Author Topic: registry editor  (Read 10371 times)

oversky

  • Participant
  • Joined in 2008
  • Posts: 19
registry editor
« on: February 21, 2009, 11:55 PM »
From ntbtlog.txt (the XP boot log file), I found out there is a driver file that changes its name every time I reboot.

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys

However, when I log in to XP, I can't find the suspect file.
This possible virus also appears in the registry (HKLM\System\CurrentControlSet\Services\), and also changes its name when I reboot.
But no real filename is recorded in that registry item.

I have used NOD32 4RC and AntiVir (with updated virus definitions) to scan the hard drive in safe mode, but no luck.

When the computer is turned off, I think the virus writes back its real name to the registry so that XP knows to run it when I boot up.
Is there a registry editor that can edit registry on another hard drive?
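As an added example (not code from any poster in this thread): a small script that diffs the "Loaded driver" lines of two ntbtlog.txt captures taken on consecutive boots, so a driver whose file name changes every reboot, like a5mzjxub.SYS above, stands out from the stable drivers. The two log excerpts are constructed; the first mirrors the lines quoted in the post and the second boot's random name is invented.

```python
import re

# Constructed ntbtlog.txt excerpts standing in for two consecutive boots of the same machine.
# The first mirrors the lines quoted in the post; the second boot's random name is invented.
BOOT_1 = r"""
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys
"""
BOOT_2 = r"""
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\kq2wzn7d.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys
"""

LOADED = re.compile(r"^Loaded driver (\S+)", re.IGNORECASE)
# Heuristic for machine-generated names: exactly 8 letters/digits, at least one digit, .sys extension.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{8}\.sys$", re.IGNORECASE)


def loaded_drivers(log_text):
    """Driver file names (lower-cased, in load order) from the 'Loaded driver' lines of a boot log."""
    names = []
    for line in log_text.splitlines():
        m = LOADED.match(line.strip())
        if m:
            names.append(m.group(1).rsplit("\\", 1)[-1].lower())
    return names


def compare_boots(log_a, log_b):
    """Drivers seen in only one of the two boots; a stable driver cancels out, a renamed one does not."""
    a, b = set(loaded_drivers(log_a)), set(loaded_drivers(log_b))
    return sorted(a - b), sorted(b - a)


def suspicious_drivers(log_a, log_b):
    """Single-boot drivers whose names also look machine-generated."""
    only_a, only_b = compare_boots(log_a, log_b)
    return [n for n in only_a + only_b if RANDOM_NAME.match(n)]


if __name__ == "__main__":
    for name in suspicious_drivers(BOOT_1, BOOT_2):
        # The matching service entry lives under HKLM\SYSTEM\CurrentControlSet\Services; if the file
        # is absent once Windows is up, compare the hive offline (from a boot CD) with the live view.
        print(f"driver present in one boot only, random-looking name: {name}")
```

Run it against two real ntbtlog.txt copies saved after successive boots; a legitimate driver set produces no output.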

steeladept

  • Supporting Member
  • Joined in 2006
  • Posts: 1,061
Re: registry editor
« Reply #1 on: February 22, 2009, 12:02 AM »
Have you tried a rootkit detector? It may well be something NOD32 et al. can't fix - or it may not really be a problem.

As for the registry issue, I could be wrong, but I don't believe there is anything that can look at a registry that is not booted.  In other words, if you slave the drive to another computer and run regedit, it will show the existing registry and not the one on the slave drive.  To open the one on the slave drive, I *believe* that you must boot to it.

PhilB66

  • Supporting Member
  • Joined in 2007
  • Posts: 1,522
Re: registry editor
« Reply #2 on: February 22, 2009, 12:16 AM »
Do you have cFosSpeed installed?

oversky

  • Participant
  • Joined in 2008
  • Posts: 19
Re: registry editor
« Reply #3 on: February 22, 2009, 01:53 AM »
Yes, I tried the Avira AntiRootkit Tool, and I have cFosSpeed installed.

PhilB66

  • Supporting Member
  • Joined in 2007
  • Posts: 1,522
Re: registry editor
« Reply #4 on: February 22, 2009, 03:55 AM »
> I have cFosSpeed installed.

That's what you are looking for.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: registry editor
« Reply #5 on: February 22, 2009, 05:10 AM »
Does cFosSpeed change its driver name? My guess is that it's the "a5mzjxub.SYS" device that's bothering you... could be a rootkit, but dunno - do you have something like Daemon Tools installed?
- carpe noctem

oversky

  • Participant
  • Joined in 2008
  • Posts: 19
Re: registry editor
« Reply #6 on: February 22, 2009, 02:42 PM »
Sorry I didn't make my statement clear. It is a5mzjxub.SYS that bothers me. And yes, I have Daemon Tools installed. It installed sptd.sys at a very early stage, the 5th shown in ntbtlog.txt.

oversky

  • Participant
  • Joined in 2008
  • Posts: 19
Re: registry editor
« Reply #7 on: February 22, 2009, 05:42 PM »
f0dder, you are my hero. Yes, it's Daemon Tools that installed this strange device. Is this done on purpose?

> Sorry I didn't make my statement clear. It is a5mzjxub.SYS that bothers me. And yes, I have Daemon Tools installed. It installed sptd.sys at a very early stage, the 5th shown in ntbtlog.txt.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: registry editor
« Reply #8 on: February 22, 2009, 06:47 PM »
> f0dder, you are my hero. Yes, it's Daemon Tools that installed this strange device. Is this done on purpose?
>
>> Sorry I didn't make my statement clear. It is a5mzjxub.SYS that bothers me. And yes, I have Daemon Tools installed. It installed sptd.sys at a very early stage, the 5th shown in ntbtlog.txt.

Yes, I believe it is - Daemon Tools does a lot of stuff to try and avoid detection from game DRM crap. If you don't need this hiding capability, you can check out SlySoft's freeware Virtual CloneDrive or the freeware MagicDisc :)
- carpe noctem

dforionstar

  • Participant
  • Joined in 2009
  • Posts: 3
Re: registry editor
« Reply #9 on: March 07, 2009, 04:04 PM »

> Is there a registry editor that can edit registry on another hard drive?

Check out: http://regeditpe.sourceforge.net/ . Here is what it does: "Registry Editor PE is an Open Source plug-in for Bart's PE Builder which allows an administrator to easily edit registry hives and user profiles for any NT-based operating system which is not currently running."

It's a bit of work to set up BartPE, but it will allow you to edit a non-running registry, by hive.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: registry editor
« Reply #10 on: March 07, 2009, 04:09 PM »
Thanks for the link, that could turn out very useful!

IMHO BartPE was pretty easy to set up, and it can be pretty useful. I used it, for instance, to get all files in %SYSTEMROOT%\system32 NTFS compressed :)
- carpe noctem

dforionstar

  • Participant
  • Joined in 2009
  • Posts: 3
Re: registry editor
« Reply #11 on: March 07, 2009, 04:13 PM »
> Thanks for the link, that could turn out very useful!

You are most welcome. Do you have a favorite registry editor, besides the basic built-in one?

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: registry editor
« Reply #12 on: March 07, 2009, 04:24 PM »
> You are most welcome. Do you have a favorite registry editor, besides the basic built-in one?

I haven't found one which I really like, but I do often miss features in the standard Windows regedit. I've tried Resplendence Registrar, but I don't like it enough to register, and find its GUI a bit strange... but its search & replace is definitely better than regedit's :)
- carpe noctem

PhilB66

  • Supporting Member
  • Joined in 2007
  • Posts: 1,522
Re: registry editor
« Reply #13 on: March 07, 2009, 09:30 PM »

xtabber

  • Supporting Member
  • Joined in 2007
  • Posts: 618
Re: registry editor
« Reply #14 on: March 07, 2009, 09:44 PM »
I've been quite satisfied with Reg Organizer ( http://www.chemtable.com/organizer.htm ), currently $39.95.

TucknDar

  • Charter Member
  • Joined in 2005
  • Posts: 1,133
Re: registry editor
« Reply #15 on: March 08, 2009, 04:09 AM »
I'm very happy with Registry Workshop. Does what I need, and a lot more. It's shareware, with "Free updates in the lifetime of the product."