Security Alert!!! Registry Errors

[RajanPERT 0]

Please help me.

1.

Event Type: Information

Event Source: Application Popup

Event Category: None

Event ID: 26

Date: 8/26/2005

Time: 10:50:03 PM

User: N/A

Computer: PERT

Description:

Application popup: Messenger Service : Message from SYSTEM to ALERT on 8/26/2005 10:50:02 PM

!!!SECURITY ALERT!!!

Windows has detected registry errors on your computer!

Registry errors can cause potential data loss.

Windows recommends an immediate system scan.

Visit: http://www.winregfix.com for a FREE registry scan.

2.

Event Type: Information

Event Source: Application Popup

Event Category: None

Event ID: 26

Date: 8/26/2005

Time: 2:40:23 PM

User: N/A

Computer: PERT

Description:

Application popup: Messenger Service : Message from SYSTEM to ALERT on 8/26/2005 2:40:22 PM

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found 47 CRITICAL SYSTEM ERRORS!

To fix the errors please do the following:

1. Download Repair Registry Pro from: http://www.regfixup.com

2. Install Repair Registry Pro

3. Run Repair Registry Pro

4. Reboot your computer

FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

I got these message or same many messages related to the registry error with different website name. This messages only present when I am online and using Internet explorer; the WinWord shortcut from Start Menu is also deleted. I got these message after every 1 or 2 min.

Please help me.

[Chirag 5]

This is a virus which i had on my machine some time back. U'd need an updated version of antivirus(I used AVG) and preferably lavasoft ad-aware to remove stupid spywares from ur machine.

[Vishal Gupta 4]

Or the BEST solution is use Firefox...

It'll automatically block such Ads.

[Chirag 5]

naah.. its not the pop ups which is an issue wid him, its the spyware which runs in the background in the comp. So after installing Lavasoft Ad-aware, scan ur machine after logging in the SAFE MODE of the OS. That ways, it keeps the least number of proggies running and also these spywares dont run and can be effectively deleted or quarantined. This was told to me by Manoj, which really helped me.

[RajanPERT 0]

Please send me the location of the any spyware or antivirus (which are small in size). which i can download from internet. Presently i didnot have any antivirus in my system.

Thanks

[Chirag 5]

Presently i didnot have any antivirus in my system.

39130[/snapback]

wow!

vishal, kindly help him with the links quickly.

[Vishal Gupta 4]

Rajanpert!

If u r using windows XP, then d/l and install SP2 and all updates.

Then d/l ne of following free anti virus s/w, both work gr8:

Download AVG

Download Avast

And don't forget to install Microsoft AntiSpyware:

Microsot Anti Spyware

[RajanPERT 0]

I understand your laughing, but I am using my system without any ant virus more than one year and I did not face any problem till now. Now I have too solved my problem. This may be a virus but I did not know its name but it create a file named seeve.exe in the windows folder and activate this file through the registry startup section. I clean all the file and information related to the virus from the set and did not found any popup till now about 5 min.

But when I start the system. It automatically access the r connect dialer and a website named o.dynamicip.us is requested the connection to the internet. Any body know where these entries are saved in the Windows XP system.

Thanks for comment

Take Care!

[ashoksoft 83]

hey btw did u try http://www.trendmicro.com/housecall ?

u might have something of intrest there..

Cheers

Ashok

[Vishal Gupta 4]

Type msconfig in Run dialog box, and goto Startup tab, and check whether is ne suspicious application listed there (like one u mentioned seeve.exe).

If yes, then simply uncheck it, apply and restart ur comp in Safe mode and delete that file from Windows folder.

It should solve the problem!!!

[RajanPERT 0]

Presently as i know no suspicious application is running. I also check my Windows Task Manager. But when I start the system. It automatically access the r connect dialer and a website named o.dynamicip.us is requested the connection to the internet. Any body know where these entries are saved in the Windows XP system.

But i am sure The r connect dialer become active after the web request.

[Vishal Gupta 4]

Try one thing!

Right-click on Internet Explorer icon on desktop and select Properties.

And set Blank Page as the Home page.

Now goto Connections tab, and select Never Dial a connection.

Hope It'll help u...

[RajanPERT 0]

These settings are already checked. U did not understand. when we start our system (by restart or after properly shutdown). The desktop is not appear i got the r connect dialer window (it is not running, only dialog box). In which a message display that some program or application request the connection with the web (Which i described in previous post). It does not related to the IE anyway as i think. When i checked the never asked me until next login. It does not ask me. My system is working fine.

I am not have knowledge in the field of connection to the internet (its procedure). means which files are used in this process.

Can u please give me the download location of the Adware. which described by the Chirag. It may solve the problem.

[ashoksoft 83]

Rajanparet .... for Lavasoft ad-aware try this http://www.lavasoftusa.com/software/adaware

Cheers

Ashok

[RajanPERT 0]

Thanks for your all support. My Problem finally solved.

Very Very Thanks!

[ssr 10]

By how from some antispyware or u manully did something?

[RajanPERT 0]

First Sorry for not describe problem's solution.

The Process are described step by step.

1. Seeve.exe is not responsible for all of these activities. It is only a network related file in the WinXP. These activities are done by the Trojan Horse and attack by the Symantec Companies Ad ware attack (You Surprised, But i have a batch file).

2. These attacks are start on Date 26-08-2005 at 11.00 AM. When my brother access something from a user group (I don't know what, because he did not describe me properly.) He got popup of registry warning and when he try to access the website which are described in the warning. He are redirected to www.windowsup.nt (like something) and attack of about 7 Trojan horse are start.

3. The system is fully functional, but when we access the Internet, the following popup displayed with different websites name, which domain name is not assigned to anybody, as i think.

4. I checked the my windows and System32 directory for the new file which are created after the attack is begin and also send a message to the RIMWEB for the help. In first, through out checked, i found the file seeve.exe behaved something differently. Because it modified to 26 Aug. I removed this file, but it is created again.

5. I know it is a system file. But according their behave i checked it in msconfig and i found it is managed by the registry value. I searched in the registry and rename its entry from the registry editor by the help of regedit.

6. When next time i accessed the internet, the message is not displayed. But a new problem is started. Which i restart the computer, the some program are try to access the internet with different website name.

7. I again search the computer for the new changing. I move all the files which are created after 26 Aug. (Not all the file, only from system32 directory.)

8. I again checked the msconfig after the message of Vishal and finally i get a entry of a file named syshost.exe (A popular Trojan horse as i know). I remove all its system entries.

9. My problem solved properly. I send the message of problem solution.

10. But when after two restart (due to light problem). I have another round of attack which is more powerful then previous.

11. My system start to get very slow speed and when i start Firefox. it automatically connected to the Symantec website with the system scan web page. When I checked the settings of Firefox and also the Internet Explorer. I found two webs as a trusted sites. But these entries are not done by me.

12. After these i finally download the AVG free edition, and scan my system. I found 7 Trojan horse and these files are successfully healed by AVG.

13. But a file named Orans.sys is not properly healed. When AVG delete it, it created again. I search its all entries but did not find nothing.

14. After that i download Lava Soft's Ad Aware and take complete scan. It only solved Symantec problem. But problem is not solved. Because the Trojan Horse: Agent CX (Orans.sys) is not removed.

15. I take help of Kaspersky Antivirus and Kaspersky Anti - Hacker. After running the shield of these two. I manually run the AVG on Orans.sys and successfully remove the file.

16. This step is followed by me at 10 pm today and after two restart, Orans.sys is not created again. I finally Uninstall the Kaspersky Anti Virus from my system.

I think the problem is now completely solved. I also search the system for new changed and find a file named z.bat which are install by the Symantec. I removed it.

Finally, I think, it over. Thanks for Support.

Take Care!

[RajanPERT 0]

Finally, It’s all over!

I get the solution of the last Trojan Horse AgentCX present in my system. Which create a file named Orans.sys in the Windows\system32 folder. This is the solution:

1) Click Start >> Run.

2) Type services.msc and press enter.

3) In the list of services find the service named 'netinfo'.

Right Click it Click Properties (Or double click it)

4) Change the startup type of it to Disabled.

5) Restart your computer

6) after restarting Click Start >> Run,

7) Type, "sc delete netinfo" (without quotes) in Open Text Box and press Enter.

8) Now open My Computer Go to C:\WINDOWS\system32 and delete the file

orans.sys if it still exists.

More comments and Solution are invited.

Thanks and Take Care!