg delete suppresses the confirmation prompt, which otherwise hangs when run from Start > Run.)
Files
…..
cmd /k del /f /a "%USERPROFILE%\Local Settings\Temp\aut*"
cmd /k del /f /a "%USERPROFILE%\Local Settings\Temp\~*"
cmd /k del /f /a "%WINDIR%\system32\rundll.exe"
cmd /k del /f /a "%WINDIR%\winhelp.ini"
cmd /k del /f /a "%WINDIR%\system32\ijl11pro.dll"
cmd /k del /f /a "%WINDIR%\system32\MSINET.OCX"
cmd /k del /f /a "%WINDIR%\system32\regsvr.exe"
cmd /k del /f /a "%WINDIR%\regsvr.exe"
cmd /k del /f /a "%WINDIR%\system32\winhelp.exe"
cmd /k rd /s /q "C:\WINNT\system32\ssdata"
cmd /k rd /s /q "C:\Recycled\WinLiveUpdate32"
(del /a deletes the file even if it has the hidden or system attribute set; rd /s /q removes a directory together with its contents, whereas del on a directory only deletes the files inside it.)
Also delete regsvr.exe, New Folder.exe and autorun.inf from the root of every pen drive that was plugged into the infected machine; otherwise the autorun.inf starts the worm again the next time the drive is inserted. Finally, reboot and confirm with tasklist that none of the three processes come back.
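As an added example (not from the original post or from the Heal tool), the following Python script audits the persistence points listed above, so you can confirm that the clean-up actually took, or spot the same pattern on another machine. The clean values it assumes (Winlogon Shell exactly `Explorer.exe`, Winlogon System empty, the three lockout policy DWORDs absent or 0) are standard Windows XP defaults; the Run value names and the dropped file names come from this post. The two snapshots embedded in it are constructed for a dry run; the post does not record what the worm wrote into Shell or System, so those sample values are illustrative. Run with Python 3 on Windows it reads the live registry; anywhere else it runs against the constructed infected snapshot.

```python
"""Audit the registry persistence points this worm uses and list deviations
from a clean Windows XP baseline.

Added example; not code from the original post or from the Heal tool. Clean
values assumed: Winlogon Shell == "Explorer.exe", Winlogon System == "", the
lockout policy DWORDs absent or 0. Run value names and dropped file names are
taken from the post; the sample snapshots below are constructed (the post
does not record what the worm wrote into Shell or System).
"""
import ntpath
import sys
from typing import Dict, List

Snapshot = Dict[str, Dict[str, object]]  # "HIVE\key path" -> {value name: data}

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICIES = {  # key suffix -> lockout values the worm creates
    r"Software\Microsoft\Windows\CurrentVersion\Policies\System": ("DisableTaskMgr", "DisableRegistryTools"),
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": ("NoFolderOptions",),
}
WORM_RUN_NAMES = {"yahoo messengger", "user themes", "user"}  # the worm's own misspelling
WORM_FILES = {"regsvr.exe", "rundll.exe", "winhelp.exe"}      # cf. legit regsvr32/rundll32


def image_name(cmd: str) -> str:
    """Lower-case file name of the executable in a Run command line,
    for quoted or unquoted paths, with or without arguments."""
    cmd = cmd.strip()
    image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0] if cmd else ""
    return ntpath.basename(image).lower()


def audit(snap: Snapshot) -> List[str]:
    """One line per deviation; an empty list means nothing suspicious."""
    findings: List[str] = []
    wl = snap.get("HKLM\\" + WINLOGON, {})
    shell = str(wl.get("Shell", "Explorer.exe"))
    if [t.lower() for t in shell.split()] != ["explorer.exe"]:  # malware appends itself to Shell
        findings.append(f"Winlogon\\Shell = {shell!r} (expected 'Explorer.exe')")
    system = str(wl.get("System", ""))
    if system.strip():
        findings.append(f"Winlogon\\System = {system!r} (expected empty)")
    for key, values in snap.items():
        lk = key.lower()
        for suffix, names in POLICIES.items():
            if lk.endswith(suffix.lower()):
                for n in names:
                    if values.get(n) not in (None, 0):
                        findings.append(f"{key}\\{n} = {values[n]!r} (lockout policy set)")
        if lk.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if name.lower() in WORM_RUN_NAMES or image_name(str(data)) in WORM_FILES:
                    findings.append(f"Run value {key}\\{name} = {data!r}")
    return findings


def collect_live() -> Snapshot:
    """Read the audited keys from the running system (Windows only)."""
    import winreg  # standard library, Windows only
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    wanted = [("HKLM", WINLOGON), ("HKLM", RUN), ("HKCU", RUN)] + [("HKCU", k) for k in POLICIES]
    snap: Snapshot = {}
    for hive, path in wanted:
        try:
            with winreg.OpenKey(roots[hive], path) as k:
                values: Dict[str, object] = {}
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    values[name] = data
        except OSError:
            continue  # key absent: nothing to report
        snap[f"{hive}\\{path}"] = values
    return snap


# Constructed snapshots for a dry run off Windows (Shell/System contents are illustrative).
CLEAN: Snapshot = {
    "HKLM\\" + WINLOGON: {"Shell": "Explorer.exe", "System": ""},
    "HKCU\\" + RUN: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}
INFECTED: Snapshot = {
    "HKLM\\" + WINLOGON: {"Shell": "Explorer.exe regsvr.exe", "System": r"I:\WINDOWS\system32\winhelp.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NoFolderOptions": 1},
    "HKCU\\" + RUN: {"Yahoo Messengger": r"I:\WINDOWS\system32\regsvr.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "HKLM\\" + RUN: {"User": r'"I:\WINDOWS\system32\rundll.exe"', "User Themes": r"I:\WINDOWS\system32\winhelp.exe"},
}


def main() -> int:
    snap = collect_live() if sys.platform == "win32" else INFECTED
    findings = audit(snap)
    for f in findings:
        print("!!", f)
    print("clean" if not findings else f"{len(findings)} deviation(s) found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit status is 1 while anything deviates, so the script can be re-run after the commands above until it reports "clean". A Run value that merely launches a legitimate program (ctfmon.exe in the sample) is left alone; only the worm's value names and file names are flagged, so the check does not trip on regsvr32.exe or rundll32.exe.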
Download:
———
Please download the Heal tool for regsvr.exe from here:
http://piyushlabs.googlepages.com/Heal_regsvr1.0.zip
13 September, 2008 at 10:02 am
dear piyushlabs,
Every time I log on to my PC, an error is displayed: "WINDOWS CANNOT FIND RUNDLL.EXE. MAKE SURE YOU TYPED THE NAME CORRECTLY AND THEN TRY AGAIN. TO SEARCH FOR A FILE, CLICK THE START BUTTON AND THEN CLICK SEARCH."
OK
Please help me to resolve this problem.
15 September, 2008 at 7:32 am
Hello sir
Whenever I start the computer, a "regsvr.exe missing" error comes up.
Please guide me on how to overcome this problem.
Regards
Raj
23 September, 2008 at 10:12 pm
Thanks Piyush, really nice work for those who don't know much about Windows.
24 September, 2008 at 11:32 am
Dear Sir,
I have Windows 2000 Server. Whenever I click on the desktop, My Computer or any icon on the desktop, it displays the error "regsvr.exe access denied".
Please suggest how I can solve this problem on an urgent basis.
Thanx
Kauleshwar
25 September, 2008 at 11:37 am
Thank you so much... really, you are great...
14 October, 2008 at 10:49 pm
Thanks. I guess it worked for me too.
27 October, 2008 at 3:38 pm
Thank you Piyush... it's amazing. Please advise me on how to get rid of the virus on my pen drive. Thanks once again for the helpful website.
5 November, 2008 at 12:34 pm
How do I use this program for a pen drive?
11 November, 2008 at 10:33 pm
Thanks for all the help.
it’s gone.
Good that it's freeware and not a 60-day trial!
13 November, 2008 at 7:15 am
Hi,
Thanks for all the help.
Your Heal program and the steps you have mentioned in the blog helped me to remove the regsvr.exe and winhelp.exe.
16 November, 2008 at 3:09 am
Really, a lot of thanks for providing this software... I had been getting this error message at startup for a long time... now it's gone... thank you...
17 November, 2008 at 2:48 pm
The Internet is choked up. Is regsvr.exe so dangerous that it may change Internet surfing settings? Please tell me.
26 November, 2008 at 11:20 pm
hello piyush
I have a P3 and Windows XP. On my desktop I see the message "regsvr.exe is a corrupt file".
30 November, 2008 at 8:21 am
Hi Piyush,
I've used one of your tools earlier and it worked, and now I am back here to use one more... but now my laptop is so badly infected that I don't have permission to copy taskkill into my system32, and I don't even have permission to edit my registry. It says "registry editing has been disabled by your administrator", and when I try to copy taskkill to system32, it says "you need permission to perform this action".
I am using Windows Vista (32-bit) Home Premium on my HP laptop with an Intel Core 2 Duo T7250 @ 2 GHz and 2 GB RAM. This virus has been chewing my brain as it doesn't let me do things even in Safe Mode. Help in this regard would be appreciated. Thanks
-Venki
2 December, 2008 at 12:25 am
Piyush... thanks a ton... I was really scared of this virus... great job man, keep it up... and I will surely visit your website too... thanks again
13 December, 2008 at 8:44 pm
Hello………
Dear, I am facing a bad virus these days... that changes the directory name. The virus is a folder named "k" which is an .exe file (Worm.Win32.AutoIt.t).
Please send me the solution and the antivirus which removes it.
I will be thankful...
Thanks
18 December, 2008 at 8:55 pm
Thanks for the solution for regsvr.exe and the others. Please keep posting solutions.
19 December, 2008 at 5:53 pm
Sir, please tell me how to remove the regsvr.exe virus step by step.
thank u
30 December, 2008 at 3:01 pm
I am very thankful for this software, and special thanks to Mr. Gaurav.
1 January, 2009 at 10:59 pm
Thanks a lot…