Boot Problem / Registry Question


P. Qwan

Hello,

I have a friend with a Dell Laptop running Windows 2000. He said he was
having problems with so I went over to his house to take a look at it. I
turned it on and it seemed to be booting normally. It got past the login
screen, the screen that says, "Loading your personal settings...", and the
"welcome" sound effect, but it stopped there with a blue background and an
hour glass cursor (which I was able to move around with the mouse).
Subsequent reboots yielded the same result. While at this blue screen, I am
able to ctrl-alt-del to bring up Task Manager. It will boot up in Safe
Mode. I tried to boot up with "Last Known Good Configuration", but it did
the same thing.

I was looking in the Run folder in the Registry (while in Safe mode) to see
what was being loaded at boot up. I recognized most of the entries, except
one called "tsx" with a value of "regedlt.exe". The letter between the "d"
and "t" is an "l", as in lamb, not a capital "I". I did a search on the
file and it is one of the Windows folders. Also, it's listed as a process
that is running when I look in Task Manager. This same entry is also in
the Run Once, and Run Services folders.

I did a search on the file on the web and in newsgroups, and didn't get any
results. (Google asked me if I meant "regedit".)

I am wondering if anyone has heard of this file? Is the problem likely to
be one of the files being loaded in the Run folder of the registry? I did a
search on each file being loaded, and they were all present on the c: drive.

My friend said the last thing he did before he powered off was check stock
prices at a web site. He is also doing his taxes and may have downloaded
files from the online tax service.

Well, any help would be appreciated.

P. Qwan
 

Pegasus (MVP)

P. Qwan said:
Hello,

I have a friend with a Dell Laptop running Windows 2000. He said he was
having problems with so I went over to his house to take a look at it. I
turned it on and it seemed to be booting normally. It got past the login
screen, the screen that says, "Loading your personal settings...", and the
"welcome" sound effect, but it stopped there with a blue background and an
hour glass cursor (which I was able to move around with the mouse).
Subsequent reboots yielded the same result. While at this blue screen, I am
able to ctrl-alt-del to bring up Task Manager. It will boot up in Safe
Mode. I tried to boot up with "Last Known Good Configuration", but it did
the same thing.

I was looking in the Run folder in the Registry (while in Safe mode) to see
what was being loaded at boot up. I recognized most of the entries, except
one called "tsx" with a value of "regedlt.exe". The letter between the "d"
and "t" is an "l", as in lamb, not a capital "I". I did a search on the
file and it is one of the Windows folders. Also, it's listed as a process
that is running when I look in Task Manager. This same entry is also in
the Run Once, and Run Services folders.

I did a search on the file on the web and in newsgroups, and didn't get any
results. (Google asked me if I meant "regedit".)

I am wondering if anyone has heard of this file? Is the problem likely to
be one of the files being loaded in the Run folder of the registry? I did a
search on each file being loaded, and they were all present on the c: drive.

My friend said the last thing he did before he powered off was check stock
prices at a web site. He is also doing his taxes and may have downloaded
files from the online tax service.

Well, any help would be appreciated.

P. Qwan

Since you can boot in Safe Mode, the damage is done by
a driver or by a program loaded at boot time. Run msconfig.exe
(http://www.svrops.com/svrops/dwnldoth.htm) and disable all
non-essential startup tasks until you find the culprit. Have you
scanned the PC with an updated virus scanner?
 

P. Qwan

Thanks for your help. I downloaded msconfig.exe and ran it in Safe Mode.
The first thing I disabled was the regedlt.exe entry on the Startup tab. I
rebooted after doing so and the problem was still there. I noticed that
regedlt.exe was still listed as a process running in Task Manager, even
though I had disabled it.

I went back into Safe Mode and started Msconfig again. When I looked at the
Startup tab, there were two new entries for regedlt.exe, and both were
selected. The two new entries were in HK Local Machine and HK Current User,
if I remember correctly. Well this made me very suspicious, so I decided to
just delete all regedlt.exe entries in the registry, and the file itself.

Well, after I did that, the problem was gone and it booted up normally,
except for some error messages saying that a file called "N" couldn't be
located. I rebooted again just to make sure and it came up normal again.
Then I asked my friend to log on to his ISP and make sure that was OK. He
logged on, and started IE. His home page was set to the Stocks page he had
told me about earlier. I forget now what the name of it was, but I think it
was a Yahoo page. He browsed that for awhile and everything ran normal.

Then we rebooted the laptop one more time and, lo and behold, the original
problem was back. I checked the registry and the regedlt.exe entries were
back again.

I scanned the regedlt file for a virus, but it came back clean, although my
friend said it had been awhile since he had updated his virus definitions.

So, I'm guessing the web site is making the changes somehow. I told him he
needs the Ad Aware plug in that prevents that.

Thanks again for your help.

P. Qwan
 

Pegasus (MVP)

If your friend wants to live dangerously by not updating
his virus scanner at least weekly then he should be
prepared for his machine to be infected.

To prevent regedlt.exe from ever running again, find out
where it is normally stored (e.g. in c:\winnt), then
create a folder of the same name (e.g. c:\winnt\regedlt.exe).
 

ingers

Hi.

We had the same problem last week.

It is a worm and it has been submitted to a couple of the antivirus
companies.

Norman.no are the only one that responded to the virus with the following
sandbox analysis:

[ General information ]

* File length: 52224 bytes.
* Total emulation cycles required: 6847347.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\regedlt.exe.

[ Changes to registry ]
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "tsx"="regedlt.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "tsx"="regedlt.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".

[ Network services ]
* Attempts to resolve name "streethawkz.ma.cx".
* Connect port 6667 [DGRAM], IP 193.75.75.100.
* Connects to IRC Server.
* Connect port 113 [DGRAM], IP 0.0.0.0.

[ Process/window information ]
* Creates a mutex tsk.

I believe that Symantec Antivirus with updates from the last couple of
days are able to find the virus... but I have not found any detailed
reference to it...

Good luck!
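The Norman sandbox report above names the exact autorun locations the worm writes to. As an added example (not code from the thread or from any antivirus vendor), here is a small Python checker that walks those same Run, RunOnce and RunServices keys under HKLM and HKCU and reports any entry that matches the "tsx" value name, the regedlt.exe file name, or any other file name that is one character away from regedit.exe. The snapshot layout, the SAMPLE_SNAPSHOT data and the benign "ExampleAgent" entry are constructed for this example; collect_live_snapshot() reads the real keys with winreg and only works on Windows, while the matching logic runs anywhere.

```python
"""Added example (not from the thread): check the autorun registry keys
named in the Norman sandbox report for the "tsx" -> regedlt.exe entry.

The snapshot format and SAMPLE_SNAPSHOT are constructed for this example.
collect_live_snapshot() reads the real keys with winreg and only works on
Windows; the rest runs anywhere.
"""
import sys
from typing import Dict, List, Tuple

# Autorun locations listed in the sandbox analysis.
AUTORUN_KEYS: List[Tuple[str, str]] = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Indicators taken from the thread.
SUSPECT_VALUE_NAME = "tsx"
SUSPECT_FILE_NAME = "regedlt.exe"

# A snapshot maps "HIVE\subkey" to {value_name: value_data}.
Snapshot = Dict[str, Dict[str, str]]


def key_path(hive: str, subkey: str) -> str:
    return hive + "\\" + subkey


def basename(command: str) -> str:
    """Executable file name from a Run value: the quoted or first token,
    with any directory part removed."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split()[0] if command else ""
    return exe.replace("/", "\\").split("\\")[-1].lower()


def looks_like_regedit_typosquat(command: str) -> bool:
    """True when the file name is exactly one substitution away from
    regedit.exe (regedlt.exe swaps the 'i' for an 'l'); the genuine
    regedit.exe itself is not flagged."""
    target = "regedit.exe"
    name = basename(command)
    if len(name) != len(target) or name == target:
        return False
    return sum(a != b for a, b in zip(name, target)) == 1


def find_persistence(snapshot: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every autorun entry matching the
    value name, the dropped file name, or a regedit look-alike."""
    hits = []
    for hive, subkey in AUTORUN_KEYS:
        path = key_path(hive, subkey)
        for name, data in snapshot.get(path, {}).items():
            if (name.lower() == SUSPECT_VALUE_NAME
                    or basename(data) == SUSPECT_FILE_NAME
                    or looks_like_regedit_typosquat(data)):
                hits.append((path, name, data))
    return hits


def collect_live_snapshot() -> Snapshot:
    """Read the autorun keys from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry reads need Windows")
    import winreg  # imported here so the module loads on other platforms
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot: Snapshot = {}
    for hive, subkey in AUTORUN_KEYS:
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    values[name] = str(data)
                    index += 1
        except OSError:
            pass  # key absent; RunServices is not present on every system
        snapshot[key_path(hive, subkey)] = values
    return snapshot


# Constructed sample matching what the thread reports, plus one made-up
# benign entry to show that ordinary startup items are left alone.
SAMPLE_SNAPSHOT: Snapshot = {
    key_path("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"): {
        "ExampleAgent": r'"C:\Program Files\Example\agent.exe" /tray',
        "tsx": "regedlt.exe",
    },
    key_path("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"): {"tsx": "regedlt.exe"},
    key_path("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"): {"tsx": "regedlt.exe"},
    key_path("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"): {"tsx": "regedlt.exe"},
    key_path("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"): {},
}

if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for path, name, data in find_persistence(snap):
        print(f"{path}  {name} = {data}")
```

Run it from Safe Mode on the affected machine and it lists the four entries the thread describes; on the constructed sample it reports exactly those four and ignores the benign entry. The look-alike check is there because the poster nearly missed the entry by reading "regedlt" as "regedit".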
 

ingers

This is what Symantec sees it as:

Subject: Virus Found NAV

Alert: Virus Found
Computer: CFL2
File Path: C:\WINNT\system32\regedlt.exe Virus Name: W32.Randex.gen
Date: 04/05/04
Time: 02:48:07 PM
User: Administrator
Severity: Critical
Source: Norton AntiVirus Corporate Edition
 

M Stolecki

We had a problem with this virus this weekend as well.

It was connecting to different set of IP address though:
64.251.27.2 and 218.55.182.49 on port 6667

The email I got from McAfee said it was a variant of w32/randbot.worm

McAfee came out with an extra dat on Saturday to detect it. You should
be able to download it from their site.

Hope this helps
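The sandbox report and this post together give three controller addresses and the IRC port 6667. As an added example (not code from the thread), here is a Python parser for Windows `netstat -an` output that flags connections to that port or to those addresses, which is a quick way to confirm the worm is active before it has been cleaned. The SAMPLE_NETSTAT lines and the local addresses in them are constructed; the three remote IPs are the ones reported in the thread.

```python
"""Added example (not from the thread): flag outbound connections to IRC
port 6667 and to the controller addresses reported in this thread, from
'netstat -an' style output. SAMPLE_NETSTAT is constructed."""
from typing import List, NamedTuple

# Addresses reported in the thread (Norman sandbox and the McAfee case).
REPORTED_IPS = {"193.75.75.100", "64.251.27.2", "218.55.182.49"}
IRC_PORTS = {6667}


class Conn(NamedTuple):
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(lines: List[str]) -> List[Conn]:
    """Parse Windows 'netstat -an' lines; header, blank and
    wildcard-remote (UDP '*:*') lines are skipped."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        remote_ip, _, port = parts[2].rpartition(":")
        if not port.isdigit():
            continue
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], parts[1], remote_ip, int(port), state))
    return conns


def flag_irc_activity(conns: List[Conn]) -> List[Conn]:
    """Connections to an IRC port or to a reported controller address."""
    return [c for c in conns
            if c.remote_port in IRC_PORTS or c.remote_ip in REPORTED_IPS]


def pending_syns(conns: List[Conn]) -> int:
    """Count half-open connections; a pile of SYN_SENT entries toward the
    same host is the 'SYN' behaviour a later poster describes."""
    return sum(1 for c in flag_irc_activity(conns) if c.state == "SYN_SENT")


# Constructed sample in the layout 'netstat -an' prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       193.75.75.100:6667     SYN_SENT
  TCP    192.168.1.5:1044       64.251.27.2:6667       ESTABLISHED
  TCP    192.168.1.5:1050       192.0.2.10:80          ESTABLISHED
  UDP    192.168.1.5:137        *:*
""".strip("\n").splitlines()

if __name__ == "__main__":
    found = flag_irc_activity(parse_netstat(SAMPLE_NETSTAT))
    for c in found:
        print(f"{c.proto} {c.local} -> {c.remote_ip}:{c.remote_port} {c.state}")
```

On a live machine, feed it the output of `netstat -an` instead of the sample; the ordinary web connection on port 80 is left alone and only the two IRC connections are reported.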
 

P. Qwan

Thanks for the update. Those are the keys that were being added. I am
guessing the reason it causes his laptop to hang up during start up is he
has no network connection at that point. I'm a little worried though,
because I brought his laptop to my house over the weekend to see if I could
resolve the problem, and at one point I had it connected to my DSL line.
So, it's possible that it was connected to the internet with the worm
active. I am behind a router though. Should I be concerned?

I guess I should ask this question in the Virus newsgroup.

P. Qwan
 

ingers

I wouldn't worry too much. What we saw is that it generates a SYN so it
would perhaps make your router awfully slow. Then again it tries to
connect to IRC probably to download another payload or possibly create a
backdoor into the system...?
We have not seen any secondary reactions after we removed it so it looks
good and promising just removing it by itself.
The oddity of this worm is how little it has been documented and hence
counteractions have been taken. I know a few antivirus tools manage to
detect it, but it seems to be a secondary effect out of similar worms. I
have not seen any direct reference to it and its payload in the antivirus
descriptions...

You mentioned initially that it might have been downloaded from a stock
webpage.
Any further reference that might enlighten how you got it would be
interesting.

Again, good luck as well as a very happy Easter!
 

P. Qwan

You mentioned initially that it might have been downloaded from a stock
webpage.
Any further reference that might enlighten how you got it would be
interesting.

That was my error. I initially thought that because he said the last thing
he did before the problem occurred was browse the page, and then it got
re-infected when we revisited the page after I removed the registry keys.
But it turns out just starting Internet Explorer somehow activates it. He
was probably initially infected via e-mail, because a few months ago, he had
the Randex virus, and that E-Anthology mess.

This is how the virus is affecting his laptop:

1. If I clean the registry of the regedlt.exe keys, boot up, connect to
ATT, and do not start IE, then the keys are not created again. I can then
reboot with no problem.

2. If I start IE and navigate to any page, then close IE down and check the
registry, the regedlt.exe keys are not there. But if I reboot at that
point, the regedlt.exe keys are added, and it hangs up.


I'm not that computer literate, so maybe I am missing something. I told him
he should just buy a new version of McAfee, because he can't update the
virus patterns with his old version because it won't connect to the server
for some reason.

P. Qwan
 

ingers

This is what F-Secure has to say about the worm:

This file is a new variant of SDBot backdoor. Our F-Secure Anti-Virus
can detect and remove this malware, see the report:

--------------------------------------------
Scanning Report
07 April 2004 17:05:03 - 17:05:07

Target: C:\1
Result: 1 virus found

* C:\1\regedlt.ex Infection: Backdoor.IRCBot.gen Action: Renamed.
--------------------------------------------

This backdoor can spread via LAN to computers that have open shares. So
to disinfect it you will need to do the following:

1. Kill LAN network connections and disconnect Internet completely
2. Disinfect all computers (infected files should be renamed or deleted)
3. Restart cleaned computers
4. Double-check if the infection was cleaned
5. Re-enable network connections
 

P. Qwan

I started a thread in the ms/virus group. The latest virus definitions (as
of 4/6) from McAfee found backdoor.atv and w32randbot.worm. (I may have
the spelling of those wrong, because I was told the results of the scan over
the phone.) However, the very next boot-up, the laptop hung again, and the
regedlt.exe keys were back. A subsequent run of McAfee in safe mode didn't
find anything.
 
