What a mess. Help please.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by commus, Sep 29, 2004.

  1. commus

    commus Private E-2

    I am helping a friend who seems to love going to places and clicking links when he sees things like "Free". He normally uses the computer for business but gets bored and starts browsing more than just business-associated sites. Okay...same sad story...right?

    Well. He installed a new printer then had problems and uninstalled it. When he tried to re-install it the machine started giving him the message "Registry editing has been disabled by the administrator".

    I had provided him with Avast Anti-Virus and Ad-Aware but he had not been running the Ad-Aware scans regularly on a free copy.

    I've run all the processes in your suggested area but it just keeps happening.

    I have run scans with Ad-Aware SE including VX2, SpyBot, About Buster, CWShredder, HSRemove, Kill2me, McAfee Avert. All except McAfee were run in safe mode with System Restore turned off.

    I hope this is the correct area to post this problem.

    The machine is a Dell running XP Home.

    I have HJT available and can run the log at your request.

    Many, Many thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run and then enter gpedit.msc and click okay.
    Now select USER CONFIGURATION then ADMINISTRATIVE TEMPLATES then SYSTEM
    Now in the right pane find PREVENT ACCESS TO REGISTRY EDITING TOOLS and right click on it.
    Select Properties and change it from Enabled to Not Configured

    See if that helps!
     
  3. commus

    commus Private E-2

    This is an XP home operating system. Isn't gpedit.msc a part of XP Pro?

    I do not find it on the machine.

    Just to add a little more I am able to change the registry key with a third party registry editor but when the machine is re-booted the regedit is again blocked.

     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're right, gpedit.msc is not in XP Home. I forgot about that. Need to explore other ideas. Try the following:

    Click Start, Run and copy and paste in the below command

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

    Now click Start, Run and type Regedit to check if you're able to launch Registry Editor
     
  5. commus

    commus Private E-2

    Yes this does work when it is run; however, when the computer is restarted the original error message shows up again.

    The same problem as with the 3rd party registry editor.

    This is what makes me believe that there is spyware on the computer.

    Any other advice?

    Many thanks.

    :rolleyes: :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the following: copy & paste all the lines below the =========== into a file named EnableRegistryEdit.vbs.
    Then locate that file with Windows Explorer and double click on it. Tell me how this works out.

    ==============
    'Enable Registry Editing'
    '© Veegertx - 4/7/2004
    'This code may be freely distributed/modified
    On Error Resume Next
    'Prevents errors from values that don't exist
    Set WshShell = WScript.CreateObject("WScript.Shell")
    'Delete DisableRegistryTools registry values (the HKLM one needs an administrator account)
    WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    'display message
    Message = "You should have access to Regedit now"
    X = MsgBox(Message, vbOKOnly, "Done")
    Set WshShell = Nothing
     
  7. commus

    commus Private E-2

    Many thanks for your response.

    I'm afraid it is the same situation as before.

    When the script is run I am able to start regedit. But as soon as the machine is restarted it is gone again.



     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post a current HijackThis scan as a .txt file attachment.
     
  9. commus

    commus Private E-2

    It is attached.



     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please get the proper version of HijackThis. The link is in the READ ME FIRST.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are these items that you chose to setup:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scanthenet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.viewpornkey.com/se.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:search

    What do you expect your home page and search pages to be?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'm going to assume that none of these are what you want because I believe some of them are part of the problem.

    So run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.scanthenet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.viewpornkey.com/se.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:search
    O2 - BHO: (no name) - {E3BB58FA-9E29-5453-8515-DD85FF9C16C7} - C:\WINDOWS\system32\iemo32.dll
    O4 - HKLM\..\Run: [SyncUpd] regedit.exe -s C:\WINDOWS\sysreg.reg
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchmiracle.com
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

    Now reboot in safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\iemo32.dll
    C:\WINDOWS\sysreg.reg

    Now empty your recycle bin.

    Now reboot normal mode and tell me how things are working. Also reset your home page to what you would like to use.
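The key line in the HijackThis log above is the Run entry `[SyncUpd] regedit.exe -s C:\WINDOWS\sysreg.reg`: a silent .reg import at every logon re-applies the DisableRegistryTools policy, which is why REG ADD and the VBS script worked only until the next reboot. The following triage script is an added example, not code from this thread or from HijackThis; it parses HJT-style O4/O7 lines, checks whether the imported .reg re-sets a restrictive policy value, and prints the XP-era reg.exe commands that break the loop. The Avast Run line, the contents of sysreg.reg (which was never posted) and the extra policy names beyond DisableRegistryTools are constructed assumptions.

```python
"""Triage of HijackThis-style log lines for policy persistence (added example).

Finds a Run entry that silently re-imports a .reg file at logon, checks whether
that file re-applies a restrictive policy value, and emits reg.exe commands that
remove the loop. Sample log lines and .reg contents are constructed.
"""
import re
from dataclasses import dataclass

# HijackThis prints the O7 entry as "DisableRegedit"; the actual registry
# value (the one REG ADD and the VBS script touch) is DisableRegistryTools.
HJT_O7_LABEL_TO_VALUE = {"DisableRegedit": "DisableRegistryTools"}

# Policy values that lock users out of admin tooling when non-zero.
# DisableRegistryTools is from the thread; the others are assumed extras.
RESTRICTIVE_POLICY_VALUES = {"DisableRegistryTools", "DisableTaskMgr", "NoRun"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<label>\w+)=(?P<data>\d+)$")
# Matches "regedit.exe -s x.reg", "regedit /s x.reg" and "reg import x.reg".
SILENT_IMPORT_RE = re.compile(
    r'(?:regedit(?:\.exe)?\s+[/-]s\s+|reg(?:\.exe)?\s+import\s+)"?(?P<path>[^"\s]+\.reg)"?',
    re.IGNORECASE,
)
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


@dataclass
class Finding:
    kind: str    # "reg-import-at-logon" or "policy-active"
    line: str    # the HJT line it came from
    detail: str  # .reg path, or the real policy value name


def parse_hjt(lines):
    """Flag Run entries that import a .reg silently and O7 policies that are set."""
    findings = []
    for line in (l.strip() for l in lines):
        m4 = O4_RE.match(line)
        if m4:
            im = SILENT_IMPORT_RE.search(m4.group("cmd"))
            if im:
                findings.append(Finding("reg-import-at-logon", line, im.group("path")))
            continue
        m7 = O7_RE.match(line)
        if m7 and m7.group("data") != "0":
            value = HJT_O7_LABEL_TO_VALUE.get(m7.group("label"), m7.group("label"))
            findings.append(Finding("policy-active", line, value))
    return findings


def restrictive_values_in_reg(reg_text):
    """Return (key, value) pairs under a Policies key that the .reg sets non-zero."""
    hits, key = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "\\Policies\\" in key:
            m = REG_VALUE_RE.match(line)
            if m and m.group("name") in RESTRICTIVE_POLICY_VALUES and int(m.group("hex"), 16):
                hits.append((key, m.group("name")))
    return hits


def explain_persistence(findings, reg_files):
    """Link each logon-time import to the policy values its .reg re-applies.
    reg_files maps the path as written in the Run entry to that file's text."""
    chain = []
    for f in findings:
        if f.kind == "reg-import-at-logon":
            hits = restrictive_values_in_reg(reg_files.get(f.detail, ""))
            if hits:
                chain.append((f.line, f.detail, hits))
    return chain


def remediation_commands(findings):
    """XP-syntax commands in safe order: remove the Run entry and its .reg first,
    then clear the policy value it kept resetting."""
    cmds = []
    for f in findings:
        if f.kind == "reg-import-at-logon":
            m4 = O4_RE.match(f.line)
            run_key = m4.group("hive") + r"\Software\Microsoft\Windows\CurrentVersion\Run"
            cmds.append(f'reg delete "{run_key}" /v "{m4.group("name")}" /f')
            cmds.append(f'del "{f.detail}"')
    for f in findings:
        if f.kind == "policy-active":
            m7 = O7_RE.match(f.line)
            cmds.append(f'reg delete "{m7.group("key")}" /v {f.detail} /f')
    return cmds


# Constructed sample: two lines from the thread's log plus an assumed benign Avast entry.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [SyncUpd] regedit.exe -s C:\WINDOWS\sysreg.reg",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
]
# Constructed guess at what such a sysreg.reg contains; the real file was not posted.
SAMPLE_SYSREG_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT_LINES)
    reg_files = {r"C:\WINDOWS\sysreg.reg": SAMPLE_SYSREG_REG}
    for run_line, path, hits in explain_persistence(found, reg_files):
        print(f"{run_line}\n  re-applies {hits} from {path} at every logon")
    print("\n".join(remediation_commands(found)))
```

Running it prints the SyncUpd entry linked to the DisableRegistryTools value it re-applies, followed by the reg delete and del commands; the BHO file iemo32.dll from the same log is a separate cleanup step and is not handled here.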
     
  13. commus

    commus Private E-2

    Home page should be - http://sandiego.cox.net/
    Search should be - yahoo.com.

    Yep, he's been into porn again. He keeps clicking those links in spam. They just don't learn, do they?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Then fix all the stuff I gave you and then reset the home page when done.

    Let me know how it works out. Gotta get some sleep now! 3:00 am here.
     
