"Registry editing is disabled" by virus/trojan


ehgoodrich

I am working on a friend's computer that has been infected for some
time (possibly with the RBOT-ACT trojan as well as other spyware).
After cleaning it up as best I could (ending up installing another copy
of XP on 2nd partition and scanning from there), I still cannot access
Task Manager or edit the registry when booted to the original
partition. I have tried looking at all the usual places suggested in
this group by Kelly, Doug and others. The local and group policies are
NOT being used to prevent access. Anyone have any other ideas where to
look??

A few more details: I can run gpedit.msc to look at the group policy
area and don't see anything unusual. I can also run CP->Admin
Tools->Local Security Policy:nothing there either. I have looked at
all the recommended areas in the original registry (running regedit
from the 2nd XP copy and using Load Hive) and can't see anything
mentioned in any related topics!!!

Any ideas??
emmette
 

David H. Lipman

From: <[email protected]>

| I am working on a friend's computer that has been infected for some
| time (possibly with the RBOT-ACT trojan as well as other spyware).
| After cleaning it up as best I could (ending up installing another copy
| of XP on 2nd partition and scanning from there), I still cannot access
| Task Manager or edit the registry when booted to the original
| partition. I have tried looking at all the usual places suggested in
| this group by Kelly, Doug and others. The local and group policies are
| NOT being used to prevent access. Anyone have any other ideas where to
| look??
|
| A few more details: I can run gpedit.msc to look at the group policy
| area and don't see anything unusual. I can also run CP->Admin
| Tools->Local Security Policy:nothing there either. I have looked at
| all the recommended areas in the original registry (running regedit
| from the 2nd XP copy and using Load Hive) and can't see anything
| mentioned in any related topics!!!
|
| Any ideas??
| emmette

The following tool will verify that you are now clean or it will find and remove any viral
remnants. It should also be able to give you back access to the Registry tools.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 

ehgoodrich

Sorry it took awhile, but I finally got around to looking at this more
closely and discovered the disable of TM and Regedit was being done by
CyberSitter!! It was not evident at first because it does it
dynamically: when CS loads, it adds the Disable strings to
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System and then
it takes them back out on logoff!!! This explains why I didn't see
them when using Load Hive to look at the registry while booted from
another partition.

Anyway, Dave, thanx for the response. I did download Multi_AV and will
save that in my toolkit to use next time...

e
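The thread's finding is that the lockout values were written under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System only while the user was logged on, so an offline hive inspected with Load Hive looked clean. The script below is an added example, not code from the thread or from any tool mentioned in it: it audits the two well-known policy values (DisableTaskMgr and DisableRegistryTools) in the live session, can clear them, and can log the moment something rewrites the value under the current user's hive. The function names, the log file path under $env:TEMP and the event source identifier are assumptions chosen for this example. Run it as the affected account; the policy governs regedit.exe and Task Manager, not the PowerShell registry provider, so the audit works even while the lockout is in place.

```powershell
# Added example (not part of the original thread): audit, clear and watch the
# Policies\System values that disable Task Manager and Registry Editor.
# Run in the live session of the affected user, because software that sets
# these values at logon and removes them at logoff leaves an offline hive clean.

$PolicyValues = @('DisableTaskMgr', 'DisableRegistryTools')   # non-zero = tool disabled
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-ToolLockoutPolicy {
    # Returns one object per (key, value) pair that exists and is non-zero.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $PolicyValues) {
            $data = $props.$name
            if ($null -ne $data -and $data -ne 0) {
                [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
            }
        }
    }
}

function Clear-ToolLockoutPolicy {
    # Removes every value reported by Get-ToolLockoutPolicy; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($hit in Get-ToolLockoutPolicy) {
        if ($PSCmdlet.ShouldProcess("$($hit.Key)\$($hit.Value)", 'Remove policy value')) {
            Remove-ItemProperty -Path $hit.Key -Name $hit.Value
        }
    }
}

function Watch-ToolLockoutPolicy {
    # Logs each change to DisableRegistryTools under the current user's hive so
    # the logon-time write can be caught in the act. WMI's RegistryValueChangeEvent
    # cannot watch HKEY_CURRENT_USER, so the user's SID under HKEY_USERS is used.
    # Needs Windows PowerShell (Register-WmiEvent); stop with
    # Unregister-Event -SourceIdentifier ToolLockout.
    $sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $path = "$sid\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_USERS' " +
             "AND KeyPath='$path' AND ValueName='DisableRegistryTools'"
    Register-WmiEvent -Query $query -SourceIdentifier ToolLockout -Action {
        $e = $Event.SourceEventArgs.NewEvent
        "$(Get-Date -Format o) $($e.ValueName) changed under HKU\$($e.KeyPath)" |
            Out-File -Append -FilePath "$env:TEMP\ToolLockout.log"   # assumed log path
    } | Out-Null
}

# Usage: list what is currently set, then preview the removal before doing it.
Get-ToolLockoutPolicy | Format-Table -AutoSize
Clear-ToolLockoutPolicy -WhatIf
```

If the audit is clean immediately after logon but the tools are still blocked, run Watch-ToolLockoutPolicy and check the log after the next logon: a timestamped entry shows that some startup component is writing the value dynamically, which points the investigation at the Run keys, services and scheduled tasks of that user rather than at the hive on disk.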
 
