Thread: Can't alter registry key ???

  #1  Junior Member (Join Date: Mar 2006, Posts: 11)

    Can't alter registry key ???

    I installed Visual Studio 8 (2005) and found that I liked my old version better. I removed VS8 and reinstalled VS6. However, the installer fails because it cannot register the "PDM.DLL." This is the Program Debugger DLL. I used RegMon to see what was happening with the following result:


    3575 22.11528969 regsvr32.exe:2608 OpenKey HKCR SUCCESS Access: 0x2000000
    3576 22.11536980 regsvr32.exe:2608 CreateKey HKCR\ProcessDebugManager.7 ACCESS DENIED Access: 0x2 BIGGIN\0x34
    3577 22.11540222 regsvr32.exe:2608 CreateKey HKCR\ProcessDebugManager.7 ACCESS DENIED Access: 0x2 BIGGIN\0x34
    3578 22.11541367 regsvr32.exe:2608 CloseKey HKCR SUCCESS


    I entered the registry and found that I cannot change or alter either of these two keys:

    ProcessDebugManager
    ProcessDebugManager.7


    Now, I recently removed an L2M infection, which did alter my administrative account keys. Is it possible that it still has me locked out of altering other things in my registry?

    Any help here would be GREATLY appreciated!!!!!!!!!!!

  #2  Junior Member (Join Date: Mar 2006, Posts: 11)

    Also, I used RegMon to locate 3 other keys which had their administrative options altered. All of the keys were Debug associated (as was the SeDebugPrivilege key, which was altered by L2M). I reset all the keys to their normal settings and have had no further trouble.

    However, I wonder what else the L2M infection might have screwed with. Does anyone have a detailed list of changes this infection causes?

    Thanks in advance!

    0x34
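The check the two posts above describe doing by hand in RegMon and Regedit, as an added PowerShell example that is not from the original thread: it reads the DACL of the two keys named in the RegMon trace and reports any Deny entry or missing Administrators write right that would explain the ACCESS DENIED. The key names come from the trace; the account name and the rights checked are assumptions, and the script only reads, it changes nothing.

```powershell
# Added example (not from the thread): audit the DACL on the registry keys that
# regsvr32 could not write and report anything that would block an administrator.
# Key names are taken from the RegMon trace; everything else is an assumption.
# Read-only: it reports, it does not modify any ACL.

$keys = @(
    'Registry::HKEY_CLASSES_ROOT\ProcessDebugManager',
    'Registry::HKEY_CLASSES_ROOT\ProcessDebugManager.7'
)

# Access 0x2 in the RegMon CreateKey line is KEY_SET_VALUE; registering a COM
# server also needs KEY_CREATE_SUB_KEY, so check for both.
$needed = [System.Security.AccessControl.RegistryRights]::SetValue -bor [System.Security.AccessControl.RegistryRights]::CreateSubKey

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key : key not found"
        continue
    }
    $acl = Get-Acl -Path $key
    Write-Output "== $key (owner: $($acl.Owner))"

    foreach ($rule in $acl.Access) {
        # An explicit Deny entry wins over any Allow entry, so a Deny aimed at
        # Administrators or Everyone produces exactly the ACCESS DENIED seen in RegMon.
        $flag = ''
        if ($rule.AccessControlType -eq 'Deny') { $flag = '  <-- DENY entry' }
        Write-Output ('  {0,-6} {1,-30} {2}{3}' -f $rule.AccessControlType,
            $rule.IdentityReference.Value, $rule.RegistryRights, $flag)
    }

    # Does BUILTIN\Administrators hold an Allow entry covering the needed rights?
    $adminAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $needed) -eq $needed)
    }
    if (-not $adminAllow) {
        Write-Output '  Administrators lack SetValue/CreateSubKey here: regsvr32 will fail'
    }
}
```

Run it from an elevated prompt; a Deny entry or a missing Administrators Allow entry on either key is the condition to correct (Regedit, Permissions) before running regsvr32 again.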

  #3  tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,492)

    Hello.
    Please see:
    Before you post a log, and who will advise you.

    Copy paste the hjt log into this topic and someone will assist you as soon as available.

    Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  #4  Junior Member (Join Date: Mar 2006, Posts: 11)

    Here is my HiJackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:05:42 PM, on 3/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\Belkin\Nostromo\nost_LM.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\ntvdm.exe
    D:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE
    D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Norton AntiVirus\OPScan.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\0x34\Desktop\Tools\HijackThis.exe

    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Transparent] D:\Program Files\TweakNow PowerPack 2006\Transparent.exe 223
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &NeoTrace It! - D:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - D:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    NOTE** The L2M infection has been removed already (refer to http://forums.spybot.info/showthread.php?t=3045). I was just wondering what else the L2M infection might have screwed up in the registry and if anyone here has a detailed list of changes caused by this infection.

    Thanks again!
    0x34
    Last edited by LonnyRJones; 2006-03-21 at 17:25. Reason: Edit to remove bold, Hard on the eyes

  #5  Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi
    DebugPrivilege should have been corrected when you ran l2mfix option two
    "if anyone here has a detailed list of changes caused by this infection."

    L2mfix corrects any changes, I do not have such a list

  #6  tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,492)

    This topic will now be archived to prevent others with similar issues posting in it.
    If you need it re-opened please send me a pm and provide a link to the thread.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
