
Bad trojan, tried everything, help!


Original Message
Name: Brennan
Date: March 14, 2005 at 23:31:52 Pacific
Subject: Bad trojan, tried everything, help!
OS: XP Pro SP1
CPU/Ram: 3.4GHz/1 GB
Comment:

Just today somehow I acquired a really nasty trojan-like intruder that goes by the name of "RegistryManager.exe". It blocks taskmgr.exe (CTRL-ALT-DEL) from opening, prevents msconfig from opening, shuts down Norton Auto Protect, and also blocks regedit from opening. I am able to kill the process as it comes up because I copied taskmgr.exe and renamed the copy to taskmgr.com, which allowed me to open it up. Even after killing the process and going through the entire registry searching for and deleting values for "RegistryManage" and "Register Manager", this process still pops up. Also, deleting the startup for it in msconfig has no effect, as it starts up regardless. I searched Google and found nothing on this process, so I assume it's brand new. If anyone has any ideas on how I could possibly rid my system of this nasty trojan, please respond, as I feel this is only going to spread more quickly.
Until then I will be running in Safe Mode to prevent any further issues.


Response Number 1
Name: Mechanix2Go
Date: March 15, 2005 at 00:27:06 Pacific
Reply:

Hi Brennan,

Smart move on your part to rename taskmgr.

I would have named it something.exe because mix-n-match extensions can have unpredictable consequences.

The next thing I would do is explore to c:\ and search for all exe files. Then sort by date. With luck, any problem EXEs will be later than legit files.

It may very well be that the offending EXE has a bogus time/date stamp, which will make things harder.

Also, there may be an EXE, COM, PIF or SCR which is creating the bad EXE, but does not bear the same name.

HTH

M2


Response Number 2
Name: JackG
Date: March 15, 2005 at 05:13:26 Pacific
Reply:

Sounds like a job for HijackThis. Should help you find all the programs starting. If you can find all of the suspects and kill them at one time, you should be able to stop it from Safe Mode.

Look for any BHO that it might have come in on.

You might want to download, unzip on a different machine and copy it to a diskette to get it into your system.

It would be interesting to know if it is HijackThis aware also. Be sure to copy the suspect modules and upload them to the VirusTotal.com site for scanning as soon as you can to see which AV programs identify it.


Response Number 3
Name: Brennan
Date: March 15, 2005 at 08:17:12 Pacific
Reply:

Alright, I've tried searching my system drive for the said file types and nothing comes up. Searching for just files modified within the last day with a wildcard turns up way too many results. Also, this problem doesn't happen in safe mode at all, just in normal mode. How would HijackThis help me identify what programs are starting the process? Another thing, do you think it may have spawned itself into another process? Anyways I will keep trying and hoping that something comes through. Thanks again.


Response Number 4
Name: Mechanix2Go
Date: March 15, 2005 at 08:24:00 Pacific
Reply:

"Alright I've tried searching my system drive for the said file types and nothing comes up."

If you search for EXE and nothing comes up, likely you need to set folder options to not hide anything.

M2


Response Number 5
Name: Brennan
Date: March 15, 2005 at 08:26:36 Pacific
Reply:

I should have been more specific: the said file types that were modified in the last day. It is searching in hidden files and folders, and in system folders. Should I remove the time requirement? It seems to spawn completely randomly, and I have no idea what process starts it. I will continue to look for solutions, and thank you all for your suggestions and help.


Response Number 6
Name: Mechanix2Go
Date: March 15, 2005 at 08:31:45 Pacific
Reply:

Hi,

I would not restrict the search to date.

Find ALL the EXEs on c:.

There's a bunch.

Then sort by date and look around the date that the troubles started.

M2


Response Number 7
Name: Brennan
Date: March 15, 2005 at 11:38:39 Pacific
Reply:

Well I tried out Microsoft AntiSpyware and it claims it blocked RegistryManage.exe from the startup list, but I rebooted and it started up as normal. While RegistryManage.exe is a running process, HIJACKTHIS WILL NOT OPEN at all, having the same problem as taskmgr.exe, etc. I copied hijack and ran with the suspected process running and at the bottom of this post is what came up, just thought I'd let you know it is also blocking hijack from opening. On another note I searched my system drive for *.exe and sorted by date modified. The only things there were the bad process, and a few .zip files in system32 folder. Any ideas?


Logfile of HijackThis v1.99.1
Scan saved at 12:36:52 PM, on 3/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\taskmgr.com
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\RegistryManage.exe
C:\Copy of HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "c:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Register Manager] RegistryManage.exe
O4 - HKLM\..\RunServices: [Register Manager] RegistryManage.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Register Manager] RegistryManage.exe
O4 - HKCU\..\RunServices: [Register Manager] RegistryManage.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = colorado.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = colorado.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = colorado.edu
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CdrSrv - Unknown owner - c:\recycle\services.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: HdcSrv - Unknown owner - c:\recycle\services.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Response Number 8
Name: Brennan
Date: March 15, 2005 at 12:30:36 Pacific
Reply:

Well, after some researching the system drive for newly modified files, I noticed something that was recently modified in my WINDOWS folder, called "sjkhj32.exe". I checked the properties of this file, and this was found in the Comment tab:

";The comment below contains SFX script commands

Path=c:\recycle
Setup=hide.exe install.bat
Silent=1
Overwrite=2"

So this seems odd, so I go to the specified folder, and notice some very interesting files in there. Here is what was in this folder:

files(folder)
bwcfg.dll
cygcyrpt-0.dll
cygwin1.dll
hide.exe
install.bat
services.exe
smss.exe
svchost.exe
svcx.exe
svcx.reg
windrc.dll
winsgn.dll
winsrvcrond.dll

Just to note, some of these files had properties that said they were last modified BEFORE they were created. Other files had weird subtitles, like "FTP Serv-U Daemon, Cat Soft". I did some research on Google and found this quote on a webpage about the "smss.exe" process: "Note: The smss.exe file is located in the c:\windows\System32 folder. In other cases, smss.exe is a virus, spyware, trojan or worm!"

Based on this information, I think I may have narrowed this down to where it is spawning from, but that still doesn't help me fix it. With HijackThis I ticked any entries having to do with registrymanage.exe, deleted all other traces of registrymanage.exe, rebooted, and it was still there. I thought that the discovery of this new information might help someone help me find out a way to finally disable this sob. Thanks again.


Response Number 9
Name: Mechanix2Go
Date: March 15, 2005 at 12:46:07 Pacific
Reply:

Hi Brennan,

Stick with it.

I've got to sleep.

Check you tomorrow.

M2


Response Number 10
Name: Brennan
Date: March 15, 2005 at 12:59:16 Pacific
Reply:

Well, I don't know why it took me until now to notice this, but when RegistryManager.exe is running, in my networking tab in taskmgr it is showing a significant amount of upload. I'm starting to wonder what it is uploading, and how long I can keep trying before I format.


Response Number 11
Name: HiJinx
Date: March 15, 2005 at 16:56:35 Pacific
Reply:

I'm starting to wonder what it is uploading

It may be seeking new victims, or it may have turned your computer into a spam-bot.

There are places things can load from which aren't covered by HijackThis or msconfig. Before you format, it would be worth posting your log to SpywareWarrior.com. They can walk you through using other programs to root out the bad registry entries and files.

That being said, you could try the following to see if it makes a difference...

While in Safe Mode, run HijackThis and check the four O4 entries for registrymanage.exe. Also check the entry:

O23 - Service: HdcSrv - Unknown owner - c:\recycle\services.exe

and click the 'Fix Checked' button.

Then rename the c:\recycle folder to something else like c:\recycleBAK. It would probably be safe to delete it, but just rename it for now. Don't touch c:\recycler if you see it... that one's good.

Also search for and delete registrymanage.exe and you can probably also delete the sjkhj32.exe. Then reboot normally and see what happens.

---

BTW, if you haven't turned off your System Restore yet, if you actually do one to a date before the infection, it will likely clear the whole mess. If it doesn't work, you'll at least be no worse off than when you started.

start>programs>accessories>system tools>system restore

If you do the restore and it works, you should then purge it by turning it off, rebooting, and then turning it back on again, since any restore points created after the infection will be infected.
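
The check described in the reply above (the O4 entries for RegistryManage.exe and the O23 service under c:\recycle), as an added example that is not part of the original posts: a Python triage of HijackThis-format lines copied from the log in this thread. The flagging rules and the names `triage` and `image_of` are assumptions of this example, not HijackThis features.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Register Manager] RegistryManage.exe
O4 - HKLM\..\RunServices: [Register Manager] RegistryManage.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Register Manager] RegistryManage.exe
O23 - Service: CdrSrv - Unknown owner - c:\recycle\services.exe
O23 - Service: HdcSrv - Unknown owner - c:\recycle\services.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Assumed triage rules (this example's own, not part of HijackThis).
BARE = "autostart command has no directory"
MULTI = "same value name in several autostart keys"
UNKNOWN = "service owner unknown"
MIMIC = "system binary name outside System32"

# Windows system process names; SYSTEM_DIR assumes C:\WINDOWS as in the log.
SYSTEM_NAMES = {"services.exe", "smss.exe", "svchost.exe",
                "lsass.exe", "winlogon.exe", "csrss.exe"}
SYSTEM_DIR = r"c:\windows\system32"

O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[(.*?)\] (.+)$")
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|pif|bat))(?=\s|$)', re.I)


def image_of(command):
    """Return the executable part of a command line, without arguments."""
    m = IMAGE_RE.match(command.strip())
    if not m:
        return command.split()[0]
    return m.group(1) or m.group(2)


def triage(log_text):
    """Map entry name -> sorted list of reasons it deserves a closer look."""
    reasons = defaultdict(set)
    keys_by_value = defaultdict(set)
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            keys_by_value[name].add(hive + "\\" + key)
            # A bare filename alone is a weak signal (nwiz.exe has it too).
            if not ntpath.dirname(image_of(command)):
                reasons[name].add(BARE)
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, owner, path = parts
            image = image_of(path)
            if owner == "Unknown owner":
                reasons[name].add(UNKNOWN)
            if (ntpath.basename(image).lower() in SYSTEM_NAMES
                    and ntpath.dirname(image).lower() != SYSTEM_DIR):
                reasons[name].add(MIMIC)
    # One value name registered under Run and RunServices, HKLM and HKCU.
    for name, keys in keys_by_value.items():
        if len(keys) > 1:
            reasons[name].add(MULTI)
    return {name: sorted(r) for name, r in reasons.items()}


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(why)}")
```

On these lines the CdrSrv service is flagged for the same two reasons as HdcSrv, since both point at c:\recycle\services.exe.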


Response Number 12
Name: www
Date: March 15, 2005 at 22:44:06 Pacific
Reply:

ran a search for cygwin1.dll at sarc.com
and got 13 hits for various irc and backdoor trojans.
17 results found, for smss.exe

maybe download stinger.exe from McAfee, run in safemode.
disable system restore, reboot run antivirus
and other trojan cleaners. until it's clean.
then enable system restore again.
another good trojan remover is tds-3
link for that at
http://www.computing.net/security/wwwboard/tools.html

you also need a firewall, so you can block outgoing connections this trojan is making.
you might need to install it from safemode to get it going.



Response Number 13
Name: Brennan
Date: March 15, 2005 at 23:58:06 Pacific
Reply:

Shortly after my last post I essentially did what HiJinx said to do: I deleted the sjkhj32.exe file and the c:\recycle\ directory, removed all instances of the registrymanage.exe and variations in the registry, deleted registrymanage.exe from system32 and rebooted. When I came back into Windows the process didn't start right away like it always had before, and all the files and entries that I deleted were still gone. And they have been ever since, which is almost 11 hours. I hope that anyone who finds themselves with this annoying trojan can also get out of it without needing a format. Thank you to everyone who posted your thoughts on the matter; without those I would have formatted in the beginning.


Response Number 14
Name: Abnormal
Date: March 16, 2005 at 14:53:29 Pacific
Reply:

"also blocking hijack from opening."
That tells me why I can't find anything
on the problem you had.

Did you upload the files like Jack
suggested so others will get help with
the new virus/trojan/worm?



Response Number 15
Name: aznrockguy
Date: March 16, 2005 at 15:32:56 Pacific
Reply:

This may be a new virus that McAfee and Symantec have yet to post an update for. You may have noticed the increase in network traffic from your machine. I hear that it can generate 40,000 hits per second. Most likely your Windows is not updated to Service Pack 2 if you use Windows XP.

You should probably go to c:\windows\prefetch and delete all the files there. If you run a search on your machine, you will only find registrymanage there.

Other instances of this virus I've seen use volumecontrol.exe.

After deleting all the files in the prefetch folder, go to regedit and search for all registry values of registrymanage.exe. Delete all of them. Delete only the values, not the entire key. You may cause Windows not to start if you try to delete the whole key.


Response Number 16
Name: Brennan
Date: March 16, 2005 at 15:54:36 Pacific
Reply:

Well after this happened I got SP2 and zonealarm firewall. Zonealarm is showing that people on my internal network keep trying to access me via various TCP ports all originating from port 445 of their system. Is this the type of traffic that you were talking about? Also a question for Abnormal, since I already deleted the files is there anything I can upload to a site about this virus? If so what site should I upload it to? To alex, when I return to my machine I will take a look at what you mentioned. Thanks.


Response Number 17
Name: Abnormal
Date: March 16, 2005 at 19:37:25 Pacific
Reply:

Brennan,
they need the files to write removal instructions or a fix tool. Your post of what you found should help others. You exposed this

O4 - HKLM\..\Run: [Register Manager] RegistryManage.exe
O4 - HKLM\..\RunServices: [Register Manager] RegistryManage.exe

as a bad file. At least it's out of the closet.


Response Number 18
Name: Mechanix2Go
Date: March 17, 2005 at 20:55:06 Pacific
Reply:

port 445 is among the usual suspects.

M2


Response Number 19
Name: aznrockguy
Date: March 18, 2005 at 11:11:45 Pacific
Reply:

"Well after this happened I got SP2 and zonealarm firewall. Zonealarm is showing that people on my internal network keep trying to access me via various TCP ports all originating from port 445 of their system. Is this the type of traffic that you were talking about? Also a question for Abnormal, since I already deleted the files is there anything I can upload to a site about this virus? If so what site should I upload it to? To alex, when I return to my machine I will take a look at what you mentioned. Thanks. "

Well, if you are excessively getting accessed on that port, then it's probably virus traffic on your network attempting to infect your machine. The traffic I mentioned is coming from your machine. At least that's what I suspect it to be.

I just got notified that registrymanage.exe is still unknown to McAfee so they have yet to identify the virus if it is one.

As for what port 445 does, check this out: http://www.petri.co.il/what_is_port_445_in_w2kxp.htm


Response Number 20
Name: sandeep_taurean
Date: March 22, 2005 at 21:24:48 Pacific
Reply:

Hey!

I believe you have tried many ways to remove that trojan. Here is another one:

Download Avast Antivirus from www.avast.com
(free for home use) and run a scheduled Avast boot scan; it will delete all the virus-affected files.

Bye!


Response Number 21
Name: Greensystemsgo
Date: April 2, 2005 at 12:38:43 Pacific
Reply:

I know you do not want to hear this, but
when in doubt, reinstall.



Response Number 22
Name: Ry Spy
Date: April 6, 2005 at 06:20:48 Pacific
Reply:

I agree with Greensystemsgo.

If you decide to reinstall then back up your files regularly and store them on another HD, so whenever disaster strikes, you are prepared to face it.


Expert™


