Author Topic: registry editor (Read 11102 times)

oversky · « **on:** February 21, 2009, 11:55 PM »

From ntbtlog.txt (xp boot log file), I found out there is a driver file changed its name everytime I reboot.

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys

However, when I login xp, I can't find the suspect file.
This possible virus also appears in registry (HLKM/System/CurrentControlSet/Services/), and also changes its name when I reboot.
But no real filename is recorded in that registry item.

I have used NOD32 4RC and antivir (with updated virus code) to scan the hardrive in safe mode, but no luck.

When the computer is turned off, I think the virus write back its real name to registry so that xp know to run it when I boot up.
Is there a registry editor that can edit registry on another hard drive?

steeladept · « **Reply #1 on:** February 22, 2009, 12:02 AM »

Have you tried a rootkit detector? It may well be something NOD32 et. al. can't fix - or it may not really be a problem.

As for the registry issue, I could be wrong, but I don't believe there is anything that can look at a registry that is not booted. In other words, if you slave the drive to another computer and run regedit, it will show the existing registry and not the one on the slave drive. To open the one on the slave drive, I *believe* that you must boot to it.

PhilB66 · « **Reply #2 on:** February 22, 2009, 12:16 AM »

Do you have cFosSpeed installed?

oversky · « **Reply #3 on:** February 22, 2009, 01:53 AM »

Yes, I tried avira Avira AntiRootkit Tool, and I have cFosSpeed installed.

PhilB66 · « **Reply #4 on:** February 22, 2009, 03:55 AM »

I have cFosSpeed installed.
-oversky (February 22, 2009, 01:53 AM)

That's what you are looking for.

f0dder · « **Reply #5 on:** February 22, 2009, 05:10 AM »

Does cFosSpeed change it's driver name? My guess is that it's the "a5mzjxub.SYS" device that's bothering you... could be a rootkit, but dunno - do you have something like daemon-tools installed?

oversky · « **Reply #6 on:** February 22, 2009, 02:42 PM »

Sorry I didn't make my statement clear. It is a5mzjxub.SYS that bothers me. And yes, I have daemon tool installed. It installed sptd.sys on every early stage, the 5th shown in the ntbtlog.txt.

oversky · « **Reply #7 on:** February 22, 2009, 05:42 PM »

f0dder, you are my hero. Yes, it's daemon tool installed this strange device. Is this done by purpose?

Sorry I didn't make my statement clear. It is a5mzjxub.SYS that bothers me. And yes, I have daemon tool installed. It installed sptd.sys on every early stage, the 5th shown in the ntbtlog.txt.
-oversky (February 22, 2009, 02:42 PM)

f0dder · « **Reply #8 on:** February 22, 2009, 06:47 PM »

f0dder, you are my hero. Yes, it's daemon tool installed this strange device. Is this done by purpose?

Sorry I didn't make my statement clear. It is a5mzjxub.SYS that bothers me. And yes, I have daemon tool installed. It installed sptd.sys on every early stage, the 5th shown in the ntbtlog.txt.
-oversky (February 22, 2009, 02:42 PM)
-oversky (February 22, 2009, 05:42 PM)

Yes, I believe it is - daemon-tools does a lot of stuff to try and avoid detection from game DRM crap. If you don't need this hiding capability, you can check out SlySoft's freeware Virtual CloneDrive or the freeware MagicDisc

dforionstar · « **Reply #9 on:** March 07, 2009, 04:04 PM »

Is there a registry editor that can edit registry on another hard drive?
-oversky (February 21, 2009, 11:55 PM)

Check out : http://regeditpe.sourceforge.net/ . Here is a what it does: "Registry Editor PE is an Open Source plug-in for Bart's PE Builder which allows an administrator to easily edit registry hives and user profiles for any NT-based operating system which is not currently running."

Its a bit of work to set up BartPE, but it will allow you to edit a non-running registry, by hive.

f0dder · « **Reply #10 on:** March 07, 2009, 04:09 PM »

Thanks for the link, that could turn out very useful!

IMHO BartPE was pretty easy to setup, and it can be pretty useful. I used it, for instance, to get all files in %SYSTEMROOT%\system32 NTFS compressed

dforionstar · « **Reply #11 on:** March 07, 2009, 04:13 PM »

Thanks for the link, that could turn out very useful!
-f0dder (March 07, 2009, 04:09 PM)

You are most welcome. Do you have a favorite registry editor, besides the basic built-in one?

f0dder · « **Reply #12 on:** March 07, 2009, 04:24 PM »

You are most welcome. Do you have a favorite registry editor, besides the basic built-in one?
-dforionstar (March 07, 2009, 04:13 PM)

I haven't found one which I really like, but I do often miss features in the standard Windows regedit. I've tried Resplendence Registrar, but I don't like it enough to register, and find it's GUI a bit strange... but it's search&replace is definitely better than regedit

PhilB66 · « **Reply #13 on:** March 07, 2009, 09:30 PM »

Have a look at RegAlyzer.

Features

Screenshots

xtabber · « **Reply #14 on:** March 07, 2009, 09:44 PM »

I've been quite satisfied with Reg Organizer ( http://www.chemtable.com/organizer.htm ) currently $39.95.

TucknDar · « **Reply #15 on:** March 08, 2009, 04:09 AM »

I'm very happy with Registry Workshop. Does what I need, and a lot more. It's shareware, with "Free updates in the lifetime of the product."

Author Topic: registry editor (Read 11102 times)

oversky

registry editor

steeladept

Re: registry editor

PhilB66

Re: registry editor

oversky

Re: registry editor

PhilB66

Re: registry editor

f0dder

Re: registry editor

oversky

Re: registry editor

oversky

Re: registry editor

f0dder

Re: registry editor

dforionstar

Re: registry editor

f0dder

Re: registry editor

dforionstar

Re: registry editor

f0dder

Re: registry editor

PhilB66

Re: registry editor

xtabber

Re: registry editor

TucknDar

Re: registry editor