
please help regedit and safemode...please


  • This topic is locked
16 replies to this topic

#1 galib

  • Members
  • 8 posts

Posted 03 March 2010 - 10:58 AM

I am using Win XP SP2 and am facing some problems:

1. regedit and taskman disabled (by admin)
2. Cannot install any kind of antivirus software
3. When I enter safe mode it says error 0x000000007B.
4. I used ComboFix and the report is given in the attachment.
5. gpedit -> User Configuration -> Admin Templates -> System -> Prevent access to registry editing tools -> Disable,
but still cannot access regedit.

Please please send the solution... Thanks.

Attached Files





#2 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 03 March 2010 - 11:11 AM

Greetings galib and Welcome to the Forums,

That combofix log you attached is from the second time you ran it. Can you post the log from the first run please? Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 galib

  • Topic Starter
  • Members
  • 8 posts

Posted 03 March 2010 - 11:39 AM

Thanks a lot... here is the first ComboFix report... please...

Attached Files



#4 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 03 March 2010 - 12:23 PM

Copy the data in the code box below into notepad and save it as FixRegTools.reg
Set File type to "all files"
CODE
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-

Double-click that file and confirm you want to merge it with the registry.

Reboot the computer. On your next reply, let us know if you are having any other issues. Thanks!




#5 galib

  • Topic Starter
  • Members
  • 8 posts

Posted 03 March 2010 - 12:53 PM

Same result... regedit is disabled by your admin. I changed the file types from Tools -> Folder Options -> File Types and set the .REG as "all files". Am I right? I double clicked and it does not give the confirmation to merge... when double clicked it says "regedit is disabled by admin"... please take a look again... thanks

#6 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 03 March 2010 - 01:25 PM

Try it again with your ESET file protection disabled. Make sure you are logged on with "administrator" rights. You might also consider uninstalling Kaspersky unless you are able to keep it disabled for on demand use only.

I know ESET has a file protection component that wrestles with combofix...most often I have users uninstall it during a fix routine. If you still have issues, boot to safe mode and try it there. Post back your results.



#7 galib

  • Topic Starter
  • Members
  • 8 posts

Posted 03 March 2010 - 02:49 PM

I have just updated ComboFix and ran it... It ran without any problems... Then I ran Windows in safe mode. For the first time I was able to access safe mode... In safe mode everything is OK (taskman and regedit). Then I restarted my PC and cannot access safe mode. It again gives the error 0x0000007B.

Then I went into normal mode and ran RegistryFix.exe and I had access to regedit for a few seconds!!!! Then again it was disabled!! Then I copied RegistryFix.exe to every drive and double clicked on it, and regedit was accessible for a few seconds for every drive... Now it gives the same result and is not accessible... What can I do now...? Thanks for your attention...
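The .reg file in post #4 deletes the two policy values that block Task Manager and regedit, and post #7 describes the tell-tale symptom of a live infection: the tools come back for a few seconds and are then locked again, which means something still running is re-writing those values. The script below is an added example and is not from the thread or from any tool it names. It audits both the per-user hive (the path used in post #4) and the per-machine hive, which honours the same value names, removes the values, waits, and re-checks so the re-application shows up as a finding rather than a surprise. The function names, the 60-second wait and the "elevated prompt" assumption are mine; the registry paths and value names are the real ones.

```powershell
# Added example (not the thread's own code): audit, clear and re-check the
# DisableTaskMgr / DisableRegistryTools policy values. Run from an elevated
# PowerShell prompt as the affected user (assumption: PowerShell 2.0 or later).

$PolicyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',  # path from post #4
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   # machine-wide equivalent
)
$PolicyNames = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-ToolLockdown {
    # Returns one record for each lockdown value that exists and is non-zero.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $PolicyNames) {
            $value = $props.$name
            if ($null -ne $value -and $value -ne 0) {
                New-Object PSObject -Property @{ Path = $path; Name = $name; Value = $value }
            }
        }
    }
}

function Clear-ToolLockdown {
    # Deletes each value found; this is what "Name"=- does in a REGEDIT4 file.
    foreach ($finding in (Get-ToolLockdown)) {
        Remove-ItemProperty -Path $finding.Path -Name $finding.Name -ErrorAction Stop
        Write-Host "Removed $($finding.Name) from $($finding.Path)"
    }
}

$before = @(Get-ToolLockdown)
if ($before.Count -eq 0) {
    Write-Host 'No lockdown values present. If regedit is still blocked, the block is not coming from these policy values (post #14 lists a suspect regedit.exe copy, for instance).'
    return
}
Write-Host 'Lockdown values found before cleanup:'
$before | Format-Table Path, Name, Value -AutoSize
Clear-ToolLockdown

# Re-check after a pause. A value that returns within a minute is being
# re-applied by something still running (or by a logon script / GPO), and
# that is where the real cleanup has to happen; the .reg fix alone will not hold.
Start-Sleep -Seconds 60
$after = @(Get-ToolLockdown)
if ($after.Count -gt 0) {
    Write-Warning 'Lockdown values were re-applied after removal; a running process is setting them again.'
    $after | Format-Table Path, Name, Value -AutoSize
} else {
    Write-Host 'Values stayed cleared; Task Manager and regedit should now open for this user.'
}
```

If the values are re-applied, the output of the second check is the evidence to hand to whoever is reviewing the logs: the policy reset is a symptom, not the root cause, which is exactly why the thread moves on to DDS and GMER scans before trying the .reg fix again.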

#8 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 03 March 2010 - 08:45 PM

Let's have a better look at things. Please refrain from using ComboFix anymore unless you can assure me that you have been trained in its proper use and know what to do if things get turned sideways on you by accident.

Please do the following:

Step 1
Please download the free utility DDS.

Disable any script blocker you may have running, then double click dds.scr to run the tool.
  • When it completes, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Step 2
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop
**Caution**

Rootkit scans often produce false positives.

Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.

Please include the following logs in your next reply, Thanks!:
  • DDS.txt
  • Attach.txt
  • ark.txt



#9 galib

  • Topic Starter
  • Members
  • 8 posts

Posted 04 March 2010 - 09:51 AM

Here are the three files (unchecked Show All). Thanks

Attached Files

  • ark.txt (293 bytes)
  • DDS.txt (12.99 KB)
  • Attach.txt (20.94 KB)


#10 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 04 March 2010 - 11:05 AM

Uninstall the following software:
Ask Toolbar

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KillAll::

File::
c:\windows\system32\rrt_vf.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_tn.wav
c:\windows\system32\rrt_is.wav

RootKit::
c:\windows\system32\drivers\jogjrn.sys

Driver::
abp470n5

FireFox::
FF - ProfilePath - c:\docume~1\galib\applic~1\mozilla\firefox\profiles\u6ag15bz.default\
FF - prefs.js: browser.search.selectedEngine -

Folder::
c:\program files\Ask.com

DDS::
mRun: [RRT-Auto] D:\RRT.exe auto



#11 galib

  • Topic Starter
  • Members
  • 8 posts

Posted 04 March 2010 - 11:29 AM

Here is the log...

Attached Files



#12 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 04 March 2010 - 12:36 PM

While I review the log, return to post 4 and repeat those instructions. Post back those results. Thanks!



#13 galib

  • Topic Starter
  • Members
  • 8 posts

Posted 04 March 2010 - 12:53 PM

Same result... I again created FixRegTools.reg according to post 4 and the result is the same... (regedit is disabled by your admin)...

#14 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 04 March 2010 - 06:15 PM

I am suspicious of several remaining files. Based upon some of them listed
here, this could be related to a Virut infection. Virut in its older version(s) can sometimes be removed, but the newer variants are impossible to clean up. Let's not jump the gun just yet, though... I need you to take these files to a free online scanner here. Upload each one of these, one at a time of course, and save the results to post them back here. Thanks!

c:\windows\system32\mlfcache.dat
c:\windows\pchealth\UploadLB\Binaries\UploadM.exe
c:\windows\new_reg.exe
c:\windows\regedit.exe
c:\windows\Installer\182c9c.msi

...by the way, I realize it's possible you used an online regfix tool available at PCTools having the same name as one of those files. However, if you did and found that it failed, then tried step two, then you did it wrong. That could also be part of this issue. If any of that sounds familiar then please search your memory and fill me in on what all you did exactly in the event that we may need to un-do it. Thanks!



#15 galib

  • Topic Starter
  • Members
  • 8 posts

Posted 05 March 2010 - 03:28 AM

I cannot enter http://virscan.org/. I want to copy my valuable data to another HDD, format this one and make the partitions again... Is it possible to get rid of the virus by doing this? Thanks



