Re: Behavior of Randex variant.

From: Phil Weldon (notdisclosed_at_example.com)
Date: 04/07/04


Date: Wed, 07 Apr 2004 04:51:32 GMT

Is it possible that "regedlt.exe" is a typo? It is difficult to search
for information if the file name is wrong (unless it is jdgmgr.exe, which
has references on the internet that are so numerous that almost any spelling
will get a few hits.) The typo thing was preventing one poster from
figuring out that Visual Basic version 6.0 runtime files were needed.

-- 
Phil Weldon, pweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."
"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:efGWAOFHEHA.4088@TK2MSFTNGP10.phx.gbl...
> You may have multiple problems, and they may not all be what are classed as
> viruses.
>
> I've read another thread by you elsewhere, and I wonder whether this
> regedlt.exe isn't commercial spyware, rather than a virus.
>
> If you can get through some successive boots, including opening IE--try
> setting the home page to blank and setting all security and search options
> to the defaults--and not get a virus flagged by McAfee with current
> definitions, then I'd recommend getting HijackThis and posting to one of the
> spyware forums to see if you can get the regedlt.exe thing sorted out.
>
> www.aumha.org's freeware list is a good place to get HijackThis, and some
> guidance about how to use it and where to post the logs.
>
> I've read Symantec's descriptions of what they claim are what McAfee calls
> w32/randbot (they actually have two completely different critters they
> describe that way--google on randbot and symantec!)--and they just don't
> resemble this regedlt thing, as far as I can see.
>
>
>
> "P. Qwan" <prahqwan@hotmail.com> wrote in message
> news:0%Gcc.2751$hd3.1864@nwrddc03.gnilink.net...
> > Update - the latest McAfee virus definitions (as of 4/6), running in safe
> > mode, found and removed "backdooratv" and "w23randbot.worm".   Then was
> > able to boot up normally.   However, the very next boot up, same problem:
> > laptop gets through log-in screen, "loading personal settings" screen, and
> > welcome wave, then it hangs with hour-glass cursor and blue screen (Windows
> > background color).  Able to bring up task manager at this point and verify
> > that regedlt.exe is running as a process.
> >
> > Boot into safe mode again, and run McAfee.  This time it doesn't find
> > anything...
> >
> >
> > "P. Qwan" <prahqwan@hotmail.com> wrote in message
> > news:eQocc.2345$bd4.205@nwrddc01.gnilink.net...
> >> I initially posted a message in the 2000/General news group, because I
> >> thought this problem was software related.  It turns out that it's possibly
> >> a new variant of Randex.   Here is some information I copied from the thread
> >> in 2000/General
> >>
> >> **************************************************
> >>
> >> Norman.no are the only one that responded to the virus with the following
> >> sandbox analysis:
> >>
> >>  [ General information ]
> >>
> >>     * File length:        52224 bytes.
> >>     * Total emulation cycles required:      6847347.
> >>
> >>  [ Changes to filesystem ]
> >>     * Creates file C:\WINDOWS\SYSTEM\regedlt.exe.
> >>
> >>  [ Changes to registry ]
> >>     * Creates value "tsx"="regedlt.exe" in key
> >> "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
> >>     * Creates key
> >> "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> >>     * Creates value "tsx"="regedlt.exe" in key
> >> "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> >>     * Creates value "tsx"="regedlt.exe" in key
> >> "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
> >>     * Creates value "tsx"="regedlt.exe" in key
> >> "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
> >>     * Creates value "tsx"="regedlt.exe" in key
> >> "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> >>
> >>  [ Network services ]
> >>     * Attempts to resolve name "streethawkz.ma.cx".
> >>     * Connect port 6667 [DGRAM], IP 193.75.75.100.
> >>     * Connects to IRC Server.
> >>     * Connect port 113 [DGRAM], IP 0.0.0.0.
> >>
> >>  [ Process/window information ]
> >>     * Creates a mutex tsk.
> >>
> >> This is what Symantec sees it as:
> >>
> >> Subject: Virus Found NAV
> >>
> >> Alert: Virus Found
> >> Computer: CFL2
> >> File Path: C:\WINNT\system32\regedlt.exe Virus Name: W32.Randex.gen
> >> Date: 04/05/04
> >> Time: 02:48:07 PM
> >> User: Administrator
> >> Severity: Critical
> >> Source: Norton AntiVirus Corporate Edition
> >>
> >>
> >> *************************************************************
> >>
> >> I first saw the problem on a Dell Laptop running Win2000.  It has McAfee
> >> virus scanner, but the virus definition files were not up-to-date. It is a
> >> personal use laptop that connects to the Internet via ATT Dial-Up.
> >>
> >> When "regedlt.exe" keys are present in the registry, the laptop hangs during
> >> boot-up, I assume because at that point it has no internet connection.  It
> >> gets past the log-in screen, the "loading personal preferences screen", and
> >> the "ta-da" welcome.  Then it stops with a blue screen (Windows background
> >> color) and an hour-glass cursor.  I am able to Ctrl-Alt-Delete and bring up
> >> Task Manager.  One of the processes listed is "regedlt.exe".
> >>
> >> I can shut down and boot up in Safe Mode at this point, delete all the
> >> "regedlt.exe" keys, and it will boot up normally.  Then this is how it goes:
> >>
> >> 1.  If I clean the registry of the regedlt.exe keys, boot up, connect to
> >> ATT, and do not start Internet Explorer, then the keys are not created
> >> again.  I can then reboot with no problem.
> >>
> >> 2. If I start IE and navigate to any page, then close IE down and check the
> >> registry, the regedlt.exe keys are not there.  But if I reboot at that
> >> point, the regedlt.exe keys are added, and it hangs.
> >>
> >> So it seems to be activated by IE somehow.  I am not a computer
> >> professional, so I could be missing something.
> >>
> >> I installed a new copy of McAfee on this laptop, downloaded the latest
> >> virus definitions (as of 4/5) and it didn't detect any viruses.  Of course,
> >> this is with the regedlt.exe keys deleted, because it won't boot up when they
> >> are present.
> >>
> >> P. Qwan
> >>
> >>
> >>
> >
> >
>
>
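A read-only sweep of the indicators the thread quotes, added here as an example and not part of any poster's message: it checks the five autorun keys from the Norman sandbox report for the "tsx" value or any data naming regedlt.exe, then looks for the regedlt.exe process and for the file in the two locations Norman and NAV reported. It assumes a current PowerShell on the machine being examined; the function and variable names are my own.

```powershell
# Added example, not from the thread: sweep for the indicators in the Norman
# sandbox report and the NAV alert (autorun value "tsx"="regedlt.exe", the
# regedlt.exe process, the file under SYSTEM or system32). Names below are
# assumptions. It only reports; it deletes nothing.
$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ValueName = 'tsx'           # value name from the sandbox report
$FileName  = 'regedlt.exe'   # file name from the sandbox report and NAV alert

function Find-RegedltIndicators {
    $findings = @()
    # 1. Persistence: the tsx value, or any value whose data names regedlt.exe
    #    (so a variant that renames the value is still caught).
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $data = [string]$p.Value
            if ($p.Name -eq $ValueName -or $data -match [regex]::Escape($FileName)) {
                $findings += [pscustomobject]@{ Type = 'Autorun'; Where = "$key\$($p.Name)"; Detail = $data }
            }
        }
    }
    # 2. Process: the poster saw regedlt.exe in Task Manager during the hang.
    foreach ($proc in Get-Process -Name 'regedlt' -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Process'; Where = "PID $($proc.Id)"; Detail = $proc.Path }
    }
    # 3. File: Norman reported C:\WINDOWS\SYSTEM\, NAV reported C:\WINNT\system32\.
    foreach ($dir in @('SYSTEM', 'system32')) {
        $path = Join-Path -Path $env:SystemRoot -ChildPath "$dir\$FileName"
        if (Test-Path -Path $path -PathType Leaf) {
            $item = Get-Item -Path $path
            $findings += [pscustomobject]@{ Type = 'File'; Where = $path; Detail = "$($item.Length) bytes" }
        }
    }
    return $findings
}

$result = @(Find-RegedltIndicators)
if ($result.Count -eq 0) { 'No regedlt.exe indicators found.' } else { $result | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM keys and system32 are readable; a hit in any of the Run-style keys matches the persistence the sandbox report describes.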

