
registry editor


oversky:
From ntbtlog.txt (the XP boot log file), I found out that there is a driver file that changes its name every time I reboot.

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys

However, when I log in to XP, I can't find the suspect file.
This possible virus also appears in the registry (HKLM/System/CurrentControlSet/Services/), and also changes its name when I reboot.
But no real filename is recorded in that registry item.

I have used NOD32 4RC and AntiVir (with updated virus code) to scan the hard drive in safe mode, but no luck.

When the computer is turned off, I think the virus writes back its real name to the registry so that XP knows to run it when I boot up.
Is there a registry editor that can edit the registry on another hard drive?
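
The boot-log comparison described in the post above can be automated; this is an added example, not part of the original post. It flags drivers that were loaded in exactly one boot, which also catches a driver installed just before the latest boot, so the output is a triage list. The sample log, its header lines, and the names q7rtkd2w.SYS, m3vbx9lc.SYS and example.SYS are constructed, and treating every non-driver line as a boot header is an assumption.

```python
import re
from collections import Counter

# Constructed sample: three boots in the style of the excerpt above. The header
# lines and the names q7rtkd2w.SYS / m3vbx9lc.SYS are invented for illustration.
SAMPLE_LOG = r"""
[boot 1 header, constructed]
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\a5mzjxub.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys
[boot 2 header, constructed]
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\q7rtkd2w.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys
[boot 3 header, constructed]
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\Drivers\m3vbx9lc.SYS
Did not load driver \SystemRoot\System32\Drivers\example.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cfosspeed.sys
"""

DRIVER_LINE = re.compile(r"^(Loaded|Did not load) driver\s+(.+)$", re.IGNORECASE)

def parse_boot_sessions(text):
    """Split the log into boots; return one set of loaded driver paths per boot."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_LINE.match(line)
        if m is None:
            # Assumption: any other non-empty line belongs to a boot header.
            if current is None or current:
                current = set()
                sessions.append(current)
        else:
            if current is None:
                current = set()
                sessions.append(current)
            if m.group(1).lower() == "loaded":
                # Lower-case so \System32\Drivers and \system32\DRIVERS compare equal.
                current.add(m.group(2).lower())
    return [s for s in sessions if s]

def single_boot_drivers(sessions):
    """Return (boot number, path) for drivers loaded in exactly one boot."""
    if len(sessions) < 2:
        return []  # nothing to compare against
    seen = Counter(path for s in sessions for path in s)
    return sorted((n, p) for n, s in enumerate(sessions, 1) for p in s if seen[p] == 1)
```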

steeladept:
Have you tried a rootkit detector? It may well be something NOD32 et al. can't fix - or it may not really be a problem.

As for the registry issue, I could be wrong, but I don't believe there is anything that can look at a registry that is not booted.  In other words, if you slave the drive to another computer and run regedit, it will show the existing registry and not the one on the slave drive.  To open the one on the slave drive, I *believe* that you must boot to it.

PhilB66:
Do you have cFosSpeed installed?

oversky:
Yes, I tried Avira AntiRootkit Tool, and I have cFosSpeed installed.

PhilB66:
I have cFosSpeed installed.
-oversky (February 22, 2009, 01:53 AM)
--- End quote ---

That's what you are looking for.
