
Change from %SystemRoot% to %fystemRoot%


spazntwitch


Heads up! One of my clients' computers had some major issues and I wanted to bring them to your attention. You may want to add the following registry changes to your MalwareBytes search engine:

HKLM\SYSTEM\ControlSet001\Services\BITS (Background Intelligent Transfer Services)

ImagePath changed to: %fystemRoot%\System32\svchost.exe -k netsvcs

Start changed to: 0x00000004 (4) -- disabled

HKLM\SYSTEM\ControlSet001\Services\wuauserv (Automatic Updates)

ImagePath changed to: %fystemRoot%\System32\svchost.exe -k netsvcs

Start changed to: 0x00000004 (4) -- disabled

HKLM\SYSTEM\ControlSet003\Services\BITS (Background Intelligent Transfer Services)

ImagePath changed to: %fystemRoot%\System32\svchost.exe -k netsvcs

Start changed to: 0x00000004 (4) -- disabled

HKLM\SYSTEM\ControlSet003\Services\wuauserv (Automatic Updates)

ImagePath changed to: %fystemRoot%\System32\svchost.exe -k netsvcs

Start changed to: 0x00000004 (4) -- disabled

Notice how it changed the 'S' in %SystemRoot% to an 'f' and disabled the services. It also made it so that no changes were saved using the Services.msc add-in by making those registry keys read only.

One of the first clues something was wrong was the fact that HijackThis listed BITS and Automatic Updates as an O23 Service but had the file path as only "C:\Windows".

Here's hoping you'll get the changes added. Just wanted to make your EXCELLENT product even better.

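A scripted way to look for the three symptoms this thread describes (an ImagePath whose leading %...% token is not a real environment variable, a watched service whose Start value has been changed, and a service key that cannot be read at all, which a later reply reports for the driver's own entry). This is an added example, not code from the original post or from Malwarebytes; it assumes Windows PowerShell 2.0 or later on an elevated prompt, and the expected Start values (2 = Automatic) are an assumption, since the post only says they were changed to 4.

```powershell
# Added example (not code from the original post). Read-only audit of every
# physical control set's Services key for the tampering reported above.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.

# Expected Start values are an assumption (2 = Automatic); the post only says
# they were changed to 4 (Disabled).
$WatchedServices = @{ 'BITS' = 2; 'wuauserv' = 2 }

# Tokens that legitimately begin a service ImagePath (assumption; extend if your
# build uses others). Anything else cannot be expanded, so the service never starts.
$KnownTokens = @('%SystemRoot%', '%windir%', '%ProgramFiles%')

function New-Finding($ControlSet, $Service, $Finding, $Detail) {
    New-Object PSObject -Property @{
        ControlSet = $ControlSet; Service = $Service; Finding = $Finding; Detail = $Detail
    }
}

function Get-ServiceTamperingFindings {
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $system = $hklm.OpenSubKey('SYSTEM')
    # Walk ControlSet001, ControlSet002, ... but not the CurrentControlSet alias,
    # so each physical control set is checked exactly once (the post above shows
    # both ControlSet001 and ControlSet003 were modified).
    $controlSets = $system.GetSubKeyNames() | Where-Object { $_ -like 'ControlSet*' }

    foreach ($cs in $controlSets) {
        $services = $hklm.OpenSubKey("SYSTEM\$cs\Services")
        if ($services -eq $null) { continue }

        foreach ($svc in $services.GetSubKeyNames()) {
            # OpenSubKey throws SecurityException when the key's ACL denies us read.
            try   { $key = $services.OpenSubKey($svc) }
            catch { $key = $null }
            if ($key -eq $null) {
                New-Finding $cs $svc 'KeyUnreadable' 'OpenSubKey failed; inspect permissions from Safe Mode'
                continue
            }

            # Read the raw REG_EXPAND_SZ so the token is inspected before expansion.
            $imagePath = [string]$key.GetValue('ImagePath', '',
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($imagePath -match '^\s*"?(%[^%]+%)') {
                $token = $Matches[1]
                if ($KnownTokens -notcontains $token) {
                    # e.g. %fystemRoot%: Windows cannot expand it, so the service cannot start
                    New-Finding $cs $svc 'UnknownEnvToken' $imagePath
                }
            }

            if ($WatchedServices.ContainsKey($svc)) {
                $start = $key.GetValue('Start')
                if ($start -ne $WatchedServices[$svc]) {
                    New-Finding $cs $svc 'StartChanged' "Start=$start (expected $($WatchedServices[$svc]))"
                }
            }
            $key.Close()
        }
        $services.Close()
    }
    $system.Close()
}

Get-ServiceTamperingFindings | Format-Table ControlSet, Service, Finding, Detail -AutoSize
```

The audit only reads; a 'KeyUnreadable' line is worth a manual look from Safe Mode, and an 'UnknownEnvToken' line on a service that should be hosted by svchost.exe is exactly the pattern shown in the post above.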

Okay, so what if when you GO to these keys in Registry Editor and you try to fix this, an error dialog pops up:

Title: Error Editing Value

Text: (BIG RED X PICTURE) Cannot edit ImagePath: Error writing the value's new contents.

This problem became apparent when one of our users (at work) came to me and said they were getting pop ups. Well, we use Sophos Enterprise here and also MalwareBytes (great for those little things). Well, our AV policy is not very tight, it lets stuff run so we don't have 200 people a day asking us if they can run wuauclt.exe or not. I'm sure you can understand. But anyway... I found that this virus(es) messed with winsock, so I found a post somewhere else saying to use 'netsh winsock reset' and that worked so now I can actually GO to the website and download definitions.

Well, I want to get Automatic Updates working again mainly so he doesn't see a stupid bubble pop up every time he logs in. SOMETHING is keeping me from changing this registry value. What can it possibly be? :rolleyes:


Root Admin

It can be that your system is Infected and needs to be cleaned first.

Hello and Welcome to Malwarebytes.org

If you're having malware-related issues with your computer that you're unable to resolve:

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.
  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.


To modify those keys, you need to right-click them and choose Permissions. From there, add yourself with full control and then close the dialog box. You can now change the permissions.


2 weeks later...

Hello, I had the same problem and I solved it. It is a malware that installs itself in the folder %Systemroot%\system32\drivers and in this case the file was called 3d16ee25.sys. I don't know if it copies itself with the same name or uses a random one. The file registers itself as a system service in \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and it is really easy to find because if you step on its key you won't be able to read it. Anyway, you can restart your system in safe mode and easily remove the key. Be sure you don't have any other malware/downloader that can install it again, but since I removed it I haven't had any other problem. If you don't disable this malware, it will keep on installing malware on your computer, so every time you perform a normal virus scan you will find some.

Please let me know if this worked for you. :D

I kept the malware file, so if someone tells me where to upload it for analysis, I will appreciate it.


Here is what you should do:

to check the name of the malware file (in case the malware uses a random name when installing) you should do this

- Go to Start -> Run and type REGEDIT.EXE

- Find this key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and walk over the keys you find here with the Down Arrow button of your keyboard. You will easily find it because you will get a popup from regedit telling you that the key can't be read. Write down the name of the key and then do the following (you can close regedit for now):

- Run Malwarebytes' Anti-Malware or some antimalware tool.

- Remove everything you find (if you have this malware, then you will find seneka and some other nasty stuff like crypts.dll).

- If it asks for restart to fix everything click on Yes.

- Restart your system in Safe Mode.

- Go to Start -> Run and type REGEDIT.EXE (again)

- Go to Edit -> Search and search for fystemroot in the registry (be sure to find EVERY match)

- In every key you find the value, you have to go to Edit -> Permissions and set permissions (total control) for you (administrator) then apply and double click on the key, replace %fystemroot% with %Systemroot% every time and then restart your computer normally.

- Just in case... run your antimalware program again, because the downloader can install it again after you removed the malware the first time, as it can download it and you won't notice (before starting in safe mode).

Well, I wrote this because I couldn't find anything about it before, so I hope it works for you too. By the way, Malwarebytes' Anti-Malware halts my system badly when performing a full scan on both drives (sometimes it finishes the full scan of the smaller partition completely, but not always, so I think it may be the amount of files and the memory of my computer or something that makes the whole system freeze). Ah, and I don't speak English very well, so I hope you understand everything. I tried to do... not my best, but... I tried (?)

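The registry part of the steps above (take Full Control on the key, as the earlier "right-click > Permissions" reply also describes, then put %SystemRoot% back and re-enable the service) as a script. This is an added example, not code from the thread or from Malwarebytes. It assumes Windows PowerShell 2.0 or later on an elevated prompt, that it is run from Safe Mode after the driver has been removed (as the steps above say, otherwise the values are simply rewritten), and that the restored Start value is 2 (Automatic); the thread only says it had been set to 4.

```powershell
# Added example (not code from the thread). Scripts the manual repair from the
# replies above for one service key: grant Administrators Full Control, restore
# the %SystemRoot% token in ImagePath, restore Start. Assumes Windows PowerShell
# 2.0 or later, an elevated prompt, and Safe Mode after the driver is removed.

function Repair-TamperedService {
    param(
        [Parameter(Mandatory=$true)][string]$ControlSet,   # e.g. 'ControlSet001'
        [Parameter(Mandatory=$true)][string]$Service,      # e.g. 'BITS'
        [int]$Start = 2                                    # assumption: 2 = Automatic
    )
    $keyPath = "SYSTEM\$ControlSet\Services\$Service"
    $hklm    = [Microsoft.Win32.Registry]::LocalMachine

    # 1. Regain write access (the scripted form of "Permissions > add Full Control").
    #    Opening with only ReadPermissions + ChangePermissions works even when the
    #    ACL no longer grants write, as long as we are still allowed WRITE_DAC.
    $aclKey = $hklm.OpenSubKey($keyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if ($aclKey -eq $null) { throw "Key not found: HKLM\$keyPath" }
    $acl  = $aclKey.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators',
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    $aclKey.SetAccessControl($acl)
    $aclKey.Close()

    # 2. Repair the values now that the key is writable.
    $key = $hklm.OpenSubKey($keyPath, $true)
    $raw = [string]$key.GetValue('ImagePath', '',
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    # The thread shows the token mutated to %fystemRoot%; accept any single-letter
    # mutation of the first character (case-insensitive) and write the canonical
    # token back, keeping any leading quote.
    $fixed = [regex]::Replace($raw, '^(\s*"?)%[A-Za-z]ystemRoot%', '$1%SystemRoot%',
        [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    if ($fixed -ne $raw) {
        $key.SetValue('ImagePath', $fixed, [Microsoft.Win32.RegistryValueKind]::ExpandString)
    }
    if ($key.GetValue('Start') -ne $Start) {
        $key.SetValue('Start', $Start, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()

    New-Object PSObject -Property @{
        Key = "HKLM\$keyPath"; ImagePathBefore = $raw; ImagePathAfter = $fixed; Start = $Start
    }
}

# The four entries listed in the first post of the thread.
foreach ($cs in 'ControlSet001', 'ControlSet003') {
    foreach ($svc in 'BITS', 'wuauserv') {
        Repair-TamperedService -ControlSet $cs -Service $svc
    }
}
```

The function reports the before and after ImagePath for each key so the change can be checked; the Edit > Search for "fystemroot" described above remains the way to confirm no other key still carries the bad token.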

Aspirina - What was the point of finding the reg key that you can't see and writing down the name of it?

~B


That's the name of the virus file. Just take a note of the name of the key and then do a simple search with Windows search (you know how to do that) and then you can remove the file. Anyway, you should first disable the virus from that key before deleting it. If you start Windows in Safe Mode you can access that key and delete it because the malware won't load at start. And don't forget to set the keys you change to the normal permissions they have (that is, total control for Administrators) with regedit.


Here I go again:

Here is what you should do:

to check the name of the malware file (in case the malware uses a random name when installing) you should do this

- Go to Start -> Run and type REGEDIT.EXE

- Find this key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and walk over the keys you find here with the Down Arrow button of your keyboard. You will easily find it because you will get a popup from regedit telling you that the key can't be read. Write down the name of the key and then do the following (you can close regedit for now):

- Run Malwarebytes' Anti-Malware or some antimalware tool.

- Remove everything you find (if you have this malware, then you will find seneka and some other nasty stuff like crypts.dll).

- If it asks for restart to fix everything click on Yes.

- Restart your system in Safe Mode.

- Go to Start -> Run and type REGEDIT.EXE (again)

HERE you should search in regedit for the key I told you to write down and delete it. Maybe you have to set total control permissions for this key but you can do it with regedit.

- Go to Edit -> Search and search for fystemroot in the registry (be sure to find EVERY match)

- In every key you find the value, you have to go to Edit -> Permissions and set permissions (total control) for you (administrator) then apply and double click on the key, replace %fystemroot% with %Systemroot% every time and then restart your computer normally.

- Just in case... run your antimalware program again, because the downloader can install it again after you removed the malware the first time, as it can download it and you won't notice (before starting in safe mode).

Well, I wrote this because I couldn't find anything about it before, so I hope it works for you too. By the way, Malwarebytes' Anti-Malware halts my system badly when performing a full scan on both drives (sometimes it finishes the full scan of the smaller partition completely, but not always, so I think it may be the amount of files and the memory of my computer or something that makes the whole system freeze). Ah, and I don't speak English very well, so I hope you understand everything. I tried to do... not my best, but... I tried (?)


I think this downloader has downloaded another downloader that is still active and I haven't found it yet (I just noticed it). Malwarebytes didn't detect it either. Somebody should let the downloader keep downloading to watch the other stuff it downloads, so the Anti-Malware can detect them too. I will try to find it and upload it.



1) I have the same problem.

In my case the malware is called 4ebde4e8.sys.

The question is: how can I remove it?

Can MalwareBytes do that using the today new database version 1856?

Or do I need to follow Aspirina's solution?

2) Until now, has anybody tried using another antispyware/anti-malware tool to solve this issue?

3) This infection slows my computer when I try to connect it to the internet. Loading a web page takes a long time.

However, sometimes everything is with the normal speed.

It seems that the malware stops slowing my computer..... for a while.

Best regards

HCOVA


This is a new malware, so any antimalware program won't find it for a while. And you should get it out fast before it installs a new rootkit like the one I have, almost undetectable B) I can't find it; I only know its possible names, but I can't find a way to get a copy of its contents because it changes its name a lot, so I can't do anything.


Aspirina:

I tried to copy and paste the malware you mention. It is located in C:\WINDOWS\System32\Drivers..... as you told us.

It cannot be copied in the usual way.

The other characteristic is that it updates itself in real time. I can see it in the "Date Modified" field in Windows Explorer. It has the same creation date as the computer clock. !!!!! It is in a loop.

Question:

1) What can I do to avoid this malware spreading on my computer, and to avoid it installing a new rootkit?

2) Do you recommend that I keep the computer ON always, and avoid shutting it down?

I am very afraid of this issue, because I could lose my computer...... I think.

I am using NOD32 and PCtools Spyware Doctor.

Best regards

HCOVA


Are you trying to delete it when running Windows in safe mode? If you try to delete it running normal you won't be able to do it, if you have administrator privileges you should be able to delete it in safe mode or copy, and if you can't then try with some tool for file deleting, like the one included in malwarebytes antimalware or the secure shredder bundled with spybot s&d. But if you don't delete it in safe mode it will deploy again.


If I can delete it from the safe mode, could it eliminate the malware forever?

Do I need to run anything else in safe mode? for example NOD32 or SpywareDoctor or any other?

(SpywareDoctor does not recommend running it in safe mode.... I do not know why.)

Thanks for your help.

HCOVA


Run everything you can in safe mode to detect any other malware, and you should be clean, unless your antimalware doesn't work in safe mode. In that case run in normal mode, disconnect from the internet, run everything you have to remove malware and get online again. If you have any doubts you can run another kind of program to check. There are some to detect rootkits or to detect changes in the registry or files, etc. If you think you're still infected and you want to reduce risk, you can work offline and at least you won't get more infected. Look for antirootkits on the web; you will find some. I detected the one I have with one of those, but they're not providing enough info to get rid of it, but at least I know I have something and what I don't have...



Hi Aspirina:

Thank God, it seems I solved the issue. Sorry, the Microsoft site solved the issue. I ran the MS OneCare Full Service Scan and it found an infection.

After cleaning the infection the problem was solved. At least I have not found any "*.sys" malware at C:\WINDOWS\system32\drivers.

Of course I am not sure if the computer is completely clean, but I can access the web without any problem.

Onecare website:

onecare.live.com/site/en-US/default.htm

Thanks a lot Aspirina for your support.

Best Regards

HCOVA
