TheTechGuide Forum
General Category => Tech Clinic => Topic started by: flatbush71 on October 16, 2004, 08:23:21 PM
-
Windows Object Recognized!
Type : RegData
Data :
Category : Vulnerability
Comment : Possible unintended lockout from Registry Editor (Regedit access disabled)
Rootkey : HKEY_USERS
Object : S-1-5-21-3207847200-1532886375-2419647484-1003\software\microsoft\windows\currentversion\policies\system
Value : DisableRegistryTools
Data :
Windows Object Recognized!
Type : RegData
Data : explorer.exe,winload16.exe -shell
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe,winload16.exe -shell
flatbush71
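The two findings in that Ad-Aware log are a Winlogon Shell value with a second program appended after explorer.exe, and a DisableRegistryTools policy set under one user's hive. The following read-only PowerShell audit is added here as an illustration; it is not from the thread or from Ad-Aware. It assumes a Windows PowerShell session (the poster's machine was XP, where this would not have been available by default) run with rights to read HKLM and the loaded HKEY_USERS hives. Its only output is a report line per check.

```powershell
# Added example, not from the thread: audit the two registry locations the
# Ad-Aware log flagged. Read-only; it reports and changes nothing.

function Test-WinlogonShell {
    # Winlogon\Shell normally holds exactly "explorer.exe". Anything appended
    # (the log showed "explorer.exe,winload16.exe -shell") is launched together
    # with the desktop shell at every logon.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { return 'OK Shell value absent (Winlogon falls back to explorer.exe)' }
    $entries = $shell -split ',' | ForEach-Object { $_.Trim() }
    $extra   = $entries | Where-Object { $_ -ne 'explorer.exe' }
    if ($extra) { return "SUSPICIOUS Shell = '$shell' (unexpected: $($extra -join '; '))" }
    return "OK Shell = '$shell'"
}

function Test-RegistryToolsPolicy {
    # DisableRegistryTools = 1 under Policies\System blocks Regedit for that user.
    # The log showed it under HKEY_USERS\S-1-5-21-...-1003, i.e. one user's hive,
    # so walk every loaded hive rather than only HKCU.
    $results = @()
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -like '*_Classes') { continue }   # per-user class registrations, not a profile
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
        if ($null -ne $v -and $v -ne 0) {
            $results += "SUSPICIOUS $($hive.PSChildName): DisableRegistryTools = $v (Registry Editor locked out)"
        }
    }
    if ($results.Count -eq 0) { return 'OK DisableRegistryTools not set in any loaded user hive' }
    return $results
}

Test-WinlogonShell
Test-RegistryToolsPolicy
```

On a domain-joined machine a non-zero DisableRegistryTools can be legitimate Group Policy; on a standalone home PC, as in this thread, it is almost always something the user did not set themselves.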
-
Is that from an Ad-Aware log?
Can you post a HijackThis log? I don't recognize winload16.exe.
Create a permanent folder for HijackThis
EG---- Open My Documents----Right click an empty spot and select NEW---Folder----Name the new folder HJT
OR create a folder as C:\HJT---this is where you will want to save HijackThis to; also, backups will be stored there.
download from
HERE (http://aumha.org/downloads/hijackthis.exe)
Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important
-
Can't install it. Won't let me run the ".exe". Like to never got it downloaded, took 7 or 8 tries.
flatbush71
-
Can you download Zip files?
Something is trying to block it
Try this link for the zip file, you will have to unzip it to run it
http://www.majorgeeks.com/download3155.html
or try one of these direct download links for hijackthis.exe
HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe)
or HERE (http://209.133.47.12/~merijn/files/HijackThis.exe)
-
Got that one too, but still can't run the exe to install it.
flatbush71
-
What operating system are you running?
If you're on an NT system, are you logged in with Administrative privileges?
Can you access your Task Manager?
Can you restart into safe mode and run HijackThis?
-
Have you tried running an Online Virus scan?
Housecall's---Set to Autoclean
http://housecall.trendmicro.com/
or do this one too
Panda's
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
-
Ran HouseCall, no virus. Still can't run in safe mode. Whatever I got did something to the administrator settings. On startup I no longer have to log in, it just starts. Have XP.
flatbush71
-
Task Manager, defrag, services, properties of files (at bottom on right click) denied also.
flatbush71
-
HouseCall found nothing; when did this problem start happening?
Can you download this utility called Process Explorer (http://www.sysinternals.com/files/procexpnt.zip)
Unzip it to a folder
Open It>>>This should show you the processes running
Click File>>Save as
Save the log and post it here
Can you use System Restore to a time before this problem started?
START>>>ALL PROGRAMS>>>ACCESSORIES>>>SYSTEM TOOLS>>>SYSTEM RESTORE
Restore your computer to a time before this started happening
I still think it's viral related
You may also want to download and install Registrar Lite
http://www.resplendence.com/reglite
Navigate to these keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Highlight the Run and RunOnce keys; do you recognize all the entries on the right hand side?
Do you recognize
-
One other thing to try
sometimes viruses change the exe file association in the registry
Can you download this zip file and unzip it to your desktop
Double click on it and allow it to merge to the registry----you may have to do this in safe mode
Restart your computer and let me know if things improve
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip
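The helper's last two posts ask the user to inspect the Run/RunOnce keys by eye and to repair the .exe file association with a downloaded .reg file. The PowerShell script below is added here to show what those steps are looking for; it is not from the thread, from Registrar Lite or from the xp_exe_fix download. It lists each autostart entry from Run and RunOnce (HKLM and HKCU, going a little beyond the two HKLM keys the helper named) with the resolved image path and its Authenticode status, and it checks that the .exe association still points at exefile with the standard open command. It assumes PowerShell 3 or later; the expected default values are the normal Windows ones.

```powershell
# Added example, not from the thread: enumerate autostart entries and verify the
# .exe file association. Read-only.

function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties Get-ItemProperty adds for its own bookkeeping, not registry values
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # Executable portion: a quoted path, or else the first token
            # (so "winload16.exe -services", as in the thread, yields winload16.exe)
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            $resolved = $null
            if (Test-Path -LiteralPath $exe) {
                $resolved = (Resolve-Path -LiteralPath $exe).Path
            } else {
                # Bare file name: resolve it the way CreateProcess would, via PATH
                $app = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
                if ($app) { $resolved = $app.Path }
            }
            $sig = if ($resolved) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'FileNotFound' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Image = $resolved; Signature = $sig }
        }
    }
}

function Test-ExeAssociation {
    # Malware of that era rewrote the .exe association so every program launch
    # ran through it and tools like HijackThis were refused. Defaults:
    #   HKCR\.exe (default)                      = exefile
    #   HKCR\exefile\shell\open\command (default) = "%1" %*
    $assoc = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $open  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $findings = @()
    if ($assoc -ne 'exefile') { $findings += "SUSPICIOUS HKCR\.exe default is '$assoc' (expected 'exefile')" }
    if ($open -ne '"%1" %*')  { $findings += "SUSPICIOUS exefile open command is '$open' (expected '""%1"" %*')" }
    if ($findings.Count -eq 0) { return 'OK .exe association intact' }
    return $findings
}

Get-AutostartEntries | Format-Table -AutoSize
Test-ExeAssociation
```

An entry whose image cannot be found, sits outside Program Files or the Windows directory, or is unsigned is what to look at first; the thread's "winload16.exe -services" entry would have shown up that way. If the open command is wrong, it is the .exe association, not the downloaded tools, that is refusing to run, which is why the helper suggests merging the fix from safe mode.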
-
I can find with Registrar lite, but can not delete.
flatbush71
-
Can not run xp_exe_fix.reg, denied.
flatbush71
-
Not sure what you're saying
you found this entry with Registrar lite
winload16.exe
In Reg Lite click on Security at the top and take ownership
Give yourself full control
-
What about Process Viewer, what happened to that log?
Make sure you try running that reg fix in safe mode
-
DriveConfig
winload16.exe -services
In run
This is new and also showing in Ad-Aware
I found the other line but still unable to delete even in safe mode
flatbush71
-
What happened to the log from Process viewer?
-
Got full control, delete returns after, and also resets to 1 after being changed to 0. Process viewer will not run. Yes, found "winload16.exe" with Registrar Lite.
flatbush71
-
Set Windows to Show Hidden Files and Folders (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Do a search for this file
winload16.exe or winload16
It may possibly be in your C:\Windows\System32 folder
Try and delete it if found
If you have trouble deleting it, try right clicking on the file
Security tab>>advanced>>>Take full control of the file
check the box 'Allow inheritable permissions from parent to propagate...'
If you're running XP Pro you will have to disable Simple File Sharing
Make sure you also use the search function of XP
When searching click on the Advanced Options
Ensure there is a check in Hidden Files and Folders
Stay in safe mode
Open Reg Lite
Click Search at the top>>>Search Registry>>Text to Search for--Enter winload16.exe or just winload16
In the Search in box Enter Registry
Click the Spyglass at the bottom to begin the search
The entries on the right you can right click on and jump to the location; export the key to a folder on your hard drive and then delete the key if it looks malicious
I would also try to download the Stinger from McAfee and try running it in safe mode
See if it picks up anything
http://vil.nai.com/vil/stinger/
-
Finally got it!! Let me rename it and reboot, got all back. This one was a real challenge. The file is dated 5/03. Without the ability to stop explorer in
processes it sends you running in circles. I always try to figure out how all these chokes work so I can understand the nature of it. Blocking the processes window put me at a standstill for a few hours. Thank you for all your help, those are some really great utility programs. I can use them in other areas. Thank you again!!!
flatbush71
-
Flatbush, I know from experience that if you have that kind of infection on your computer, there is probably something else too.....
You may want to supply me with that HijackThis log now; let's see what else we can find