Error Creating Registry Key

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kroballs, May 20, 2006.

  1. kroballs

    kroballs Private E-2

    I am having a problem running anti-spyware, etc. When I run spysweeper the computer shuts down. When I run trendmicro housecall it shuts down, etc. Same with spyware Doctor. I tried to run Read & Run me first but when I tried to install Spybot I got:

    Error creating registry key:
    HKEY_LOCAL_MACHINES\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2053-2644-20607942484F}
    RegCreateKeyEx failed; code 5.
    Access is Denied
    Abort, retry, or ignore.

    Not sure what to do to complete installation of spybot and continue with READ & RUN ME FIRST.

    System is:
    HP Pavilion N5440 Laptop
    Windows XP SP2 OS
    846 MHz, 512 MB RAM

    Hope this is all you need. Just want to move forward on the READ & RUN ME FIRST to get rid of this malware. Any help would be greatly appreciated.
    J
     
  2. kroballs

    kroballs Private E-2

    ok I got spybot installed in safe mode.
    -I ran Ccleaner
    -I ran Microsoft Windows Malicious Software Removal Tool- No malicious software.
    -I ran Ad-Aware SE- 2MRU's & 10 cookies
    -I ran Spybot S&D- Computer shutdown while running (in safe mode)
    -I ran Microsoft Windows Defender- No problems
    -I ran CWShredder- None infected
    -I ran Kill2Me- No signs of infection.
    -I ran Bitdefender- Shut computer down in middle of scan. (in safe mode with networking).

    Don't know where to go from here, can't get any logs to post. Any help would be appreciated. :mad:
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Get through whatever you can. Post the logs that you have, HijackThis is necessary.
     
  4. kroballs

    kroballs Private E-2

    To get back to where I am:

    System is:
    HP Pavilion N5440 Laptop
    Windows XP SP2 OS
    846 MHz, 512 MB RAM
    Pentium III

    Just started getting in McAfee numerous blocked attempts of trojan-clicker.win32.ub.ij

    Also Windows defender is giving me a Possible Hosts File Hijack (c:\windows\system32\drivers\etc\hosts.)

    I ran thru READ & RUN ME FIRST, here's a breakdown.

    CCleaner- ran and deleted some files not sure what.
    Windows Malicious Software Removal Tool- No Malicious Software found.
    Ad-Aware SE- 2 MRU'S & 10 Cookies.
    Spybot S&D- Computer shutdown (in safe mode) about 3/4 way thru scan.
    Windows Defender- Reported No problems.
    CWShredder- None Infected.
    Kill2Me- No signs of infection.
    Bitdefender- Computer shutdown (in safe mode with networking) during scan.
    Panda Active- Scanned My Computer (whoops) came up with 4 spyware & 1 hacking tool & potentially unwanted tools. When completed the program locked explorer and was unable to get report.
     
  5. kroballs

    kroballs Private E-2

    Sorry about double post had a problem
    To get back to where I am:

    System is:
    HP Pavilion N5440 Laptop
    Windows XP SP2 OS
    846 MHz, 512 MB RAM
    Pentium III

    Just started getting in McAfee numerous blocked attempts of trojan-clicker.win32.ub.ij

    Also Windows defender is giving me a Possible Hosts File Hijack (c:\windows\system32\drivers\etc\hosts.)

    I ran thru READ & RUN ME FIRST, here's a breakdown.

    CCleaner- ran and deleted some files not sure what.
    Windows Malicious Software Removal Tool- No Malicious Software found.
    Ad-Aware SE- 2 MRU'S & 10 Cookies.
    Spybot S&D- Computer shutdown (in safe mode) about 3/4 way thru scan.
    Windows Defender- Reported No problems.
    CWShredder- None Infected.
    Kill2Me- No signs of infection.
    Bitdefender- Computer shutdown (in safe mode with networking) during scan.
    Panda Active- Scanned My Computer (whoops) came up with 4 spyware & 1 hacking tool & potentially unwanted tools. When completed the program locked explorer and was unable to get report.
    Panda Active- Scanned Local Disks and came up with 2 spywares as in report below.

    Hopefully everything can point me in the right direction. Thank you.
    J
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Qoologic/Winsync/Kavsvc.

    There should be 3 logs. One each from FindQool, RK Tool, and WinPFind.
    Post them when finished.
     
  7. kroballs

    kroballs Private E-2

    Here they are:
    J
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Follow the Directions for the following:
    Running Hoster
    Look2Me VX2 Removal

    Copy the contents of the below quote box to Notepad, Save As FixReg.reg to your Desktop. Do not run it just yet. We will do that later in Safe Mode.
    Close Notepad.

    Scan with HijackThis and fix the following lines.
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop; double-click on it and answer 'Yes' when asked if you want to merge with the registry

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the log from the Look2Me removal procedure and a fresh HijackThis log.
     
  9. kroballs

    kroballs Private E-2

    Here's where I am:

    Running Hoster-Ran
    Look2Me VX2 Removal-Ran

    Do not have notepad so I copied the quotebox contents to wordpad?

    Scan with HijackThis and fix the following lines- Lines were all ok

    Pocket Killbox- Ran

    booted into SAFE MODE

    Located FixReg.reg on your Desktop; double-click on it and answer 'Yes' when asked if you want to merge with the registry - Received an error:
    The specified file is not a registry script. You can only import binary registry files from within the registry editor.

    Opened Windows Explorer navigate and DELETEd the following:

    C:\WINDOWS\SYSTEM\SBUtils <<=== Delete the Folder
    C:\WINDOWS\keyboard91.dat <<=== No File
    C:\WINDOWS\SYSTEM32\wkhhmml.exe <<=== No File
    C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak <<=== host file not a host.bak file. Did not do anything wasn't sure whether to delete or not.
    C:\WINDOWS\system32\ckodm.dll <<=== No File

    Ran CCleaner. Deleted the contents of C:\WINDOWS\Prefetch

    Ran Cleanmgr

    Still getting Possible Hosts File Hijack (c:\windows\system32\drivers\etc\hosts.) in Windows defender. I'm sure it is because I didn't delete the host file (wasn't host.bak)?

    Also log files from Look2Me removal procedure and a fresh HijackThis log.

    Thank you
    J
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You don't delete the hosts file; it is a necessary file.

    Follow the directions for Using GetRunKey.

    Post runkey.txt when finished.
     
  11. kroballs

    kroballs Private E-2

    Runkey.txt attached:

    J
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do the following:
    Click Start -> Run.
    Type cmd and press ENTER

    At the command prompt
    Type NSCheck /uninstall and press ENTER

    If an uninstaller didn't run let me know.
     
  13. kroballs

    kroballs Private E-2

    I got a message that said:

    Windows cannot find 'NSCheck/Uninstall'. Make sure that you typed the name correctly, and then try again. To search for a file click the start button and then click search.
     
  14. kroballs

    kroballs Private E-2

    I also saw that when I do Ctrl+Alt+Delete, in the window I only have the programs running, I can't switch to processes or even shut down. No menus at the top.
    Also because I don't like McAfee should I uninstall it and install Avast or another AV? Also since I am only using windows firewall should I download one, or should I wait until things get clean (hopefully)? Because I am running off a cable modem wirelessly using a Netgear USB adapter do I even need a firewall? I was told by someone @ the cable company that the modem is a firewall in itself, especially being wireless?
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There are two schools of thought when running a router. One is that you don't need a firewall and the other is that you should run a software firewall. I subscribe to the second school of thought.

    Not all wireless routers are built equally; meaning that most low end consumer routers do not come with hardware firewalls.

    I am behind a Wireless NAT router with a hardware firewall; and I still run a software firewall. It's a bit redundant. I use a layered protection system: if you break through the first layer there is a second layer of protection there to stop you.

    Make sure you do and understand the following procedures:
    How to view hidden, system files & folders!
    Searching for Hidden Files on WinXP

    Copy the contents of the below quote box to Notepad, Save As FixReg.reg to your Desktop. Do not run it just yet we will do that in Safe Mode.
    Close Notepad.

    REBOOT to Safe Mode.

    Locate FixReg.reg on your Desktop. Double-click it and answer 'Yes' when asked if you want to merge with the Registry.

    Next open Windows Explorer and Delete the following:
    Close Windows Explorer.

    Next, using the Search function in the Start Menu, search for and delete every occurrence of the following:
    NOTE: make sure you follow Searching for Hidden Files on WinXP

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  16. kroballs

    kroballs Private E-2

    Copied the contents of the quote box to Notepad, Saved As FixReg.reg to the Desktop.

    REBOOTed to Safe Mode.

    Located FixReg.reg on your Desktop. Double-click it and answer 'Yes' when asked if you want to merge with the Registry.
    Got error: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

    Next open Windows Explorer and Deleted the following:


    C:\windows\system32\Downloaded Program Files\setup.exe-nofile
    C:\windows\system32\model.dat-no file
    C:\windows\system32\silc_dll.dll-no file
    C:\windows\system32\opnsqr.exe-no file
    C:\windows\system32\cosscfg.exe-no file
    C:\windows\system32\LDPackage.dll-no file
    C:\windows\system32\opls.dll -no file
    Also searched with explorer in advanced mode just in case I may have missed them; no file came up for any of them in searches.

    Next using the Search function in the Start Menu. Search for and delete every occurrence of the following:
    Quote:
    Ossproxy.exe-no file
    Nscheck.exe-no file
    Okshook.dll-no file
    Csloa.dll -no file
    searched numerous times for each one no sign of any.

    Also I ran Hijack this and fixed the log from one of your previous posts, I misunderstood you. When you said to fix the lines I thought they were supposed to match what you wrote. I have fixed those lines & a new HJT log is below.
    J
     

    Attached Files:
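
The "not a registry script" error reported in posts 9 and 16 usually means regedit did not find a recognised header on the first line of the file, for example because WordPad saved it as rich text or extra text was pasted above the header. The following is an added example, not part of the original thread; the function names, verdict codes and sample file contents are constructed for illustration.

```python
"""Diagnose why a saved .reg file is rejected as "not a registry script"."""
import codecs

# Header lines regedit recognises at the top of a registry script.
VALID_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

ADVICE = {
    "empty": "File has no content; the quote box was not pasted.",
    "rtf": "File is Rich Text (WordPad default); re-save as plain text.",
    "header-ok": "Header is on line 1; the format is not the problem.",
    "no-header": "No registry header found; copy the whole quote box.",
    "header-late": "Header is not on line 1; delete everything above it.",
}


def decode_text(data: bytes) -> str:
    """Decode by byte-order mark, falling back to the ANSI code page."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    if data.startswith(codecs.BOM_UTF8):
        return data.decode("utf-8-sig")
    return data.decode("cp1252", errors="replace")


def diagnose_reg_file(data: bytes) -> str:
    """Return a verdict code for the raw bytes of a .reg file."""
    if not data.strip():
        return "empty"
    # RTF documents start with the control word {\rtf
    if data.lstrip().startswith(b"{\\rtf"):
        return "rtf"
    lines = decode_text(data).splitlines()
    if lines and lines[0].rstrip() in VALID_HEADERS:
        return "header-ok"
    # Assumption: a header below a blank line or stray text is treated
    # as a failure, since the header is expected on the first line.
    for number, line in enumerate(lines[1:], start=2):
        if line.strip() in VALID_HEADERS:
            return f"header-on-line-{number}"
    return "no-header"


def explain(verdict: str) -> str:
    """Map a verdict code to a one-line remediation hint."""
    if verdict.startswith("header-on-line-"):
        return ADVICE["header-late"]
    return ADVICE[verdict]


# Constructed sample files; the key name is a placeholder.
BODY = "[-HKEY_LOCAL_MACHINE\\SOFTWARE\\ExamplePlaceholder]\r\n"
SAMPLES = {
    "ansi": ("REGEDIT4\r\n\r\n" + BODY).encode("cp1252"),
    "unicode": codecs.BOM_UTF16_LE
    + ("Windows Registry Editor Version 5.00\r\n\r\n" + BODY).encode("utf-16-le"),
    "wordpad": b"{\\rtf1\\ansi\\deff0 REGEDIT4\\par }",
    "blank-first": ("\r\nREGEDIT4\r\n\r\n" + BODY).encode("cp1252"),
    "quote-label": ("Quote:\r\nREGEDIT4\r\n\r\n" + BODY).encode("cp1252"),
    "body-only": BODY.encode("cp1252"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = diagnose_reg_file(raw)
        print(f"{name:12} {verdict:18} {explain(verdict)}")
```
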

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If the files aren't there, they aren't there. Your HijackThis log is clean.

    Do the following:
    Start -> Run
    type regedit
    click 'OK'

    Registry Editor will open. Navigate to the following key and complete the action indicated for each key/value. Some or all of these may not be present.
     
  18. kroballs

    kroballs Private E-2

    Registry Editor will open. Navigate to the following key and complete the action indicated for each key/value.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\windows\system32\opnsqr.exe
    <<=== No file but odd file didn't start with C:windows file was %windir%\system32\sessmgr.exe

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\windows\system32\opnsqr.exe
    <<=== No file same odd file %windir%\system32\sessmgr.exe

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\windows\system32\opnsqr.exe
    <<=== no folder for ControlSet002

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\windows\system32\opnsqr.exe
    <<=== No file same odd file %windir%\system32\sessmgr.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
    C:\WINDOWS\Downloaded Program Files\setup.exe
    <<=== deleted folder

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    OSSProxy
    <<=== no file

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setup.exe <<=== deleted
     
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  20. kroballs

    kroballs Private E-2

    Before I do these I am still getting two things that come up:

    Still getting Possible Hosts File Hijack (c:\windows\system32\drivers\etc\hosts.) in Windows defender.

    & still getting in McAfee numerous blocked attempts of trojan-clicker.win32.ub.ij
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Running Hoster.

    Post the McAfee log so I can see what it is finding.
     
  22. kroballs

    kroballs Private E-2

    I ran a McAfee scan and it shut down the PC with only a little bit left. The scan had found nothing at that point, so I couldn't get a log. Didn't know where to look either. Looked in McAfee's folder but nothing there. The numerous blocked attempts of trojan-clicker.win32.ub.ij I am to assume are blocks and are a good thing. Just annoying. Any way of stopping it?

    Possible Hosts File Hijack (c:\windows\system32\drivers\etc\hosts.) in Windows defender only occurs when I startup or reboot.

    At one point I had Surfside kick; could this be residual, as I only deleted it by deleting all the files that were created @ that time I got it.

    This very frustrating and I appreciate all your help.
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  24. kroballs

    kroballs Private E-2

    I ran Surf side removal and everything was gone except when I ran sskXP.exe it erased a whole bunch of files.

    I then ran (in safe mode) a whole bunch of spyware. First I ran S&D and was able to complete it. There were 5 problems which were erased. Then ran spy sweeper with 6 cookies and nothing else. Also ran Ad-Aware and a few cookies and some MRU's.

    I then saw your post. So I started to run Spysweeper (normal mode) and in the first scan the computer shutdown about 5 minutes into the scan. Reran it again got about ten minutes into it and the computer locked up. So I don't have a log unless I do one in safe mode.

    Am still getting the
    1.) Possible Hosts File Hijack (c:\windows\system32\drivers\etc\hosts.) in Windows defender only occurs when I startup or reboot.

    2.) The numerous blocked attempts of trojan-clicker.win32.ub.ij. About every 15 minutes or so.

    3.) Also in Spysweeper startup shield I have a file called rttrd that just came about. Have enclosed a screen shot of the detail screen below.

    4.) Still don't have full Windows Task Manager screen (no tabs for process, etc. and no drop down menus i.e. File, Shutdown). The other user account the task manager is ok.

    Also enclosed is a new HJT log. In regards to uninstalling McAfee, if I go that far I am going to reinstall Avast! (if that is ok) I tried on a computer and like it a lot. I never liked Aol safety & security center. It is such a slow program, like trying to steer a cruise ship. Hope this helps.
    J
     

    Attached Files:

  25. kroballs

    kroballs Private E-2

    I deleted McAfee and loaded Avast! It came up with a trojan during the boot time scan and 3 trojans & viruses during a regular scan. I have enclosed a screen shot of the virus chest for you to take a look at. Not sure if these files can be deleted or not. The boot time file said that it can't be repaired? Also when I did a thorough scan it shut the computer down, twice. Also, enclosed is a new HJT log.
     

    Attached Files:

  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Empty the Virus Chest. Scan again. With the exception of the stuff in System Restore, what was found this time?
     
  27. kroballs

    kroballs Private E-2

    Deleted virus chest and Scanned again. Log is attached below. Ran Spysweeper after and log is attached below as well. You can see in the log the scans that were started and just stopped.

    I turned off the automatic startup of spysweeper and the windows defender has not come up with the Possible Hosts File Hijack (c:\windows\system32\drivers\etc\hosts.) It comes up when spysweeper starts. So I am to assume that it is considering spysweeper as the Possible Hosts File Hijack.

    Since I installed Avast! I haven't got any blocked attempts of trojan-clicker.win32.ub.ij.

    But in Spysweeper startup shield I still have a file called rttrd that just came about.

    Still don't have full Windows Task Manager screen (no tabs for process, etc. and no drop down menus i.e. File, Shutdown). The other user account the task manager is ok.

    Enclosed a copy of Avast! log & Spysweeper log.

    J
     

    Attached Files:

  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Exit both SpySweeper and Windows Defender. Shut both of them down completely, nothing running, not even in the system tray.

    Now run Hoster and reset your hosts file to the MS default Hosts.

    Post a fresh HijackThis log.
     
  29. kroballs

    kroballs Private E-2

    Fresh Hijack this:

    Closed everything down in system tray. Closed avast! turned off Zone alarm, everything that I could. The computer is running great, other than the programs shutting down during scans.
     

    Attached Files:

  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    What do you mean by programs shutdown during scans? The program doing the scan or a program that you are using during a scan?
     
  31. kroballs

    kroballs Private E-2

    The program that does the scan (i.e. Spysweeper) shuts down the PC. I am wondering if the computer is overheating and shutting down?
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Could be a problem with SpySweeper or hardware. If the computer only shuts down during a SpySweeper scan it may be an issue with SpySweeper. All your logs are coming back clean.
     
  33. kroballs

    kroballs Private E-2

    It has shut down on previous scans of S&D Spybot, Spysweeper, McAfee (before I removed it). The computer runs great now. I will set new restore points. Anything else that I should do? Also what should I do with all these programs that I have downloaded? Is it ok to keep them for future use and will they use up much space? Thank you for all your help. If I have any future problems with this same issue should I use this same thread or start a new one? Thank you again.
    J
     
  34. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If it's shutting down on all your protection software it could be something that is hiding from view in all the other logs; or it could be RAM.

    Download Blacklight Beta from here:
    http://www.f-secure.com/blacklight/try.shtml
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
  35. kroballs

    kroballs Private E-2

    Log posted below:

    No hidden items found during scan.

    The shutdown problem has become sporadic(?), before it happened on every Spyware & S&D Spybot scans and then went to McAfee before I uninstalled it. Now sometimes it shuts down and sometimes it completes scans, it completes it more often than not now.

    Also I forgot about the Windows task manager problem. Is there a way to repair it to the original task manager, so I can see all processes and networking, etc.

    J
     

    Attached Files:

  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Nothing in BlackLight.

    Sounds like Task Manager is running in what is called "Tiny Footprint Mode".

    To switch Task Manager to its normal display mode, double-click the top border of the Task Manager window.

    If that fails do the following:
    Click Start, and then click Run.
    Type taskmgr.exe.
    Hold down CTRL+ALT+SHIFT at the same time, and while holding them down press ENTER.
     
  37. kroballs

    kroballs Private E-2

    You are good. That's what it was.

    Everything is running great. The problem with shutting down I think is related to temp. I downloaded Everest Home Edition to check temp during scans. It started at around 90. It shut down once; when I restarted it went to 151 when I rebooted. The second time it shut down, when I rebooted it was at around 170. I can't believe that is good. What can I do to a laptop to keep it cool? When I run scans I elevate it so air can get underneath it and it doesn't shut down.

    Thank you for all your help.

    J
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're Welcome.

    There are a couple of after market solutions to increase air flow for laptops. There is a rubber/plastic mat that you place your laptop on that raises it off the table top, allowing more air to get to the laptop. Also there is a device called the laptop cooler, which is a fan/cooling unit that you put under your laptop to help keep it cool.

    You may need to clean the dust from the air ducts and fans on your laptop, which would require you to open your laptop case; that's an adventure itself.
     
