
Restoring Scanreg?

Discussion in 'Virus & Other Malware Removal' started by Ander, Feb 13, 2003.

Thread Status:
Not open for further replies.
  1. Ander

    Ander Thread Starter

    Joined:
    Feb 13, 2003
    Messages:
    80
    Hi everybody,

    Tonight I ran SpyBot (as you may know, a great free trojan-scanning program---http://security.kolla.de) on my Windows XP Pro system. It found a key-logger program called HotKeysHook ([email protected]@@k.DLL).

    I had it fix the trojan, of course; then I went onto the Web to find some information about it. It turned out to be relatively harmless; however, it overwrote (replaced) my original Scanreg.exe, which Windows runs on each boot to check the registry's integrity.

    Should I restore Scanreg from my Win XP disc? If so, how do you do that? And will I need to re-register it, add it as a Startup program, etc.? Thanks for your help!
     
  2. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
  3. Ander

    Ander Thread Starter

    Joined:
    Feb 13, 2003
    Messages:
    80
    Wow, that was fast! Thanks, steamwiz.

    Trend Micro's HotKeysHook page says:

    > To restore SCANREGW.EXE, the easiest way is to copy it
    > from another computer with the same operating system,
    > or reinstall from backup.

    Okay, I can ask a friend for the file. And I see that Scanregw.exe is still in my registry, so it'll auto-run. (I should've checked that before posting, shouldn't I?) So that should solve the problem. Thanks for your help!

    Cheers, Ander
     
  4. tpb

    tpb

    Joined:
    Feb 27, 2001
    Messages:
    573
    If I'm not mistaken, Windows XP does not have or use scanreg.exe or scanregw.exe.

    That entry in the registry may be the trojan entry.
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ander, tpb is right. Do you have XP and are you getting a missing file message on startup or when trying to run other programs?

    If so there is a registry repair that needs to be done.

    Neither scanreg.exe nor scanregw.exe should be in a WinXP system.


    I think we had better verify just what you have and what you are seeing before proceeding.

    You should give us a post of your startup configuration by using the StartupList application from the site below. Just download, unzip and run it, then copy/paste the results to a reply.

    http://www.lurkhere.com/~nicefiles/
     
  6. Ander

    Ander Thread Starter

    Joined:
    Feb 13, 2003
    Messages:
    80
    You're right---XP doesn't use those files. (I've dropped Trend Micro a note, suggesting they add OS-specific info to their HotKeysHook page.)

    I did, however, find a Scanreg.ini in my Windows folder. I'll paste it below; it doesn't look suspicious. (Maybe the trojan included it just to be tidy. :?)

    My XP Pro registry has these scanreg*.* references:

    (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSInfo\Tools\ScanReg :
    0 scanreg*.*
    [That may have been me searching for the file...]

    (2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSInfo\Tools\ScanReg:
    command (REG_SZ) scanregw.exe

    (3) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
    ScanRegistry (REG_SZ) C:\WINDOWS\scanregw.exe /autorun
    [2 occurrences]

    Should I just delete those keys? (I'm not getting any startup error messages.)

    As you recommended, I downloaded and ran StartupList. Its results (also pasted below) did not include any of the keys above. I recognized everything it did find.

    Cheers, Ander

    "Well I can get the 'a'---but how do I put the circle around it?"

    - - - - -

    === Contents of Windows\Scanreg.ini: ===

    ;
    ; Scanreg.ini for making system backups.
    ;

    ;Registry backup is skipped altogether if this is set to 0
    Backup=1

    ;Registry automatic optimization is skipped if this is set to 0
    Optimize=1

    ScanregVersion=0.0001
    MaxBackupCopies=5

    ;Backup directory where the cabs are stored is
    ; <windir>\sysbckup by default. Value below overrides it.
    ; It must be a full path. ex. c:\tmp\backup
    ;
    BackupDirectory=

    ; Additional system files to backup into cab as follows:
    ; Filenames are separated by ','
    ; dir code can be:
    ; 10 : windir (ex. c:\windows)
    ; 11 : system dir (ex. c:\windows\system)
    ; 30 : boot dir (ex. c:\)
    ; 31 : boot host dir (ex. c:\)
    ;
    ;Files=[dir code,]file1,file2,file3
    ;Files=[dir code,]file1,file2,file3



    === StartupList utility's report: ===

    --------------------------------------------------------

    StartupList report, 2/23/2003, 1:01:31 AM
    StartupList version: 1.51
    Started from : H:\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\ZoneLabs\MINILOG.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\PC Alert III\alert.exe
    C:\Program Files\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\EditPad\EditPad.exe
    C:\Program Files\KeyNote\keynote.exe
    C:\Program Files\Mozilla\mozilla.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\2xExplorer\2xExplorer.exe
    C:\Program Files\Norton AntiVirus\QSERVER.EXE
    H:\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Rollo G. Fisk\Start Menu\Programs\Startup]
    PC Alert III v3.4.60.lnk = C:\Program Files\PC Alert III\alert.exe
    ZoneAlarm.lnk = C:\Program Files\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    TClockEx = C:\Program Files\TClockEx\TCLOCKEX.EXE

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
    (no name) - C:\PROGRA~1\WID1B9~1\WINDOW~1.DLL - {B5B57F4F-EFA5-11D4-A971-444553540000}
    (no name) - C:\PROGRA~1\STARDO~1\SDIEInt.dll - {FFFFFEF0-5B30-21D4-945D-000000000000}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [InstallFromTheWeb ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
    CODEBASE = http://tw.msi.com.tw/autobios/client/iftwclix.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37665.1062384259

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    End of report, 3,932 bytes
    Report generated in 0.062 seconds

     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    That's interesting. Was your XP version an upgrade from a 9x/ME operating system?

    I actually have no such folder:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSInfo\Tools -- just a "Toolsets"

    I'm sure anything relating to scanreg should be safe to delete, especially anything in a run- folder, which is not the way XP disables startup entries -- it uses

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    You can probably just delete that run- folder itself.
     
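As an added example (not code from this thread, from StartupList, or from any of the posters), the following Python parses a StartupList-style report and flags the three things the discussion above turns on: a scanreg/scanregw reference on an NT-family system, an entry sitting under a "Run-" key, and a Browser Helper Object registered with no name. The sample report is constructed from the one Ander posted; the "Run-" section in it and the rule set are assumptions made for illustration, not StartupList's own output or logic.

```python
"""Flag autorun entries in a StartupList-style report that deserve a second look."""
import re
from collections import namedtuple

# Constructed sample modelled on the thread's report. The Run- section is an assumption
# added to reproduce the entry Ander found in regedit; StartupList 1.51 may not list it.
SAMPLE_REPORT = r"""
StartupList report, 2/23/2003, 1:01:31 AM
Detected: Windows XP SP1 (WinNT 5.01.2600)
==================================================

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run-

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}

--------------------------------------------------
"""

SECTION_BREAK = re.compile(r"^-{10,}\s*$", re.M)
OS_LINE = re.compile(r"^Detected:\s+.+?\s+\((?P<kernel>Win\w+)\s+[\d.]+\)", re.M)
ENTRY = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>.+)$")
BHO = re.compile(r"^\((?P<name>[^)]*)\)\s*-\s*(?P<path>.+?)\s*-\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})$")
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".dll")
WIN9X_ONLY = {"scanreg.exe", "scanregw.exe"}  # Win9x/ME registry checker; not shipped with XP
Finding = namedtuple("Finding", "location name target reason")

def command_target(value):
    """Executable path from a Run-key command line; unquoted paths may contain spaces,
    so grow the prefix token by token until it ends in an executable extension."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    tokens = value.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return tokens[0] if tokens else ""

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_kernel(report):
    m = OS_LINE.search(report)
    return m.group("kernel") if m else ""

def audit(report):
    """Return a Finding for every entry that warrants a second look."""
    nt_family = detect_kernel(report).startswith("WinNT")
    findings = []
    for chunk in SECTION_BREAK.split(report):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if not lines:
            continue
        header = lines[0]
        if header.startswith("Autorun entries from Registry:") and len(lines) > 1:
            key = lines[1]
            for line in lines[2:]:
                m = ENTRY.match(line)
                if not m:
                    continue
                name, value = m.group("name"), m.group("value")
                # On 9x/ME, MSConfig really does park disabled items under Run-; on XP it does not.
                if nt_family and key.rstrip("\\").endswith("-"):
                    findings.append(Finding(key, name, value,
                        r"under a Run- key; XP keeps MSConfig-disabled items in Shared Tools\MSConfig\startupreg, so this is a leftover or was written by something else"))
                if nt_family and basename(command_target(value)) in WIN9X_ONLY:
                    findings.append(Finding(key, name, value,
                        "Win9x/ME-only registry checker on an NT-family system; the file does not ship with XP, so check what is really at that path"))
        elif header.startswith("Enumerating Browser Helper Objects:"):
            for line in lines[1:]:
                m = BHO.match(line)
                if m and m.group("name").strip().lower() == "no name":
                    findings.append(Finding("BHO", m.group("clsid"), m.group("path"),
                        "Browser Helper Object registered without a name; identify the DLL's vendor before trusting it"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"[{f.location}] {f.name} -> {f.target}\n    {f.reason}")
```

Run it as-is to see the findings from the sample, or pass a saved report to `audit()`. It deliberately never touches the registry: it works on the text the thread already has, and on a live machine the next step is still to look at what is actually at a flagged path before deleting anything.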
Short URL to this thread: https://techguy.org/118559
