regsvr.exe rosource drainer

Status
Not open for further replies.

ritish

Journeyman
dear friends,
Of late my CPU usage is always showing 100%, even though I haven't installed any big software or antivirus.
When I go to Task Manager > Processes I find two regsvr.exe image names eating away around 100% of the CPU usage. As a result my lappy works very slow, even though it has 2 GB of RAM.
Please help me get rid of the problem.
 

alexanderthegreat

Overlord v2.0
That might be a virus. In most cases it is a trojan masquerading as the regsvr32.exe. On the other hand, sometimes, it may be launched by an innocent program running in the background. I recommend that you post a hijackthis log.
 

ritish

Journeyman
the hijackthis log:-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:16 PM, on 5/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Philips\SA19XX\Philips Device Manager\Bin\DeviceManager.exe
C:\WINDOWS\system32\28463\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zoom Player\zplayer.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = *go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *shyam.com.np/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = *go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = *go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = shyam.com.np
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\VirusRemoval.vbs
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PhilipsDM\SA1916] C:\Program Files\Philips\SA19XX\Philips Device Manager\Bin\DeviceManager.exe OS_STARTUP
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{87878BBE-DD03-4F5E-AE6B-C1BB689C2BFC}: NameServer = 203.187.217.203 203.187.215.35
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4690 bytes
 

mrintech

Technomancer
Analyse your HijackThis log file here: *www.hijackthis.de/ You can see there are some unknown/nasty processes running on your system.

Have a full scan with updated definitions using: *www.superantispyware.com/download.html

Do report back.
 

alexanderthegreat

Overlord v2.0
Those two 'regsvr.exe's are not listed in the Running Processes list. Nevertheless, they might have been executed by MSN messenger or Zoom Player.

However, what caught my attention were these two lines:-
C:\WINDOWS\system32\28463\svchost.exe
and
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
'svchost.exe' is a Windows process which exists in the System32 folder, not the System32\28463\ folder. You'd better fix this in HijackThis. Try to delete this file manually (NOT the System32 one! Delete the System32\28463\svchost.exe file). After that, run a virus scan.

About your regsvr.exe problem, search for regsvr.exe on your PC. Delete all instances which are not present in the C:\Windows\System32 folder. Also, scan the one present in the C:\Windows\System32 folder with a good antivirus.

If all is clean, try to exit MSN Messenger and Zoom Player and then check the Task Manager for any remaining 'regsvr.exe' processes.

One more thing, this seems weird:-
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\VirusRemoval.vbs
Check your startup list. I reckon you might find a few surprises. Oh, and upgrade to SP3! It's more secure.
 
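An added triage helper in Python (not code from the thread): it parses HijackThis-style "Running processes", O4 and F2 lines and flags the three patterns called out above (a system binary outside its expected directory, a lookalike name such as regsvr.exe instead of regsvr32.exe, and a UserInit value chaining an extra command). The expected-directory table and lookalike list are assumptions for a stock Windows XP install on C:; the sample log is constructed from entries quoted in the thread.

```python
import re
from pathlib import PureWindowsPath

# Windows system binaries and the directory each is expected to live in
# (assumption: a stock 32-bit Windows XP install on C:).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Names that imitate a genuine system binary (assumed list).
LOOKALIKES = {"regsvr.exe": "regsvr32.exe"}

# Constructed sample in HijackThis format, built from entries quoted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\28463\svchost.exe
C:\WINDOWS\Explorer.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\VirusRemoval.vbs
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def check_path(path):
    """Return a finding if the path masquerades as a system binary, else None."""
    p = PureWindowsPath(path.strip().strip('"'))
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in LOOKALIKES:
        return f"lookalike name {p.name} (genuine binary is {LOOKALIKES[name]}): {path}"
    expected = EXPECTED_DIR.get(name)
    if expected and parent != expected:
        return f"{p.name} outside {expected}: {path}"
    return None

def triage(log):
    """Walk a HijackThis log and collect findings in log order."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"O4 - .*?: \[(.+?)\] (.+)", line):
            # Autorun commands may carry arguments; keep only the executable path.
            exe = re.match(r'"?(.+?\.exe)', m.group(2), re.I)
            if exe and (f := check_path(exe.group(1))):
                findings.append(f"autorun [{m.group(1)}] -> {f}")
        elif m := re.match(r"F2 - REG:system.ini: UserInit=(.+)", line):
            # Anything besides userinit.exe in this value runs at every logon.
            extras = [e for e in m.group(1).split(",") if "userinit.exe" not in e.lower()]
            if extras:
                findings.append("UserInit chains extra command(s): " + "; ".join(extras))
        elif line.lower().startswith("c:\\"):
            if f := check_path(line):
                findings.append("process -> " + f)
    return findings
```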

Disc_Junkie

Call me D_J!
Yes, it's malware!! You should check the drives with Malwarebytes Anti-Malware and Trojan Remover! Also delete the autorun.inf files in the partitions if there are any!!

Trojan Remover: www.softpedia.com/get/Antivirus/Trojan-Remover.shtml

Malwarebytes Antimalware: www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
 

ritish

Journeyman
The two regsvr.exe are not showing in the HijackThis tool because I deleted the two images by ending the processes. Now when I search for regsvr.exe, no search results are found. But on restart it comes back again..
 

mrintech

Technomancer
*www.superantispyware.com/download.html

Update it to the latest definitions and then go for a full scan. Do report back after the scan :)
 

mittyr

silentFOX
@ritish

The genuine file is "Regsvr32.exe"

If you are not getting startup errors like "Windows cannot find regsvr.exe" or errors in the startup of any other programs, it's fine.

"Trojan Remover" was a good suggestion. Hard to get past its boot-time scan. If you still have the problem after the scan, I suggest you give it a try.
 