Solve : registry changed?

Answer»

Windows XP Home edition all the latest updates and service packs
2.00 GIGAHERTZ AMD Athlon 64
100.02 Gigabytes USABLE Hard Drive Capacity
52.51 Gigabytes Hard Drive Free Space

HL-DT-ST DVD-RW GWA-4082N [CD-ROM drive]

FUJITSU MHU2100AT [Hard drive] (100.03 GB) -- drive 0, s/n NQ07T592H764, rev 00000008, SMART Status: Healthy
Ram 1 GIG
Slot 'JP11' has 512 MB
Slot 'JP30' has 512 MB

My registry changed and I cannot think of anything that I did to change it.

Registry entry "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr\ImagePath" (system32\DRIVERS\sr.sys) :

Entry was changed to <\SystemRoot\system32\DRIVERS\sr.sys>

Should this be regarded as suspicious? I am not sure just what changed and what occurred here.
sluggo123
Yes, it should be regarded as suspicious. You may have the KurtAgent 1.0 Trojan (Trojan-PSW.Win32.Kurgent.10), which, among other things, stealthily disables your System Restore.

Read here

http://www.megasecurity.org/trojans/k/kurtagent/Kurtagent1.0.html

Check for these...

dropped files:
c:\WINDOWS\system32\directx32.exe Size: 448,506 bytes
c:\WINDOWS\system32\dxdlg.dat Size: 2,927 bytes
c:\WINDOWS\system32\dxdlg.dll Size: 96,256 bytes
c:\WINDOWS\system32\ka_keyg.dat Size: 0 bytes

deleted:
c:\WINDOWS\system32\Restore\MachineGuid.txt

added to registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "DirectX PLUGIN"
data: C:\WINDOWS\System32\directx32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR"
old data: 00, 00, 00, 00
new data: 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr "ImagePath"
old data: System32\DRIVERS\sr.sys
new data: \SystemRoot\System32\DRIVERS\sr.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr "ImagePath"
old data: System32\DRIVERS\sr.sys
new data: \SystemRoot\System32\DRIVERS\sr.sys
Download HijackThis - http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html
Post its log at "Computer Viruses and Spyware"

Found an online virus checker, found the virus and cleared the problem. Thanks for your input. It was a virus, in fact two viruses hanging out in the system restore area. Thanks again. Problem resolved.
sluggo123

If you list your current protection package maybe we can make some suggestions...
My current protection is:
Avast Free
A Squared Free
AVG Anti Root Kit Free
LavaSoft SE Personal
SpyBot search and destroy
ZoneAlarm

Quote
Problem resolved

Cool

Quote from: sluggo123 on October 16, 2007, 07:14:43 PM
My current protection is:
Avast Free
A Squared Free
AVG Anti Root Kit Free
LavaSoft SE Personal
SpyBot search and destroy
ZoneAlarm

Nice well-rounded package!
I was going to suggest AVG Anti-Spyware but a-squared does basically the same thing...
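
The "added to registry" values listed in the reply above can be checked offline against a regedit export (`.reg` text) taken from the affected machine. This is an added example, not part of the original thread; the function names and the sample export are constructed, and reading the DisableSR bytes 01,00,00,00 as a DWORD of 1 is an assumption.

```python
import re
HKLM = "HKEY_LOCAL_MACHINE\\"
SR_PATH = r"\SystemRoot\System32\DRIVERS\sr.sys"
# (key, value name, "new data") from the reply's "added to registry" list.
# Assumption: DisableSR's bytes 01,00,00,00 are a little-endian DWORD of 1.
INDICATORS = [
    (HKLM + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "DirectX PLUGIN", r"C:\WINDOWS\System32\directx32.exe"),
    (HKLM + r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", 1),
    (HKLM + r"SYSTEM\ControlSet001\Services\sr", "ImagePath", SR_PATH),
    (HKLM + r"SYSTEM\CurrentControlSet\Services\sr", "ImagePath", SR_PATH),
]

def decode_value(raw):
    """Decode one .reg data field: quoted string, dword, or hex(2) (REG_EXPAND_SZ)."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo the \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):                    # UTF-16LE, NUL-terminated
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                       # other types are left as text

def parse_reg(text):
    """Map (key, value name), both lower-cased, to the decoded data."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)        # join wrapped hex lines
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("["):
            key = line[1:-1].lower()
        elif m and key:
            values[(key, m.group(1).lower())] = decode_value(m.group(2))
    return values

def match_indicators(text):
    """Return the (key, name) pairs from INDICATORS whose data matches the export."""
    fold = lambda v: v.lower() if isinstance(v, str) else v
    found = parse_reg(text)
    return [(k, n) for k, n, want in INDICATORS
            if fold(found.get((k.lower(), n.lower()))) == fold(want)]

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirectX PLUGIN"="C:\\WINDOWS\\System32\\directx32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000'''
```

On the sample, `match_indicators(SAMPLE)` reports only the Run entry, since DisableSR is still 0 there. The dropped files and the deleted MachineGuid.txt from the same reply are file-system checks and are not covered by this registry-only parser.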

