
Can't alter registry key ???



0x34h
2006-03-21, 05:08
I installed Visual Studio 8 (2005) and found that I liked my old version better. I removed VS8 and reinstalled VS6. However, the installer fails because it can not register the "PDM.DLL." This is the Program Debugger DLL. I used RegMon to see what was happening with the following result:


3575 22.11528969 regsvr32.exe:2608 OpenKey HKCR SUCCESS Access: 0x2000000
3576 22.11536980 regsvr32.exe:2608 CreateKey HKCR\ProcessDebugManager.7 ACCESS DENIED Access: 0x2 BIGGIN\0x34
3577 22.11540222 regsvr32.exe:2608 CreateKey HKCR\ProcessDebugManager.7 ACCESS DENIED Access: 0x2 BIGGIN\0x34
3578 22.11541367 regsvr32.exe:2608 CloseKey HKCR SUCCESS

I entered the registry and found that I can not change or alter either of these two keys:

ProcessDebugManager
ProcessDebugManager.7

Now, I recently removed an L2M infection, which did alter my administrative account keys. Is it possible that it still has me locked out of altering other things in my registry? :scratch:

Any help here would be GREATLY appreciated!!!!!!!!!!!

0x34h
2006-03-21, 06:27
Also, I used RegMon to locate 3 other keys which had their administrative options altered. All of the keys were Debug associated (as was the SeDebugPrivilege key, which was altered by L2M). I reset all the keys to their normal settings and have had no further trouble.

However, I wonder what else the L2M infection might have screwed with. Does anyone have a detailed list of changes this infection causes?

Thanks in advance!

0x34 :bigthumb:
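The two posts above describe registry keys whose permissions were changed so that even the administrator could not create or alter them (the RegMon trace shows CreateKey on HKCR\ProcessDebugManager.7 returning ACCESS DENIED), and a manual reset of those keys to their normal permissions. The following is an added example, not code from this thread or from any of its posters, showing how a defender would audit such keys for explicit Deny entries or a missing Administrators Full Control grant and then reset them. Assumptions: the key list is taken from the RegMon output as an illustration and is meant to be extended; the script runs from an elevated PowerShell 3.0 or later session; the `Registry::` prefix is used because HKCR is not a default PowerShell drive; and Get-Acl needs at least READ_CONTROL on the key, so a key that denies even that must have its owner reset in regedit (Permissions > Advanced > Owner) before the script can read it.

```powershell
# Added example, not code from the thread: audit registry keys for ACL tampering
# (explicit Deny ACEs, or BUILTIN\Administrators without Full Control), then reset.
# Run from an elevated PowerShell 3.0+ session. The key list is illustrative.

$keysToAudit = @(
    'Registry::HKEY_CLASSES_ROOT\ProcessDebugManager',
    'Registry::HKEY_CLASSES_ROOT\ProcessDebugManager.7'
)

$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-RegistryKeyAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Owner = ''; Status = 'Missing'; Detail = '' }
    }

    # Get-Acl needs READ_CONTROL on the key. If even that is denied, take ownership
    # in regedit (Permissions > Advanced > Owner) first and rerun the audit.
    try { $acl = Get-Acl -LiteralPath $Path }
    catch {
        return [pscustomobject]@{ Path = $Path; Owner = ''; Status = 'NoAccess'; Detail = $_.Exception.Message }
    }

    $findings = @()
    foreach ($ace in $acl.Access) {
        # A Deny ACE on a key that local admins are supposed to manage is what
        # produces the CreateKey -> ACCESS DENIED seen in the RegMon trace.
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "Deny for $($ace.IdentityReference): $($ace.RegistryRights)"
        }
    }

    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $fullControl) -eq $fullControl)
    }
    if (-not $adminFull) { $findings += 'BUILTIN\Administrators lacks Full Control' }

    [pscustomobject]@{
        Path   = $Path
        Owner  = $acl.Owner
        Status = if ($findings) { 'Suspicious' } else { 'OK' }
        Detail = ($findings -join '; ')
    }
}

function Repair-RegistryKeyAcl {
    # Removes every explicit Deny ACE and grants BUILTIN\Administrators Full Control.
    # Inherited Deny ACEs are not removed here; they must be fixed on the parent key.
    # Supports -WhatIf so the change can be previewed before anything is written.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', $fullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, 'Reset registry key ACL')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Audit first, then preview a repair only for the keys flagged as suspicious.
$report = $keysToAudit | ForEach-Object { Test-RegistryKeyAcl -Path $_ }
$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -eq 'Suspicious' } |
    ForEach-Object { Repair-RegistryKeyAcl -Path $_.Path -WhatIf }
```

Drop `-WhatIf` on the last line to apply the repair. The audit deliberately reports rather than fixes, so that a key whose Deny entry was set on purpose (some products lock their own keys) is reviewed before its permissions are reset; the thread's symptom, an installer's regsvr32 failing on CreateKey under HKCR, is the kind of ACCESS DENIED that warrants that review.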

tashi
2006-03-21, 06:37
Hello.
Please see:
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)

Copy paste the hjt log into this topic and someone will assist you as soon as available.

Regards. :)

0x34h
2006-03-21, 07:14
Here is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:42 PM, on 3/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ntvdm.exe
D:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\0x34\Desktop\Tools\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Transparent] D:\Program Files\TweakNow PowerPack 2006\Transparent.exe 223
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &NeoTrace It! - D:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - D:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


NOTE** The L2M infection has been removed already (refer to http://forums.spybot.info/showthread.php?t=3045). I was just wondering what else the L2M infection might have screwed up in the registry and if anyone here has a detailed list of changes caused by this infection.

Thanks again!
0x34

LonnyRJones
2006-03-22, 14:57
Hi
DebugPrivilege should have been corrected when you ran l2mfix option two
"if anyone here has a detailed list of changes caused by this infection."

L2mfix corrects any changes; I do not have such a list.

tashi
2006-03-29, 01:37
This topic will now be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.