
Thread: need help w/ hard to kill trojan

  1. #41
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default Repair reinstall

    I reinstalled with the repair option, it went almost fine. I got some kind of COM+ error during install, but just an OK button so install continued - it couldn't register COM+ I think it was, or at least similar. I am then not able to login to my usual account due to "account restrictions" it says, same if booting into safe mode, but there it also gives me the Administrator account to select and it let me in with my old password and that's where I am now. I haven't tried yet but probably it will let me in at Administrator also in Safe mode with Network.

    I thought before I do anything stupid now I shall wait for your advice - but don't take too long ;-) The other account is also of admin type, but it has a zero string password, which is stupid I know. It was set up for convenience by the lazy part of me and it has to change of course. But now, I have lots of programs installed in the account so if it can be made functional again it would be great.

    I read that Almanahe.D takes advantage of a blank or weak password, and as it was flagged before I probably should start from Administrator account now and make sure to clean all such out, well I wait for you to play the ball.
    Life on Earth is expensive but it includes a free trip around the Sun every year.

  2. #42
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    HI

    1. The first thing you need to do is visit Windows Update & get at least all the critical/security updates ....

    2. Then make sure you have an anti-virus installed ... AVG free will be fine, and then run a scan with it ....

    3. Make sure you have a 2-way firewall installed...

    4. Run some on-line virus scanners, at least 2 or 3 ...

    Run Bit Defender first ...

    http://www.bitdefender.fr/VIRUS-1000...lmanahe.D.html

    Bit Defender ... http://www.bitdefender.com/scan8/ie.html
    Housecall ... http://housecall.trendmicro.com/
    Panda http://www.pandasecurity.com/usa/hom...a=particulares
    eset ... http://www.eset.eu/online-scanner
    Kaspersky ... http://www.kaspersky.com/virusscanner

    5. Do some Malware scans ...

    spybot
    adaware
    superantispyware

    6. Run & post a Combofix log ... Please follow these directions to run Combofix & post a log.

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Let me know of any problems along the way ...

    Post any logs which show problems ...

    steam
    Last edited by steamwiz; 2008-02-26 at 22:21. Reason: to add URL
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E

  3. #43
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default

    It seems like I still have a serious problem, I cannot run IE, only FF, but the latter is no good for Windows Update.

    I tried to install Windows Installer but it goes to some point and I get an "access denied" error and it rolls back everything.

    Also as I reinstalled from XP SP2 CD now IE6 is installed. It starts but when I try to go to windowsupdate.microsoft.com I get a message "This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel". But what to associate with?

    Installing IE7 also does not work, it prompts me to restart to roll back changes as well and to click a troubleshoot URL, which doesn't work as IE doesn't work.

    I wonder if it can have anything to do with the COM+ error flagged during setup? Or can it possibly be this http://windowssecrets.com/2007/09/27...ents-XP-repair but that fails too: "DllRegisterServer in wuapi.dll failed. Return code was: 0x80070005" does it turn on any light?

    If I just get beyond this I should be pretty well on my own through the scans etc.

  4. #44
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default

    I managed to get IE to start and open WU but there it ends as it fails to install Windows Installer 3.1 - something must be missing or screwed in the registry. Apparently folder options had been messed with, and I assume it's something similar here.

  5. #45
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default

    Ok I think I figured it out basically, the virus changed permissions on certain keys. Question is if there is a somewhat easy way to change them back in batch or it has to be done one by one?

    Like IE7 install wrote a log with unwritable keys.

  6. #46
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    The trouble with a repair install in your case is that Windows doesn't repair the registry ... just the core files ... Those erunt backups may help ... ?

    You should know more about COM+ than me; as far as I'm aware it's used when developing application programs.

    Can't think of anything else to suggest ... my brain's gone dead & I'm tired so I'm off to bed...

    good luck

    steam

  7. #47
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default Some progress

    Yes I know what COM+ is, just wondered if it could affect the system start up in some way, and you know more about that area... anyhow, I have had some progress.

    Obviously a lot of places in the registry have had their permissions changed and possibly even keys deleted, and maybe more keys/values added. I was able to correct most of this with info from this page:
    http://winonline.blogspot.com/2005/1...ssions-to.html

    I didn't follow instructions exactly though as I couldn't run msi files and install the tool, but it's just a command line exe anyway... so I used 7z (superior winzip replacement) to unpack the msi package into its own folder under C:\Program Files and then I created the bat file there and simply double clicked it. Worked as a charm! However there were 6 items that couldn't be reset nor deleted. I am working on that part now.

    But after this I was able to install Windows Installer 3.1 and I was also able to install IE7 (although I had to do it twice to get a complete success) which on first install told me to go to WU after restart and there are 87 patches waiting for me but they all fail to install. The WU fix in above post didn't work first due to permission issues, regsvr32 failed, but after resetting registry permissions I could reg those wu*.dll files but WU still fails. It doesn't say why really but from trying to do other installs, like with IE online scans, I am told it cannot be run in Safe Mode.

    So these are the main obstacles now, to get Windows to understand it actually is not in Safe Mode, and fix, delete probably, those 6 regkeys. As the tool runs in a cmd window it's hard to get any info out but I was able to copy this last part [too much text so in next post] from the buffer by running just the first line in the bat file, maybe it gives you a hint.

    Now as I am somewhat runnable again I will get that file uploaded as well, as it may hold answers to many questions.

  8. #48
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default cmd window dump

    SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding\http://www.microsoft.com/provisioning/Branding : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding\http://www.microsoft.com/provisioning/Branding : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding\http://www.microsoft.com/provisioning/Branding : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1 : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1 : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisionin...ctionPropertiesV1 : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/EapConnectionPropertiesV1 : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/EapConnectionPropertiesV1 : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisionin...onPropertiesV1 : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1 : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1 : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisionin...ectionPropertiesV1 : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1 : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1 : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisionin...tionPropertiesV1 : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help\http://www.microsoft.com/provisioning/Help : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help\http://www.microsoft.com/provisioning/Help : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help\http://www.microsoft.com/provisioning/Help : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations\http://www.microsoft.com/provisioning/Locations : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations\http://www.microsoft.com/provisioning/Locations : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations\http://www.microsoft.com/provisioning/Locations : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master\http://www.microsoft.com/provisioning/Master : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master\http://www.microsoft.com/provisioning/Master : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master\http://www.microsoft.com/provisioning/Master : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register\http://www.microsoft.com/provisioning/Register : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register\http://www.microsoft.com/provisioning/Register : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register\http://www.microsoft.com/provisioning/Register : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID\http://www.microsoft.com/provisioning/SSID : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID\http://www.microsoft.com/provisioning/SSID : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID\http://www.microsoft.com/provisioning/SSID : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1 : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1 : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisionin...erPropertiesV1 : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/EapUserPropertiesV1 : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/EapUserPropertiesV1 : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisionin...erPropertiesV1 : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1 : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1 : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisionin...erPropertiesV1 : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1 : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1 : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisionin...erPropertiesV1 : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfile : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfile : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfile : 2 change(s)
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfile\http://www.microsoft.com/provisioning/WirelessProfile : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfile\http://www.microsoft.com/provisioning/WirelessProfile : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfile\http://www.microsoft.com/provisioning/WirelessProfile : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17} : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17} : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17} : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Parameters : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Parameters : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Parameters : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Parameters\Tcpip : delete Perm. ACE 2 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Parameters\Tcpip : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Parameters\Tcpip : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824} : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824} : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824} : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Parameters : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Parameters : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Parameters : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Parameters\Tcpip : delete Perm. ACE 2 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Parameters\Tcpip : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Parameters\Tcpip : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3} : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3} : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3} : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Parameters : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Parameters : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Parameters : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Parameters\Tcpip : delete Perm. ACE 2 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Parameters\Tcpip : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Parameters\Tcpip : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD} : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD} : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD} : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Parameters : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Parameters : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Parameters : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Parameters\Tcpip : delete Perm. ACE 2 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Parameters\Tcpip : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Parameters\Tcpip : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F} : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F} : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F} : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Parameters : delete Perm. ACE 1 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Parameters : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Parameters : 2 change(s)
    SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Parameters\Tcpip : delete Perm. ACE 2 builtin\administrators
    SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Parameters\Tcpip : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Parameters\Tcpip : 2 change(s)

    Elapsed Time: 00 00:05:52
    Done: 280633, Modified 280627, Failed 6, Syntax errors 0
    Last Done : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Parameters\Tcpip
    Last Failed: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials - Unexpected disposition in CObjRegKey::InitObj RegCreateKeyEx. Delete the key please !.. : 5 Access is denied.
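The dump above is the permission-reset tool's console output as the 80-column cmd window wrapped it. As an added example (not code from the thread, and not from the tool's author), the Python below rejoins the wrapped lines, parses each entry, and pulls out the run totals and the key that stayed locked, so a log like this can be checked programmatically instead of by eye. The sample is a constructed subset of the posted dump; nothing about the tool's output format beyond the lines shown is assumed.

```python
import re

# Constructed sample: a subset of the cmd-window dump posted above, kept as the
# 80-column console wrapped it (a line filling all 80 columns continues on the
# next line; the forum also stripped the leading space of continuation lines).
CONSOLE_DUMP = r"""SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : delete Perm. ACE 1 builtin\admin
istrators
SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : new ace for builtin\administrato
rs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov : delete Perm. ACE 1 builtin\administr
ators
SYSTEM\CurrentControlSet\Services\xmlprov : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov : 2 change(s)
SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Paramet
ers\Tcpip : delete Perm. ACE 2 builtin\administrators
SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Paramet
ers\Tcpip : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51
B238242A17}\Parameters\Tcpip : 2 change(s)

Elapsed Time: 00 00:05:52
Done: 280633, Modified 280627, Failed 6, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-
4C69-A2EC-E0194C37955F}\Parameters\Tcpip
Last Failed: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Win
logon\Credentials - Unexpected disposition in CObjRegKey::InitObj RegCreateKeyEx
. Delete the key please !.. : 5 Access is denied.
"""

CONSOLE_WIDTH = 80
ENTRY_RE = re.compile(r"^(?P<key>.+?) : (?P<action>.+)$")
DELETE_RE = re.compile(r"^delete Perm\. ACE (?P<index>\d+) (?P<trustee>.+)$")
NEWACE_RE = re.compile(r"^new ace for (?P<trustee>.+)$")
CHANGES_RE = re.compile(r"^(?P<count>\d+) change\(s\)$")
SUMMARY_RE = re.compile(r"^Done: (?P<done>\d+), Modified (?P<modified>\d+), "
                        r"Failed (?P<failed>\d+), Syntax errors (?P<syntax_errors>\d+)$")
LAST_FAILED_RE = re.compile(r"^Last Failed: (?P<key>.+?) - (?P<reason>.+?) : "
                            r"(?P<code>\d+) (?P<message>.+)$")


def unwrap_console(text, width=CONSOLE_WIDTH):
    """Rejoin lines hard-wrapped by a fixed-width console: a line of exactly
    `width` characters filled its row, so the next line (even an empty one) continues it."""
    out, buf = [], None
    for line in text.splitlines():
        buf = line if buf is None else buf + line
        if len(line) == width:
            continue
        out.append(buf)
        buf = None
    if buf is not None:
        out.append(buf)
    return out


def parse_acl_log(text):
    """Structure the tool's output: ACEs removed/re-added per key, changes per key, run totals, and the key it could not fix."""
    report = {"deleted_aces": [], "new_aces": [], "changed_keys": {},
              "summary": None, "last_failed": None, "unparsed": []}
    for line in unwrap_console(text):
        if not line.strip() or line.startswith(("Elapsed Time:", "Last Done")):
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"] = {k: int(v) for k, v in m.groupdict().items()}
            continue
        m = LAST_FAILED_RE.match(line)
        if m:  # code 5 is the Win32 ERROR_ACCESS_DENIED shown in the post
            report["last_failed"] = {"key": m.group("key"), "reason": m.group("reason"),
                                     "code": int(m.group("code")), "message": m.group("message")}
            continue
        m = ENTRY_RE.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        key, action = m.group("key"), m.group("action")
        if (a := DELETE_RE.match(action)):
            report["deleted_aces"].append((key, int(a.group("index")), a.group("trustee")))
        elif (a := NEWACE_RE.match(action)):
            report["new_aces"].append((key, a.group("trustee")))
        elif (a := CHANGES_RE.match(action)):
            report["changed_keys"][key] = int(a.group("count"))
        else:
            report["unparsed"].append(line)
    return report


def still_locked(report):
    """Key the run could not reset, or None when the summary reports no failures."""
    s = report["summary"]
    return report["last_failed"]["key"] if s and s["failed"] else None


if __name__ == "__main__":
    rep = parse_acl_log(CONSOLE_DUMP)
    print(f"{len(rep['changed_keys'])} keys rewritten; totals: {rep['summary']}")
    print("still locked:", still_locked(rep))
```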

  9. #49
    Member
    Join Date
    Feb 2008
    Posts
    47

    Default

    I found a very suspicious registry entry, the key HKEY_LOCAL_MACHINE\SAM\SAM with several sub keys that certainly is invalid. Question is just if all the sub keys can be deleted or parts are needed. When comparing with my (uninfected) notebook I only have HKEY_LOCAL_MACHINE\SAM\SAM there with no sub keys. The sub keys all have binary data in it. Here is a shorter sample of a regexport:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SAM\SAM]

    [HKEY_LOCAL_MACHINE\SAM\SAM\Domains]
    @=hex(0):

    [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account]

    [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases]
    @=hex(6):

    Please advise?

  10. #50
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    Don't touch anything in the SAM key ...

    [HKEY_LOCAL_MACHINE\SAM\SAM]

    I don't see anything wrong with those sub keys values ( I'm not 100%, but I am 99% sure they are OK) touch them & you may not get into any of your accounts ...

    Your notebook shows this only ... [HKEY_LOCAL_MACHINE\SAM]

    Because the rest of the key is hidden ...

    Do this & you will see a lot more :-

    right-click the second SAM Key, choose "Permissions" highlight the "Administrator" and click the "Full Control" box, click "Apply" and "OK", then close and re-open Regedit.
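The comparison the poster made (a regedit export from the suspect machine against one from a clean notebook) can be automated. As an added example, not from the thread, the Python below parses "Windows Registry Editor Version 5.00" exports, including the backslash-continued hex lines and typed empty values such as hex(0): and hex(6):, and diffs two of them. The exports are constructed with placeholder bytes, and, following the reply above, a key absent from the reference export is reported as a difference to look at, not as proof that the suspect key is bogus.

```python
import re

# Constructed samples: the key layout the post above reports (the suspect PC
# shows subkeys under SAM\SAM, the clean notebook shows none). The hex data is
# shortened placeholder bytes, not the real values from the post.
SUSPECT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM]
"C"=hex:07,00,01,00,\
  00,00,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains]
@=hex(0):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account]
"F"=hex:02,00,01,00
"V"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases]
@=hex(6):
"""
NOTEBOOK_EXPORT = "Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SAM\\SAM]\n"

# Registry value type codes as regedit writes them in hex(<type>): data.
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 6: "REG_LINK", 7: "REG_MULTI_SZ"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<body>.*)$")


def join_continuations(lines):
    """A value line ending in a backslash continues on the next, indented line."""
    out, buf = [], None
    for raw in lines:
        line = raw.rstrip()
        if buf is not None:
            line, buf = buf + line.lstrip(), None
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append(line)
    if buf is not None:
        out.append(buf)
    return out


def decode_value(data):
    """Decode one value's data field into (type name, Python value)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:  # plain hex: is REG_BINARY (3); hex(N): carries the type explicitly
        rtype = int(m.group("type"), 16) if m.group("type") else 3
        return REG_TYPES.get(rtype, f"REG_TYPE_{rtype}"), bytes.fromhex(m.group("body").replace(",", ""))
    return "UNKNOWN", data


def parse_reg_export(text):
    """Parse a regedit 5.00 export into {key path: {value name: (type, value)}};
    a key's default value is stored under the empty name."""
    lines = join_continuations(text.splitlines())
    if not lines or not lines[0].startswith("Windows Registry Editor Version"):
        raise ValueError("not a regedit 5.00 export")
    export, current = {}, None
    for line in lines[1:]:
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            export.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            export[current]["" if name == "@" else name[1:-1]] = decode_value(m.group("data"))
    return export


def diff_exports(reference, suspect):
    """Compare two parsed exports. A key listed only_in_suspect is not proof of
    tampering: as the reply above notes, SAM\\SAM is normally hidden from
    Administrators by its ACL, so the reference export may simply not have
    been able to read it."""
    ref_keys, sus_keys = set(reference), set(suspect)
    report = {"only_in_reference": sorted(ref_keys - sus_keys),
              "only_in_suspect": sorted(sus_keys - ref_keys), "changed_values": []}
    for key in sorted(ref_keys & sus_keys):
        for name in sorted(set(reference[key]) | set(suspect[key])):
            if reference[key].get(name) != suspect[key].get(name):
                report["changed_values"].append((key, name))
    return report


if __name__ == "__main__":
    result = diff_exports(parse_reg_export(NOTEBOOK_EXPORT), parse_reg_export(SUSPECT_EXPORT))
    print("only in suspect export:", *result["only_in_suspect"], sep="\n  ")
```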
