
Regedit Disabled + Weird Files


7 replies to this topic

#1 Commander Gman

Commander Gman

  • Members
  • 1,214 posts
  • Gender:Male

Posted 11 June 2007 - 03:33 AM

So I reformatted my computer and here's what happened to it.
I have this file in My Documents (actually 2 of them); they are both folders.
One says "My Folder" & the other says "Rated R Pictures".
I tried to delete "My Folder" but it keeps coming back in My Documents, and then the deleted one is sent to the Recycle Bin.
For "Rated R Pictures", I decided not to delete them, for further reference.
Nothing happens if I double-click on them.
Also, I have a Microsoft Word file on my desktop that can't be deleted; the deleted one goes to the Recycle Bin if you try to delete it (so it actually will duplicate if you delete it).
It also can't be opened.
Here is some info I caught up with:
http://www.castlecops.com/p852087-please_h...what_to_do.html
All 3 of these files are currently on the desktop.
In addition, here's some picture info about the files: (Note: the info shown is also the same for all of the files if you go to Properties, then under the "Version" tab)

Posted Image
And also, if you select Legal Trademarks, it says "<!---D#A#R#K#M#O#O#N--->"

One more issue was Regedit; I can't access it even if I try to use a tool like Remove Restrictions Tool
http://www.softpedia.com/progDownload/RRT-...load-68926.html
Any more ideas?
Even though I am the Administrator of the computer and the only one using this computer.
By the way, also, there was another account that was an Admin I believe; this was jumbled with it, shown after the reformat. The next time I logged in to the computer, when I went to that account, it was similar to a regular account.

Update: I lost my "Run" command in my Start menu. Also need to recover it.

Logfile of HijackThis v1.99.1
Scan saved at 4:11:35 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\lsass.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user 1\Desktop\VGR\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe"
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [] \lsass.exe
O4 - HKLM\..\Run: [WinRun] C:\WINDOWS\AutoRun.ini
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: dllhost.com
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by Commander Gman, 11 June 2007 - 03:52 AM.

Motherboard: MSI P35 Neo-F (Socket 775 LGA) Processor: Intel Core 2 Quad Q6600 @ 2.40 Ghz Kentsfield Chipset: Intel P35 Graphics Card: Nvidia Geforce GT 440 Memory: 2x 2GB DDR2 800 RAM Storage: 1x IDE 80GB, 1x SATA II 500 GB, 1x External 500GB HD Power Supply: 600W Power supply Monitor: Dual screen set-up Casing: Mini-ATX Fan(s): 1x 80mm silent fan OS: Windows XP SP3



#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 June 2007 - 04:28 AM

Hi Commander Gman, :flowers:

We're studying your log and will be back to you a.s.a.p.

Thanks for your patience. :thumbsup:

#3 Commander Gman

Commander Gman
  • Topic Starter

  • Members
  • 1,214 posts
  • Gender:Male

Posted 11 June 2007 - 07:55 PM

Another update:
Posted Image
OK, I have found some more faulty listings in my Start menu that are the same as the files recently mentioned above and must be removed.
2nd, I have this folder in "My Network Places", and if you double-click on that directly you'll see a folder called "Net Folder", again similar, although this must be taken care of first since it hinders me from connecting to BC.
Another one is a Word document in C:\Program Files named "philconst"; although the icon looks old, like previous versions of Word, it is still similar to the rest of the files.
I tried deleting it with several other programs but with no success...

Well...... might as well reformat if I can't get the job done fast....

Edited by Commander Gman, 11 June 2007 - 08:30 PM.



#4 Commander Gman

Commander Gman
  • Topic Starter

  • Members
  • 1,214 posts
  • Gender:Male

Posted 12 June 2007 - 01:16 AM

Even Delete on Reboot using HJT won't work :thumbsup:

Well, sorry to inform you, but I just got a fresh reformat since my PC wouldn't start well.
So everything's back to normal :flowers:



#5 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 June 2007 - 03:06 AM

Hi Commander Gman, :flowers:

Welcome to BleepingComputer Forums.

Well, sorry to inform you, but I just got a fresh reformat since my PC wouldn't start well.
So everything's back to normal


Okay, a good decision I think, since you had some nasty ones such as W32/Lovelet-AD, which includes functionality to access the internet and communicate with a remote server via HTTP.

Don't forget to change your passwords!

Please follow these recommendations in order to prevent future infections:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Use a Firewall. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones click: Understanding and Using Firewalls!

c. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found
here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

d. I recommend you read Tony Klein's excellent article: So how did I get infected in the first place?

e. If you want to fight back the Malware Writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck! :thumbsup:

#6 Commander Gman

Commander Gman
  • Topic Starter

  • Members
  • 1,214 posts
  • Gender:Male

Posted 12 June 2007 - 05:40 AM

Thanks Falu :thumbsup:

Don't forget to change your passwords!

Well, what passwords should I change?
I can only recall the instance of logging in here at BC,
not logging in to my email during the time of the infection.
But unfortunately, I don't know how to change the password here on BC and haven't heard of any way of doing so...
Oh, and one more site... obviously PhotoBucket, since I was uploading the images during the time of the infection.
Any way to solve this?

Turns off anti-virus applications

Well, not really; my AVG was on at that time...

Uses its own emailing engine

Haven't seen it yet.

More or less, my infection was rather something different.
The files point in one direction to where it's originating (actually locally).
This infection, I believe, is coming from the Philippines, and it's rare that one would know how to fix it,
since several methods won't work.... I shouldn't have tried the one in the post and checked the regedit slot to re-enable regedit again :flowers:

Oh, one last thing: do you have the Malware Training Removal Program link here at BC? I lost it. Thanks anyway :huh:

Edited by Commander Gman, 12 June 2007 - 05:59 AM.



#7 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 June 2007 - 03:22 PM

Hi Commander Gman, :thumbsup:

Thanks Falu


You're very welcome.

Don't forget to change your passwords!

Well what passwords should i change?


Actually I was referring to passwords relating to any banking or financial transactions.

This infection, I believe, is coming from the Philippines


I don't know where they came from but you had several infections, nasty ones!!

Oh one last thing,do you have the Malware Training Removal Program link here at BC?



Here it is: Malware Training Removal Program

All the best.

#8 Commander Gman

Commander Gman
  • Topic Starter

  • Members
  • 1,214 posts
  • Gender:Male

Posted 13 June 2007 - 05:05 AM

Actually I was referring to passwords relating to any banking or financial transactions.

Well, luckily, I didn't do anything related at that time :flowers:

I don't know where they came from but you had several infections, nasty ones!!

Being untrained but having a little knowledge of my HJT log, these were the ones that I found crazy:

F2 - REG:system.ini: Shell=explorer.exe "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe" "lsass.exe.exe"


O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

An illegitimate entry, even though I was the admin :thumbsup:


Thanks for everything, Falu.
Might as well close the topic.





