Second, I understand that in this forum you're supposed to have a Hijack Log, but as part of the solution suggested by Darth, I have another type of log to show the problem... Please bear with me.
Problem:
Something, at boot time, is replacing c:\winnt\system32\regsvr32.exe with a 0 byte length, regsvr32.exe. This causes a few problems when trying to install some applications.
I downloaded an application, filemon.exe, to trace any modifications to regsvr32.exe and had it start at boot. The following is the output of the log:
1 6:12:32 PM DeleteSatellite:804 IRP_MJ_CREATE C:\WINNT\system32\regsvr32.exe SUCCESS Options: OpenIf Access: All
2 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
3 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLEANUP C:\WINNT\system32\regsvr32.exe SUCCESS
4 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
5 6:12:32 PM DeleteSatellite:804 IRP_MJ_CREATE C:\WINNT\system32\regsvr32.exe SUCCESS Options: Open Access: All
6 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
7 6:12:32 PM DeleteSatellite:804 FASTIO_QUERY_STANDARD_INFO C:\WINNT\system32\regsvr32.exe SUCCESS Length: 0
8 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLEANUP C:\WINNT\system32\regsvr32.exe SUCCESS
9 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
10 6:12:32 PM DeleteSatellite:804 IRP_MJ_CREATE C:\WINNT\system32\regsvr32.exe SUCCESS Options: Open Access: All
11 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
12 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLEANUP C:\WINNT\system32\regsvr32.exe SUCCESS
13 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
14 6:12:32 PM DeleteSatellite:804 IRP_MJ_CREATE C:\WINNT\system32\regsvr32.exe SUCCESS Options: OpenIf Access: All
15 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
16 6:15:05 PM explorer.exe:1536 FASTIO_QUERY_OPEN C:\WINNT\system32\regsvr32.exe SUCCESS Attributes: A
17 6:15:05 PM explorer.exe:1536 FASTIO_QUERY_OPEN C:\WINNT\system32\regsvr32.exe SUCCESS Attributes: A
18 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CREATE C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS Options: Open Access: All
19 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CREATE C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS Options: Open Access: All
20 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_QUERY_VOLUME_INFORMATION C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS FileFsVolumeInformation
21 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_QUERY_INFORMATION C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS FileInternalInformation
22 6:15:05 PM AVGUARD.EXE:820 FASTIO_QUERY_STANDARD_INFO C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS Length: 0
23 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CLEANUP C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS
24 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CLOSE C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS
25 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
26 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CREATE C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS Options: Open Access: All
27 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_QUERY_VOLUME_INFORMATION C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS FileFsVolumeInformation
28 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_QUERY_INFORMATION C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS FileInternalInformation
29 6:15:05 PM AVGUARD.EXE:820 FASTIO_QUERY_STANDARD_INFO C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS Length: 0
30 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CLEANUP C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS
31 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CLOSE C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS
32 6:15:05 PM AVGUARD.EXE:820 FASTIO_QUERY_STANDARD_INFO C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS Length: 0
33 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CLEANUP C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS
34 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CLOSE C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS
35 6:15:05 PM explorer.exe:1536 IRP_MJ_CREATE C:\WINNT\system32\regsvr32.exe SUCCESS Options: Open Access: All
36 6:15:05 PM explorer.exe:1536 IRP_MJ_CREATE C:\WINNT\system32\regsvr32.exe SUCCESS Options: Open Access: All
37 6:15:05 PM explorer.exe:1536 IRP_MJ_QUERY_VOLUME_INFORMATION C:\WINNT\system32\regsvr32.exe SUCCESS FileFsVolumeInformation
38 6:15:05 PM explorer.exe:1536 IRP_MJ_QUERY_INFORMATION C:\WINNT\system32\regsvr32.exe SUCCESS FileInternalInformation
39 6:15:05 PM explorer.exe:1536 FASTIO_QUERY_STANDARD_INFO C:\WINNT\system32\regsvr32.exe SUCCESS Length: 0
40 6:15:05 PM explorer.exe:1536 IRP_MJ_CLEANUP C:\WINNT\system32\regsvr32.exe SUCCESS
41 6:15:05 PM explorer.exe:1536 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
42 6:15:05 PM explorer.exe:1536 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
43 6:15:05 PM explorer.exe:1536 IRP_MJ_CREATE C:\WINNT\system32\regsvr32.exe SUCCESS Options: Open Access: All
44 6:15:05 PM explorer.exe:1536 IRP_MJ_QUERY_VOLUME_INFORMATION C:\WINNT\system32\regsvr32.exe SUCCESS FileFsVolumeInformation
45 6:15:05 PM explorer.exe:1536 IRP_MJ_QUERY_INFORMATION C:\WINNT\system32\regsvr32.exe SUCCESS FileInternalInformation
46 6:15:05 PM explorer.exe:1536 FASTIO_QUERY_STANDARD_INFO C:\WINNT\system32\regsvr32.exe SUCCESS Length: 0
47 6:15:05 PM explorer.exe:1536 IRP_MJ_CLEANUP C:\WINNT\system32\regsvr32.exe SUCCESS
48 6:15:05 PM explorer.exe:1536 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
49 6:15:05 PM explorer.exe:1536 FASTIO_QUERY_BASIC_INFO C:\WINNT\system32\regsvr32.exe SUCCESS Attributes: A
50 6:15:05 PM explorer.exe:1536 IRP_MJ_SET_INFORMATION C:\WINNT\system32\regsvr32.exe SUCCESS FileBasicInformation
51 6:15:05 PM explorer.exe:1536 IRP_MJ_READ C:\WINNT\system32\regsvr32.exe END OF FILE Offset: 0 Length: 12
52 6:15:05 PM explorer.exe:1536 IRP_MJ_CLEANUP C:\WINNT\system32\regsvr32.exe SUCCESS
53 6:15:05 PM explorer.exe:1536 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
Line 7 shows a "Length: 0", which I assume is where the change to a 0 byte regsvr32.exe is taking place. So I think this DeleteSatellite process, i.e., SpyCatcher, is doing the dirty work.
Can anyone give me an idea of why/what's going on? What should I do about it?
What can I do about it?
Thanks...
Duane
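To make triage of a Filemon trace like the one above repeatable, here is an added Python example (not from the original post or from the Filemon/SpyCatcher projects) that parses lines in the layout shown (sequence, time, process:pid, operation, path, result, detail), finds the first event that reports the target file at "Length: 0", and lists which processes had opened it with a create-capable option (OpenIf, Create, Overwrite) at or before that point. The sample lines are a constructed subset modelled on the posted log; the parser assumes paths contain no spaces, which holds here.

```python
import re

# Constructed sample, modelled on the Filemon output in the post (a subset of its lines).
SAMPLE = r"""
1 6:12:32 PM DeleteSatellite:804 IRP_MJ_CREATE C:\WINNT\system32\regsvr32.exe SUCCESS Options: OpenIf Access: All
2 6:12:32 PM DeleteSatellite:804 IRP_MJ_CLOSE C:\WINNT\system32\regsvr32.exe SUCCESS
7 6:12:32 PM DeleteSatellite:804 FASTIO_QUERY_STANDARD_INFO C:\WINNT\system32\regsvr32.exe SUCCESS Length: 0
18 6:15:05 PM AVGUARD.EXE:820 IRP_MJ_CREATE C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS Options: Open Access: All
22 6:15:05 PM AVGUARD.EXE:820 FASTIO_QUERY_STANDARD_INFO C:\WINNT\SYSTEM32\REGSVR32.EXE SUCCESS Length: 0
51 6:15:05 PM explorer.exe:1536 IRP_MJ_READ C:\WINNT\system32\regsvr32.exe END OF FILE Offset: 0 Length: 12
"""
SAMPLE_LINES = SAMPLE.strip().splitlines()

# Assumed Filemon line layout: seq time process:pid operation path result [detail].
# Assumption: the path field has no embedded spaces (true for the log above).
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>\S+):(?P<pid>\d+)\s+(?P<op>\S+)\s+(?P<path>\S+)\s+"
    r"(?P<result>SUCCESS|END OF FILE|NOT FOUND|ACCESS DENIED|\S+)\s*(?P<detail>.*)$"
)
ZERO_LEN_RE = re.compile(r"Length: 0(?!\d)")          # "Length: 0" but not "Length: 012"
CREATE_OPT_RE = re.compile(r"Options: (OpenIf|Create|Overwrite)")

def parse(lines):
    """Turn raw Filemon lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines) if m]

def triage(events, target):
    """Locate the first zero-length observation of `target` (case-insensitive, as NTFS
    names are) and attribute which processes could have created or truncated it."""
    hits = [e for e in events if e["path"].lower() == target.lower()]
    first_zero = next((e for e in hits if ZERO_LEN_RE.search(e["detail"])), None)
    if first_zero is None:
        return None                                     # file never seen empty in this trace
    zero_seq = int(first_zero["seq"])
    # Opens with a create-capable option at or before the file was first seen empty:
    # these are the handles that could have produced the 0-byte file.
    creators = [(e["proc"], int(e["pid"]), int(e["seq"])) for e in hits
                if int(e["seq"]) <= zero_seq and e["op"] == "IRP_MJ_CREATE"
                and CREATE_OPT_RE.search(e["detail"])]
    # Processes that only touched the file afterwards (scanners, Explorer) are observers.
    observers = sorted({e["proc"] for e in hits if int(e["seq"]) > zero_seq})
    return {"first_zero_seq": zero_seq, "first_zero_proc": first_zero["proc"],
            "create_capable_opens": creators, "later_observers": observers}

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LINES), r"C:\WINNT\system32\regsvr32.exe"))
```

A zero-length query only proves the file was already empty by that event, so the truncation happened at or before it; the create-capable opens list is where to look for the writer, while later observers such as an on-access scanner are usually just reacting to the damage.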