Author Topic: registry changed (Read 3351 times)

sluggo123 · « **on:** October 09, 2007, 06:19:04 AM »

Windows XP Home edition all the latest updates and service packs
2.00 gigahertz AMD Athlon 64
100.02 Gigabytes Usable Hard Drive Capacity
52.51 Gigabytes Hard Drive Free Space

HL-DT-ST DVD-RW GWA-4082N [CD-ROM drive]

FUJITSU MHU2100AT [Hard drive] (100.03 GB) -- drive 0, s/n NQ07T592H764, rev 00000008, SMART Status: Healthy
Ram 1 GIG
Slot 'JP11' has 512 MB
Slot 'JP30' has 512 MB

My registry changed and I cannot think of anything that I did to change it.

Registry entry "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr\ImagePath" (system32\DRIVERS\sr.sys) :

Entry was changed to <\SystemRoot\system32\DRIVERS\sr.sys>

Should this be regarded as suspicious? I am not sure just what changed and what occurred here.

sluggo123

contrex · « **Reply #1 on:** October 09, 2007, 06:54:09 AM »

Yes, it should be regarded as supsicious. You may have the KurtAgent 1.0 Trojan (Trojan-PSW.Win32.Kurgent.10), which among other things, stealthily disables your System restore.

Read here

http://www.megasecurity.org/trojans/k/kurtagent/Kurtagent1.0.html

Check for these...

dropped files:
c:\WINDOWS\system32\directx32.exe Size: 448,506 bytes
c:\WINDOWS\system32\dxdlg.dat Size: 2,927 bytes
c:\WINDOWS\system32\dxdlg.dll Size: 96,256 bytes
c:\WINDOWS\system32\ka_keyg.dat Size: 0 bytes

deleted:
c:\WINDOWS\system32\Restore\MachineGuid.txt

added to registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "DirectX Plugin"
data: C:\WINDOWS\System32\directx32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR"
old data: 00, 00, 00, 00
new data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr "ImagePath"
old data: System32\DRIVERS\sr.sys
new data: \SystemRoot\System32\DRIVERS\sr.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr "ImagePath"
old data: System32\DRIVERS\sr.sys
new data: \SystemRoot\System32\DRIVERS\sr.sys

Broni · « **Reply #2 on:** October 09, 2007, 02:03:20 PM »

Download HijackThis - http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html
Post its log at "Computer Viruses and Spyware"

sluggo123 · « **Reply #3 on:** October 16, 2007, 06:58:41 PM »

found an online virus checker, found the virus and cleared the problem. Thanks for your input. It as a virus, fact two viruses hanging out in the system restore area. Thanks again. Problem resolved.
sluggo123

patio · « **Reply #4 on:** October 16, 2007, 07:03:50 PM »

If you list your current protection package maybe we can make some suggestions...

sluggo123 · « **Reply #5 on:** October 16, 2007, 07:14:43 PM »

My current protection is:
Avast Free
A Squared Free
AVG Anti Root Kit Free
LavaSoft SE Personal
SpyBot search and destroy
ZoneAlarm

Broni · « **Reply #6 on:** October 16, 2007, 07:38:24 PM »

Quote

Problem resolved

Cool

patio · « **Reply #7 on:** October 16, 2007, 07:54:15 PM »

Quote from: sluggo123 on October 16, 2007, 07:14:43 PM

My current protection is:
Avast Free
A Squared Free
AVG Anti Root Kit Free
LavaSoft SE Personal
SpyBot search and destroy
ZoneAlarm

Nice well rounded package !
I was going to suggest AVG Anti-Spyware but a-squared does basically the same thing...

Computer Hope Forum

News: