need help w/ hard to kill trojan

Repair reinstall

I reinstalled with the repair option, and it went almost fine. I got some kind of COM+ error during install, but just an OK button, so the install continued; it couldn't register COM+ I think it was, or at least something similar. I am then not able to log in to my usual account due to "account restrictions", it says; the same happens if I boot into Safe Mode, but there it also gives me the Administrator account to select, and it let me in with my old password, and that's where I am now. I haven't tried yet, but probably it will let me in as Administrator also in Safe Mode with Networking.

I thought before I do anything stupid now I shall wait for your advice - but don't take too long ;-) The other account is also of admin type, but it has a zero-string password, which is stupid I know. It was set up for convenience by the lazy part of me and it has to change of course. But now, I have lots of programs installed in the account, so if it can be made functional again it would be great.

I read that Almanahe.D takes advantage of a blank or weak password, and as it was flagged before I probably should start from the Administrator account now and make sure to clean all such out. Well, I wait for you to play the ball.
 
Hi

1. The first thing you need to do is visit Windows Update & get at least all the critical/security updates ....

2. Then make sure you have an anti-virus installed ... AVG free will be fine, and then run a scan with it ....

3. Make sure you have a 2-way firewall installed...

4. run some on-line virus scanners, at least 2 or 3 ...

Run Bit Defender first ...

http://www.bitdefender.fr/VIRUS-1000219-fr--Win32.Almanahe.D.html

Bit Defender ... http://www.bitdefender.com/scan8/ie.html
Housecall ... http://housecall.trendmicro.com/
Panda http://www.pandasecurity.com/usa/homeusers/solutions/activescan/?sitepanda=particulares
eset ... http://www.eset.eu/online-scanner
Kaspersky ... http://www.kaspersky.com/virusscanner

5. Do some Malware scans ...

spybot
adaware
superantispyware

6. Run & post a Combofix log ... Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Let me know of any problems along the way ...

Post any logs which show problems ...

steam
 
It seems like I still have a serious problem: I cannot run IE, only FF, but the latter is no good for Windows Update :sad:

I tried to install Windows Installer but it gets to some point and I get an "access denied" error and it rolls back everything.

Also, as I reinstalled from the XP SP2 CD, IE6 is now installed. It starts, but when I try to go to windowsupdate.microsoft.com I get a message "This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel". But what to associate it with?

Installing IE7 also does not work; it prompts me to restart to roll back changes as well and to click a troubleshoot URL, which doesn't work as IE doesn't work.

I wonder if it can have anything to do with the COM+ error flagged during setup? Or can it possibly be this: http://windowssecrets.com/2007/09/27/03-Stealth-Windows-update-prevents-XP-repair - but that fails too: "DllRegisterServer in wuapi.dll failed. Return code was: 0x80070005". Does it turn on any light?

If I just get beyond this I should be pretty well on my own through the scans etc.
 
I managed to get IE to start and open WU, but there it ends as it fails to install Windows Installer 3.1 - something must be missing or screwed up in the registry. Apparently folder options had been messed with, and I assume it's something similar here.
 
Ok, I think I figured it out basically: the virus changed permissions on certain keys. Question is if there is a somewhat easy way to change them back in batch or whether it has to be done one by one?

Like the IE7 install wrote a log with unwritable keys.
 
The trouble with a repair install in your case is that Windows doesn't repair the registry ... just the core files ... Those ERUNT backups may help ... ?

You should know more about COM+ than me; as far as I'm aware it's used when developing application programs.

Can't think of anything else to suggest ... my brain's gone dead & I'm tired so I'm off to bed...

good luck

steam
 
Some progress

Yes, I know what COM+ is :crowned: I just wondered if it could affect the system start-up in some way, and you know more about that area... Anyhow, I have had some progress.

Obviously a lot of places in the registry have had their permissions changed and possibly even keys deleted, and maybe more keys/values added. I was able to correct most of this with info from this page:
http://winonline.blogspot.com/2005/11/reset-entire-registry-permissions-to.html

I didn't follow the instructions exactly though, as I couldn't run msi files and install the tool, but it's just a command-line exe anyway... so I used 7z (superior WinZip replacement) to unpack the msi package into its own folder under C:\Program Files, and then I created the bat file there and simply double-clicked it. Worked like a charm! However, there were 6 items that couldn't be reset nor deleted. I am working on that part now.

But after this I was able to install Windows Installer 3.1 and I was also able to install IE7 (although I had to do it twice to get a complete success), which on first install told me to go to WU after restart, and there are 87 patches waiting for me, but they all fail to install. The WU fix in the above post didn't work at first due to permission issues (regsvr32 failed), but after resetting registry permissions I could reg those wu*.dll files, but WU still fails. It doesn't say why really, but from trying to do other installs, like the IE online scans, I am told it cannot be run in Safe Mode.

So those are the main obstacles now: to get Windows to understand it is not actually in Safe Mode, and to fix, probably delete, those 6 reg keys. As the tool runs in a cmd window it's hard to get any info out, but I was able to copy this last part [too much text, so in next post] from the buffer by running just the first line in the bat file; maybe it gives you a hint.

Now, as I am somewhat runnable again, I will get that file uploaded as well, as it may hold answers to many questions.
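A read-only way to find the kind of registry ACL tampering described in this post (Administrators stripped of Full Control or explicitly denied, plus keys that cannot be opened at all, like the six the reset tool could not fix). This is an added example, not code from the thread or from the permission-reset tool; the default root is the Winlogon key the tool reported as failed, and any other root is an assumption you supply.

```powershell
# Added example, not from the thread: read-only audit of registry key ACLs.
# Reports keys where BUILTIN\Administrators is denied or lacks Full Control,
# and keys whose ACL cannot even be read. Run from an elevated PowerShell.
param(
    [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Resolve the well-known SID so the check does not depend on the display language.
$adminsSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminsName  = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-KeyAcl {
    # Returns $null when the key looks healthy, otherwise an object describing the finding.
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Reading the DACL needs READ_CONTROL; a denied read is itself a finding.
        return New-Object PSObject -Property @{
            Key = $Path; Finding = 'Cannot read ACL'; Detail = $_.Exception.Message }
    }
    $adminRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $adminsName })
    $deny = @($adminRules | Where-Object { $_.AccessControlType -eq 'Deny' })
    if ($deny.Count -gt 0) {
        return New-Object PSObject -Property @{
            Key = $Path; Finding = 'Deny ACE for Administrators'
            Detail = ($deny | ForEach-Object { $_.RegistryRights }) -join ', ' }
    }
    $full = @($adminRules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $fullControl) -eq $fullControl) })
    if ($full.Count -eq 0) {
        # Generic rights (GENERIC_ALL) are not expanded here; a key granted only
        # generic rights is reported and should be checked by hand.
        return New-Object PSObject -Property @{
            Key = $Path; Finding = 'Administrators lack Full Control'
            Detail = ($adminRules | ForEach-Object { "$($_.AccessControlType):$($_.RegistryRights)" }) -join ', ' }
    }
    return $null
}

function Get-RegistryAclFindings {
    param([string]$RootPath)
    $findings = @()
    $f = Test-KeyAcl $RootPath
    if ($f) { $findings += $f }
    # Keys that cannot be enumerated into are collected via -ErrorVariable instead of being lost.
    $errs = @()
    $subKeys = Get-ChildItem -LiteralPath $RootPath -Recurse -ErrorAction SilentlyContinue -ErrorVariable errs
    foreach ($k in $subKeys) {
        $f = Test-KeyAcl ('Registry::' + $k.Name)
        if ($f) { $findings += $f }
    }
    foreach ($e in $errs) {
        $target = $e.TargetObject
        if (-not $target) { $target = $e.CategoryInfo.TargetName }
        $findings += New-Object PSObject -Property @{
            Key = "$target"; Finding = 'Cannot enumerate key'; Detail = $e.Exception.Message }
    }
    return $findings
}

$results = @(Get-RegistryAclFindings -RootPath $Root)
if ($results.Count -eq 0) {
    Write-Host "No ACL anomalies under $Root"
} else {
    $results | Select-Object Key, Finding, Detail | Format-Table -AutoSize -Wrap
}
```

Point it at a whole hive (for example HKLM:\SYSTEM) to get a list comparable to what the reset tool printed, without changing anything.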
 
cmd window dump

Elapsed Time: 00 00:05:52
Done: 280633, Modified 280627, Failed 6, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Parameters\Tcpip
Last Failed: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials - Unexpected disposition in CObjRegKey::InitObj RegCreateKeyEx. Delete the key please !.. : 5 Access is denied.
 
I found a very suspicious registry entry, the key HKEY_LOCAL_MACHINE\SAM\SAM with several sub keys that certainly is invalid. Question is just if all the sub keys can be deleted or if parts are needed. When comparing with my (uninfected) notebook I only have HKEY_LOCAL_MACHINE\SAM\SAM there with no sub keys. The sub keys all have binary data in them. Here is a shorter sample of a reg export:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM]
"C"=hex:07,00,01,00,00,00,00,00,98,00,00,00,02,00,01,00,01,00,14,80,78,00,00,\
00,88,00,00,00,14,00,00,00,44,00,00,00,02,00,30,00,02,00,00,00,02,c0,14,00,\
0e,00,05,01,01,01,00,00,00,00,00,01,00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,\
01,00,00,00,00,00,05,07,00,00,00,02,00,34,00,02,00,00,00,00,00,14,00,31,00,\
02,00,01,01,00,00,00,00,00,01,00,00,00,00,00,00,18,00,3f,00,0f,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains]
@=hex(0):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account]
"F"=hex:02,00,01,00,00,00,00,00,5c,24,7c,7e,85,d5,c3,01,82,04,00,00,00,00,00,\
00,00,00,00,00,40,de,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,80,\
00,cc,1d,cf,fb,ff,ff,ff,00,cc,1d,cf,fb,ff,ff,ff,00,00,00,00,00,00,00,00,27,\
04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,03,00,00,00,01,00,\
00,00,01,00,01,00,01,00,00,00,38,00,00,00,ee,ef,8c,47,f0,c7,64,99,c9,84,cb,\
90,7c,cb,e6,cb,f1,55,6c,56,a8,8c,58,d0,96,4a,db,08,07,70,cc,8d,bc,5a,d6,68,\
bc,d9,40,79,a5,a6,e6,38,f4,63,69,53,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00
"V"=hex:00,00,00,00,e0,00,00,00,02,00,01,00,e0,00,00,00,18,00,00,00,00,00,00,\
00,f8,00,00,00,00,00,00,00,00,00,00,00,f8,00,00,00,00,00,00,00,00,00,00,00,\
01,00,14,80,c0,00,00,00,d0,00,00,00,14,00,00,00,44,00,00,00,02,00,30,00,02,\
00,00,00,02,c0,14,00,7a,04,05,01,01,01,00,00,00,00,00,01,00,00,00,00,02,c0,\
14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,7c,00,05,00,00,\
00,00,00,14,00,85,03,02,00,01,01,00,00,00,00,00,01,00,00,00,00,00,00,18,00,\
85,03,02,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,00,00,18,00,df,\
07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,d5,03,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,00,00,18,00,d5,03,02,\
00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,\
04,00,00,00,00,00,05,15,00,00,00,d5,cb,5c,58,fd,43,46,1e,07,e5,3b,2b

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases]
@=hex(6):

Please advise?
 
Don't touch anything in the SAM key ...

[HKEY_LOCAL_MACHINE\SAM\SAM]

I don't see anything wrong with those sub key values (I'm not 100%, but I am 99% sure they are OK); touch them & you may not get into any of your accounts ...

Your notebook shows this only ... [HKEY_LOCAL_MACHINE\SAM]

Because the rest of the key is hidden ...

Do this & you will see a lot more :-

right-click the second SAM Key, choose "Permissions" highlight the "Administrator" and click the "Full Control" box, click "Apply" and "OK", then close and re-open Regedit.
 
So the keys there really should be hidden then? Well, I think I screwed it up again then, as I did touch them, and now I cannot boot as I get an lsass.exe system error: Object not found. I did export a copy of the keys, and I can get into the Recovery Console. Is it possible to execute a .reg file there?

Dammit, I am too impatient!
 
I managed to get back into Safe Mode and should now be able to restore the registry with my backup. Then what I need is to find where and what makes programs think we are in Safe Mode. There must be some flag or something?
 
Ok I am back at the wheel

It appears reg is not, or no longer, a part of the RC on the XP SP2 CD, but I managed the situation anyhow.

This url helped me to get back into windows
http://www.easydesksoftware.com/news/news36.htm

Then I found I had some old registry backups done with ERUNT; I restored the oldest one although it was from before I got it properly cleaned out. With the infected files gone this shouldn't be a problem, and I got back a less "messed by me" registry. I then just booted into Safe Mode and cleaned up the registry again.

But before I did that I once again ran the reset of permissions (URL in earlier post).

I didn't apply your reg fix for authentication though; I checked on my notebook and it looks the same, and it hasn't been infected. So this key was obviously not changed by the infection.

To solve the issue where Windows always thinks it's in Safe Mode, I found and removed a key named .../SafeBoot/Option in all the ControlSet keys.

I was then able to reinstall Windows Installer 3.1 and IE7, but WU didn't quite work yet. I found out that the tip I followed before missed a part. Here is a URL to a more complete solution:
http://www.grq.net/windowsupdate.html

I took advantage of the previous tip though by putting the commands into .bat files.

Now WU worked and I got all updates, and I could also install BitDefender and have done a DeepScan that came out clean.

I will do a few more scans, just to be safe, install my Java and firewall etc., and hope to be back with some final logs tomorrow I guess. Well, last time KAV took 20 hours to scan, but it maybe was due to the infection. Deep scan with BitDefender took 6 hours.

So it seems like I am on the happy side again then :2thumb:
 
Hi

removing the SafeBoot\Option key/value removes the file security tab ... you may be interested in this :-

http://www.terminally-incoherent.com/blog/2007/07/ ... scroll down nearly to the bottom under heading Adding the File Security Tab in XP Home
Adding the File Security Tab in XP Home
Thursday, July 26th, 2007
If you own XP Home you are probably painfully aware of some of its limitations. The home edition of the OS for example won't let you have detailed file access control. The security tab where you can give or deny users permissions on a given file or folder is simply missing from the properties dialog in this version.

Of course you can still modify file access permissions by using simple workarounds like:

Booting into Safe Mode
Using the cacls command on the command line
Using a 3rd party tool such as ACLView
Patching your system with a untested, unofficial patch.
None of these options is convenient, and the last one is particularly unsafe. While this patch does not have to be malicious, it's just too easy to slip a rootkit into this type of system file patch.

Today I found yet another solution, while looking for something completely different. Someone at the MSFN forum simply noticed that you can cheat the system into thinking it is in safe mode by tweaking the registry, and opted to create two reg files. First one to enable the security tab:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

And another one to disable it:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
The change is instant, and does not require a restart. Why do you need to disable it? Because with that dword in place, your XP will be absolutely convinced that it is running in safe mode, and thus won’t let you run certain software, or perform any installations.

The problem with their solution is that you need to remember to click on the second reg file to restore your registry back to normal. So I decided to improve on it with a little shell script that will add that key, wait for you to finish your file access related tasks, and then remove the key before closing:

Code:
@echo off
echo 'Enabling Security Tab'
 
reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /v OptionValue /t REG_DWORD /d 00000001
 
echo 'Please keep this window open while you use the tab. When done, follow the prompts on the screen.'
pause
 
reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /f
You simply run this batch script, then leave it open at the prompt, do what you have to do, then go back and hit enter. The key will be automatically removed as the script closes.
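The batch trick above and the earlier "Windows thinks it is in Safe Mode" problem both hinge on the same key. The following read-only check is an added example, not code from the thread or the quoted blog: it reports SafeBoot\Option in every control set next to two independent boot indicators, so a leftover or planted key (which makes Windows Installer and many setups refuse to run) stands out. Nothing is modified; it assumes an elevated PowerShell on Windows.

```powershell
# Added example, not from the thread: detect a SafeBoot\Option key that is present
# although the session was not actually started in Safe Mode. Read-only.
Add-Type -AssemblyName System.Windows.Forms

function Get-SafeBootState {
    # BootMode wraps GetSystemMetrics(SM_CLEANBOOT): Normal, FailSafe or FailSafeWithNetwork.
    $bootMode = [System.Windows.Forms.SystemInformation]::BootMode.ToString()
    # SAFEBOOT_OPTION (MINIMAL or NETWORK) is only present in the environment of a
    # session that was started in Safe Mode; a normally booted session has none.
    $envOption = [Environment]::GetEnvironmentVariable('SAFEBOOT_OPTION')
    $current = (Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\Select').Current

    $keys = @()
    $controlSets = @(Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' })
    foreach ($cs in $controlSets) {
        $optionPath = "HKLM:\SYSTEM\$($cs.PSChildName)\Control\SafeBoot\Option"
        if (Test-Path -LiteralPath $optionPath) {
            $props = Get-ItemProperty -LiteralPath $optionPath
            $keys += New-Object PSObject -Property @{
                ControlSet        = $cs.PSChildName
                IsCurrent         = ($cs.PSChildName -eq ('ControlSet{0:D3}' -f $current))
                OptionValue       = $props.OptionValue   # 1 = Safe Mode, 2 = Safe Mode with Networking
                UseAlternateShell = $props.UseAlternateShell
            }
        }
    }

    # The key is written by the system only for a Safe Mode boot, so on a normally
    # started session it should not exist in the current control set at all.
    $verdict = 'Normal: no SafeBoot\Option key present'
    if ($keys.Count -gt 0) {
        if ($envOption) {
            $verdict = "Genuine Safe Mode boot (SAFEBOOT_OPTION=$envOption)"
        } else {
            $verdict = 'SUSPECT: SafeBoot\Option exists but this session was not booted into Safe Mode; ' +
                       'installers will refuse to run until the key is removed'
        }
    }
    return New-Object PSObject -Property @{
        BootMode = $bootMode; SafeBootEnv = $envOption; CurrentControlSet = $current
        OptionKeys = $keys; Verdict = $verdict }
}

$state = Get-SafeBootState
$state | Select-Object BootMode, SafeBootEnv, CurrentControlSet, Verdict | Format-List
if ($state.OptionKeys.Count -gt 0) {
    $state.OptionKeys | Select-Object ControlSet, IsCurrent, OptionValue, UseAlternateShell | Format-Table -AutoSize
}
```

Run it before and after the batch script above to confirm the key really was removed, and on a machine that refuses installs to confirm the key is the cause.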
 
Ok but I have XP Pro

One thing I noticed though is that I only have 2 account types, Administrator and Limited, which is the same as for XP Home; Pro is supposed to have other types as well I think, like Power User etc.? Can the Bagle have made changes to the registry that make it appear as if I have XP Home? Right-clicking My Computer and selecting Properties clearly states I have
System:
Microsoft Windows XP
Professional
Version 2002
Service Pack 2

And yes you are right, if I right click a folder or file and select properties, there is no security tab - I think that's what you mean?

But again, my system is Pro and not Home. My registry is probably screwed up in some way for sure. I hope the file I uploaded with the infector can cast some light on what kind of changes this evil thing really does.

Otherwise the system seems to be fine now, although I haven't run many programs yet. Done some scans which have come up clean. Will do a KAV scan now though. I am just a bit fearful of opening IE as it seems to invite all kinds of evil :fear:

 
Oh, by the way, I noticed there is an account not added by me called "ASP.NET Machine A..." but I have a vague idea this once was created by "LogMeIn", which I once tried out but then removed. It's set up as a LUA so should be able to do something bad, and I can probably just delete it.
 
Hi

I guess I never asked you if you had Home or Pro ... FYI I just ran the batch on my XP Home .. works great.

Maybe this is all you need to do to see the security tab in XP Pro

enable Simple File Sharing in Windows XP Professional :-

My Computer >> Tools >> Folder Options >> View >> (scroll to bottom) >> CHECK Use simple file sharing (Recommended)

steam
 