Hidden User in XP registry


2 replies to this topic

#1 plox

Posted 06 December 2009 - 08:46 PM

Hi

I am using XP PRO and have been experiencing all sorts of problems recently (computer turns itself off - corrupt registry - program not being able to register objects - not able to run repair).

I have run Combofix several times, a-squared HiJackfree, OTL and thought that I had overcome the problems, but there is a persistent hidden entry in my registry reported by Combofix which defies removal or keeps coming back:

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-1614895754-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5244C3BC-C6BF-2399-C52E-784649D38C13}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hagmhnmhpliaikoh"=hex:6a,61,6e,6b,6d,6e,61,6e,65,65,62,66,65,6e,67,6b,6e,70,
69,66,00,00
"iamnbngpenmpnjaana"=hex:6a,61,6e,6b,6d,6e,61,6e,65,65,62,66,65,6e,67,6b,6e,70,
69,66,00,e3

Using Autoruns, it is being loaded under the Explorer tag:
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
the corresponding key name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5244C3BC-C6BF-2399-C52E-784649D38C13}

Unfortunately I deleted one of the keys and Regedit now tells me: Cannot open 5244C3BC-C6BF-2399-C52E-784649D38C13} Error while opening key.

I have no idea of how this user got created and what harm it's doing to my machine.

a-squared also lists these items under Explorer Addons but the location is blank:
Encryption Context Menu
IE User Assist
Shell Autoplay for Sideshows
Shell Extensions for File Compression
Task bar and start menu
User accounts

Autoruns also has these entries:
Display Panning CPL Extension File not found: deskpan.dll
Display Panning CPL Extension File not found: deskpan.dll

Please let me know what other information you need and any steps /advice that I can take to permanently get rid of this.

Much appreciated

PS downloaded the DDS program from another post but it opens up with Notepad.

#2 Layback Bear


Posted 07 December 2009 - 10:06 PM

The programs that you are using are some serious ones. Have you had guidance when using these programs? They can get you in more trouble than out of trouble if used incorrectly.

#3 plox


Posted 08 December 2009 - 01:44 AM

Hello Layback Bear

I've followed instructions on several posts in the forum but no, I've not received any individual advice. No one I consulted locally could work out what was going on. I was quite desperate at the time and so I took it on myself to try to resolve the problems. After using those tools I was able to do a repair of XP and the system is now a lot more stable.

While the computer turning itself off for no apparent reason could be hardware related as it is over four years old - it seems to no longer happen (cross fingers) since I ran those programs and did the repair.

The concern that I have is with this hidden user - Googled the net for the user name but had no luck.

So I now have created a new admin user and am keeping away from the affected user as it seems to only load on that user profile (not Administrator or the new one). Short of formatting the partition, I am not sure what else I can do about it.

I am backing up my drive just in case using Covian as per the instructions if I need to reformat.



