regsvr.exe (Microsoft Corparation) Virus

regsvr.exe / Winhelp.exe / rundll.exe (Microsoft Corparation)
=============================================================

File names

———–

Name : regsvr.exe
Name : winhelp.exe
Type of File : Application
Icon : Folder icon (the executable poses as a folder; this is why the copies on pen drives are called "New Folder.exe")
Size : 1.06 MB (1,114,588 bytes)
Size on disk : 1.07 MB (1,122,304 bytes)
File version : 1.1.2.2
Description : Microsoft Corparation (note the spelling: "Corp-a-ration", not "Corporation"; this typo in the version info is the quickest way to tell the dropper apart from a genuine Microsoft file)
Copyright :
Compiled Script : Microsoft Corporation
File version (numeric) : 1,1,2,2
Language : English (United Kingdom)

Name : rundll.exe
Type of File : Application
Description : Generic Host Process for Win32 Services (the description string of the genuine svchost.exe; a clean Windows XP System32 contains rundll32.exe but no rundll.exe)
Size : 161 KB (164,864 bytes)
Size on disk : 168 KB (172,032 bytes)
File version : 3.8.0.7400
Company : Microsoft Corporation
Internal name : svchost-full-org
Language : English (United States)
Original name : svchost-full-org.exe

Other supporting files, dropped while the virus installs itself (both are legitimate third-party libraries that the monitor component needs, not malware in their own right):

Name : MSINET.OCX
Type : ActiveX Control
Size : 60.5 KB (61,952 bytes)
Size on disk : 64.0 KB (65,536 bytes)
File version : 5.1.45.11
Description : Microsoft Internet Transfer Control DLL (the stock Visual Basic 6 HTTP/FTP transfer control)
Copyright : Copyright © 1987-1997 Microsoft Corp.
Comments : September 11, 1997
Company : Microsoft Corporation
File version (string) : 5.01.4511
Internal name : MSINET.OCX

Name : ijl11pro.dll
Type : Application Extension
Size : 70.0 KB (71,680 bytes)
Size on disk : 72.0 KB (73,728 bytes)
File version : 1.1.2.16
Description : Intel® JPEG Library – Retail Version (used to encode the JPEG screenshots described below)
Copyright : Copyright © 1999
Comments : Intel® JPEG Library
Company : Intel Corporation
File version (string) : 1.1.2
Internal name : Intel® JPEG Library
Original name : ijl11.dll

x—x—x

Recognized by KAV
—————–

not-a-virus:Monitor.Win32.007SpySoft.q   rundll.exe
Worm.Win32.AutoIt.s                      regsvr.exe

Kaspersky's "not-a-virus:Monitor" class is its riskware label for commercial monitoring software, so rundll.exe is a repackaged 007 Spy Software keylogger rather than custom malware. The dropper regsvr.exe is a compiled AutoIt script (the aut*.tmp files it leaves in %TEMP%, listed below, are what a compiled AutoIt executable unpacks when it starts).
x—x—x

Running Processes
—————

Process       User          CPU     Threads
regsvr.exe    <user name>   1-30%   2
rundll.exe    <user name>   0%      4
Winhelp.exe   SYSTEM        1-40%   1

Winhelp.exe running as SYSTEM rather than as the logged-on user is consistent with it being started through the Winlogon "System" value, which Winlogon executes in the SYSTEM context; the dropper modifies that value (see the registry changes below), and the Solution section blanks it again.

x—x—x

Behind the Screen
—————–

Files Created:
…………..

I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut3.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut4.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut5.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut6.tmp
I:\WINDOWS\winhelp.ini
I:\WINDOWS\system32\rundll.exe
I:\WINDOWS\system32\ijl11pro.dll
I:\WINDOWS\system32\MSINET.OCX
I:\WINDOWS\system32\regsvr.exe
I:\WINDOWS\regsvr.exe
I:\WINDOWS\system32\winhelp.exe
I:\Documents and Settings\Piyush Chandra\Local Settings\Temp\~DFD5E6.tmp
I:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
I:\WINDOWS\system32\COMCTL32.OCX
I:\WINDOWS\system32\stdole2.tlb
ModifyFile I:\WINDOWS\winhelp.ini

Registry changes:
……………….

ModifyRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79ebb8fd-f8e1-11dc-a1b1-806d6172696f}\BaseClass
etc
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
CreateRegValue \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system
CreateDir C:\WINNT\system32\ssdata
CreateDir C:\Recycled\WinLiveUpdate32\scrdata
CreateDir C:\Recycled\WinLiveUpdate32
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Themes
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
etc
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
etc
CreateRegValue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User "I:\WINDOWS\system32\rundll.exe"

In short: the worm autostarts from both the per-user and the machine Run keys and from the Winlogon Shell and System values, and it disables Task Manager, Registry Editor and Folder Options so that the usual ways of looking for it are blocked. The TypeLib/CLSID keys are MSINET.OCX registering itself; the "Yahoo Messengger" spelling (two g's) is the worm's own.

Registry access:
…………….

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
HKLM\SYSTEM\ControlSet001\Hardware Profiles\001
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness

x—x—x

More behind the screen
———————-

The virus is only fully installed after two reboots.

It invokes cacls.exe to change permissions on something (which objects it touches had not been worked out at the time of writing).

It saves a screenshot to C:\Recycled\WinLiveUpdate32\scrdata every 30 seconds (the file names are the date followed by the seconds since midnight, so 2008032668776.jpg was taken at 19:06:16 on 2008-03-26, matching the log timestamps below), so it slowly fills up C: if you stay infected for a long time.

It also logs which applications are started and closed, file operations, keystrokes with the window they were typed into, and an index of the screenshots, in C:\Recycled\WinLiveUpdate32\scrdata in the files Apps.data, Files.dat, Keys.data, scr.data and lgstat.ini.

In simple words: it keeps a complete record of what you do on your computer.

Apps.data
………

Piyush Chandra|||2008-03-26 19:05:18|||Run|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:21|||Run|||Protection
Piyush Chandra|||2008-03-26 19:05:32|||Close|||Protection
Piyush Chandra|||2008-03-26 19:05:34|||Close|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:37|||Run|||Windows Task Manager
Piyush Chandra|||2008-03-26 19:06:04|||Run|||My Documents
etc

Files.dat
………

Piyush Chandra|||2008-03-26 19:31:55|||Create Dir|||H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\New Folder
Piyush Chandra|||2008-03-26 19:32:00|||Rename Dir|||H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\New Folder—>H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\recycler files

etc

Keys.data
………

Piyush Chandra|||2008-03-26 19:10:03|||StartupMonitor Warning
{Enter}

scr.data
……..

Piyush Chandra|||2008-03-26 19:06:15|||Proactive Defense Alert|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668776.jpg
Piyush Chandra|||2008-03-26 19:06:45|||Process Explorer – Sysinternals: http://www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668806.jpg
Piyush Chandra|||2008-03-26 19:07:16|||Process Explorer – Sysinternals: http://www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668836.jpg
Piyush Chandra|||2008-03-26 19:07:46|||~DFBFCB.tmp – Notepad|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668866.jpg
Piyush Chandra|||2008-03-26 19:08:16|||Player

etc
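All of the data files above share one layout: fields separated by `|||`, with Keys.data adding raw keystroke lines under each window header. The following is an added example written for this page (it is not code from the original post, nor from the spyware) that parses that layout into a single timeline and decodes the screenshot file names. The records embedded in it are the lines quoted above (trimmed); the 50 KB per-screenshot figure used for the disk-growth estimate is an assumption, not something measured on the page.

```python
"""Triage helpers for the '|||'-delimited logs the monitor component writes.

Added example for this page; not code from the original post or the spyware.
Handles the user|||timestamp|||action|||target records of Apps.data /
Files.dat / scr.data, the Keys.data layout (user|||timestamp|||window header,
then raw keystroke lines) and the screenshot names, which are
<YYYYMMDD><seconds since midnight>.jpg.
"""
from collections import Counter
from datetime import datetime, timedelta
import os
import re

SEP = "|||"
TS_FMT = "%Y-%m-%d %H:%M:%S"
SHOT_RE = re.compile(r"^(\d{8})(\d+)\.jpg$", re.IGNORECASE)

# Records quoted from the page (real captured lines, trimmed to a few each).
APPS_DATA = """\
Piyush Chandra|||2008-03-26 19:05:18|||Run|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:34|||Close|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:37|||Run|||Windows Task Manager
"""
SCR_DATA = r"""
Piyush Chandra|||2008-03-26 19:06:15|||Proactive Defense Alert|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668776.jpg
Piyush Chandra|||2008-03-26 19:06:45|||Process Explorer - Sysinternals|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668806.jpg
Piyush Chandra|||2008-03-26 19:07:16|||Process Explorer - Sysinternals|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668836.jpg
Piyush Chandra|||2008-03-26 19:07:46|||~DFBFCB.tmp - Notepad|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668866.jpg
"""
KEYS_DATA = "Piyush Chandra|||2008-03-26 19:10:03|||StartupMonitor Warning\n{Enter}\n"


def parse_records(text):
    """Parse Apps.data / Files.dat / scr.data lines into dicts.

    Lines without at least user|||timestamp|||action, or with an unparsable
    timestamp, are skipped so a partially overwritten log still yields a timeline.
    """
    out = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split(SEP)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[1], TS_FMT)
        except ValueError:
            continue
        out.append({"user": parts[0], "ts": ts, "action": parts[2],
                    "target": parts[3] if len(parts) > 3 else ""})
    return out


def parse_keys(text):
    """Keys.data: one header per focused window, then the keys typed into it."""
    entries = []
    for line in text.splitlines():
        parts = line.split(SEP)
        if len(parts) == 3:
            try:
                ts = datetime.strptime(parts[1], TS_FMT)
            except ValueError:
                ts = None
            if ts is not None:
                entries.append({"user": parts[0], "ts": ts, "window": parts[2], "keys": ""})
                continue
        if entries:  # a keystroke line belongs to the most recent window header
            entries[-1]["keys"] += line + "\n"
    return entries


def screenshot_time(path):
    """Decode '<YYYYMMDD><seconds since midnight>.jpg' into a datetime, or None."""
    m = SHOT_RE.match(os.path.basename(path.replace("\\", "/")))
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d") + timedelta(seconds=int(m.group(2)))


def capture_interval(scr_records):
    """Most common gap, in seconds, between consecutive screenshot files."""
    times = sorted(t for t in (screenshot_time(r["target"]) for r in scr_records) if t)
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return Counter(gaps).most_common(1)[0][0] if gaps else None


def projected_growth(interval_s, avg_shot_bytes, days):
    """Bytes written to scrdata over `days` of uptime at one shot per `interval_s`."""
    return (days * 86400 // interval_s) * avg_shot_bytes


def timeline(*record_lists):
    """Merge records from several logs into one time-ordered list."""
    return sorted((r for lst in record_lists for r in lst), key=lambda r: r["ts"])


if __name__ == "__main__":
    apps, shots = parse_records(APPS_DATA), parse_records(SCR_DATA)
    for r in timeline(apps, shots):
        print(r["ts"], r["action"], r["target"])
    for k in parse_keys(KEYS_DATA):
        print(k["ts"], "keys in", repr(k["window"]), "->", repr(k["keys"]))
    iv = capture_interval(shots)
    # 50 KB per JPEG is an assumption; measure the real files in scrdata instead.
    print("capture interval:", iv, "s; per day at 50 KB/shot:",
          projected_growth(iv, 50_000, 1) // 2**20, "MiB")
```

Point the parsers at the real files copied off the infected drive (read them before deleting scrdata if the timeline matters to you): the merged output tells you when the monitor became active and exactly which windows were on screen and which keys were typed while it ran.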

Warning Messages
—————–

rundll.exe
Another program is currently using this file.
(shown if you try to delete rundll.exe while the monitor process is still running; kill the processes first, see Solution)

Kaspersky
Riskware: not-a-virus:Monitor.Win32.007SpySoft.q
File: I:\WINDOWS\system32\rundll.exe

x—x—x

Solution:
———

Start > Run > type each of the following lines

(if taskkill.exe is missing, as it is on Windows XP Home Edition, copy it from an XP Professional machine into C:\Windows\System32 first)

End task
……..

taskkill /f /im regsvr.exe /t
taskkill /f /im rundll.exe /t
taskkill /f /im winhelp.exe /t

Registries
……….

(the first "reg add" re-enables Registry Editor so the rest can be undone by hand if needed; "at /delete /yes" drops any AT jobs the worm scheduled, since it touched the Schedule service key above; "Yahoo Messengger" keeps the worm's own misspelling)

at /delete /yes
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v System /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "Explorer.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Themes" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User" /f

(the last line removes the machine-wide Run value "User" that starts rundll.exe, recorded under Registry changes above; restore the Winlogon Shell value before rebooting, otherwise you log on to a blank desktop)

Files
…..

(del is a cmd built-in, hence the "cmd /k" prefix when typing into Start > Run; rd /s /q is used for the directories because del only removes the files inside and leaves the folder behind. Do not touch rundll32.exe, regsvr32.exe or winhlp32.exe, which are the genuine Windows binaries. If you want evidence of what was captured, copy C:\Recycled\WinLiveUpdate32 somewhere first.)

cmd /k del "%USERPROFILE%\Local Settings\Temp\aut*" /f
cmd /k del "%USERPROFILE%\Local Settings\Temp\~*" /f
cmd /k del "%WINDIR%\System32\rundll.exe" /f
cmd /k del "%WINDIR%\winhelp.ini" /f
cmd /k del "%WINDIR%\system32\ijl11pro.dll" /f
cmd /k del "%WINDIR%\system32\MSINET.OCX" /f
cmd /k del "%WINDIR%\system32\regsvr.exe" /f
cmd /k del "%WINDIR%\regsvr.exe" /f
cmd /k del "%WINDIR%\system32\winhelp.exe" /f
cmd /k rd /s /q "C:\WINNT\system32\ssdata"
cmd /k rd /s /q "C:\Recycled\WinLiveUpdate32\scrdata"
cmd /k rd /s /q "C:\Recycled\WinLiveUpdate32"
(and delete regsvr.exe, New Folder.exe and autorun.inf from pen drives, otherwise the next pen drive you plug in reinfects the machine)
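Before and after running the registry commands above it is worth auditing the persistence points this worm uses from a `reg query` dump rather than by eye, since the same value names come back if a pen drive reinfects the machine. The following is an added example written for this page (it is not the author's Heal tool and not part of the original post). The two dumps embedded in it are constructed to mirror the registry changes listed under "Behind the Screen"; the specific Shell and System data shown in the infected dump (`Explorer.exe regsvr.exe`, `winhelp.exe`) are assumptions about what the worm writes, which the page does not record.

```python
"""Audit the registry persistence points this worm uses, from `reg query` output.

Added example for this page, not the author's Heal tool. audit() works on a
saved text dump so it can run on an analysis workstation; collect() gathers
the same dump on a live Windows host with reg.exe.
"""
import re
import subprocess
import sys

KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
]
DROPPED = ("regsvr.exe", "rundll.exe", "winhelp.exe")        # file names from the page
BAD_RUN_NAMES = {"yahoo messengger", "user themes", "user"}  # Run value names from the page
POLICY_LOCKS = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}
# `reg query` value line: <indent><name><ws>REG_<type><ws><data>; name may contain spaces
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed dump of an infected box. Shell/System data are assumptions (see lead-in).
INFECTED_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe regsvr.exe
    System    REG_SZ    winhelp.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Yahoo Messengger    REG_SZ    C:\WINDOWS\system32\regsvr.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    User Themes    REG_SZ    C:\WINDOWS\system32\winhelp.exe
    User    REG_SZ    "C:\WINDOWS\system32\rundll.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions    REG_DWORD    0x1
"""

# Constructed dump of the same keys after the commands in this post were run.
CLEAN_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    System    REG_SZ
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""


def parse_reg_query(text):
    """Turn `reg query` output into {key path: {value name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace() and line.upper().startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys


def audit(text):
    """Return (key, value name, data, reason) for every indicator in the dump."""
    findings = []
    for key, values in parse_reg_query(text).items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        for name, (_rtype, data) in values.items():
            lname, ldata = name.lower(), data.lower()
            if leaf == "winlogon" and lname == "shell" and ldata != "explorer.exe":
                findings.append((key, name, data, "Winlogon Shell is not Explorer.exe"))
            elif leaf == "winlogon" and lname == "system" and data:
                findings.append((key, name, data, "Winlogon System launches a program as SYSTEM"))
            elif leaf == "run" and (lname in BAD_RUN_NAMES or any(d in ldata for d in DROPPED)):
                findings.append((key, name, data, "autostart entry names a dropped file"))
            elif leaf in ("system", "explorer") and lname in POLICY_LOCKS and ldata not in ("", "0x0", "0"):
                findings.append((key, name, data, "policy lock set (tool disabled)"))
    return findings


def collect():
    """Run `reg query` for each key on a live Windows host and join the output."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("reg.exe is Windows-only; pass a saved dump to audit() instead")
    return "\n".join(subprocess.run(["reg", "query", k], capture_output=True, text=True).stdout
                     for k in KEYS)


if __name__ == "__main__":
    text = collect() if sys.platform.startswith("win") else INFECTED_DUMP
    for key, name, data, why in audit(text):
        print(f"{why}: {key} -> {name} = {data!r}")
```

Run it on the infected machine (or on `reg query` output saved from it) before the cleanup to confirm every entry is present, and again afterwards: an empty result means the Run keys, the Winlogon values and the policy locks are all back to normal. The substring match on the dropped file names deliberately does not match rundll32.exe or regsvr32.exe, so genuine entries are not reported.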

Download:
———

Please download the Heal for regsvr.exe from here:

http://piyushlabs.googlepages.com/Heal_regsvr1.0.zip

More Downloads
—————–

https://piyushlabs.wordpress.com/downloads/

82 Responses to “regsvr.exe (Microsoft Corparation) Virus”

  1. regsvr.exe / rundll.exe / ‘Microsoft CorpAration’ virus details & heal uploaded « : : : Piyush Labs : : : Says:

    […] here is the solution… https://piyushlabs.wordpress.com/regsvr/ Possibly related posts: (automatically generated)Hunt and Delete Virus Filesthree nasty viruses in […]

  2. balakrishnan Says:

    thanks lot
