WUGNET, the Windows User Group Network
Pb registry after viral attack

leonardmor (Since: Jan 22, 2005, Posts: 2)
(Msg. 1) Posted: Sat Jan 22, 2005 10:09 am
Post subject: Pb registry after viral attack
Archived from groups: microsoft.public.windowsnt.registry

Hi,

Following a viral attack on a Windows NT/SP6 station, I was able to identify
the worm (Win32.Darby.J) and eliminate all traces when logged in as an
administrator. However, when I log in to the account which was open when the
attack occurred I still get a message "The file
"CTVWIEK040A.COM" (or one of its components) is missing. Verify that the
path and the file name is correct. etc.".

Effectively, this is the name of the worm that was downloaded and which I
deleted. One of the side effects of this worm is to disable the registry
tools, so I can no longer execute Regedit.exe or regedt32.exe under the
session.
I imagine that there is still a reference to the file in
HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

However, I can execute Regedit.exe or Regedt32.exe as an administrator, but
I can no longer find any trace of the worm name. Furthermore,
according to Computer Associates, the keys to disable the registry tools are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1

and

HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\DisableRegistryTools = 1

However, I can't find these keys in Windows NT.

Can anyone suggest a means of getting around this problem?
I can create a new account which functions normally. Should I just delete
the faulty account and recreate it?

Cheers,
--
Len
wetink444 (Since: Nov 02, 2004, Posts: 4)
(Msg. 2) Posted: Sat Jan 22, 2005 5:10 pm
Post subject: Re: Pb registry after viral attack

In article <472DF72D-FB03-4FD4-A5F6-BC5ED1F4CD6B RemoveThis @microsoft.com>,
LeonardMOR RemoveThis @discussions.microsoft.com says...
 > [snip]
At this web site on line 275 there is a vbs script that may fix you up.
http://www.kellys-korner-xp.com/xp_tweaks.htm
leonardmor (Since: Jan 22, 2005, Posts: 2)
(Msg. 3) Posted: Sun Jan 23, 2005 5:55 am
Post subject: Re: Pb registry after viral attack

David,

Thanks for your hint. This solved my problem and I was particularly
interested in the tools available on the site.

After reflection, this was obviously the way to go. It was necessary to open
the session in the name of the account that had the problem. And then use
some means to get at the HKLM registers.

Thanks again,
Len MOR
"David Smith" wrote:

 > In article <472DF72D-FB03-4FD4-A5F6-BC5ED1F4CD6B RemoveThis @microsoft.com>,
 > LeonardMOR RemoveThis @discussions.microsoft.com says...
  > > [snip]
 > At this web site on line 275 there is a vbs script that may fix you up.
 > http://www.kellys-korner-xp.com/xp_tweaks.htm
sfzhi (Since: Jan 23, 2005, Posts: 1)
(Msg. 4) Posted: Sun Jan 23, 2005 12:35 pm
Post subject: Re: Pb registry after viral attack

"Leonard MOR" <LeonardMOR RemoveThis @discussions.microsoft.com> wrote in message
news:472DF72D-FB03-4FD4-A5F6-BC5ED1F4CD6B@microsoft.com...
 > Hi,
 >
 > Following a viral attack on a Windows NT/SP6 station, I was able to identify
 > the worm (Win32.Darby.J) and eliminate all traces when logged in as an
 > administrator. However, when I log in to the account which was open when the
 > attack occurred I still get a message "The file
 > "CTVWIEK040A.COM" (or one of it's components) is missing. Verify that the
 > path and the file name is correct. etc.".
 >
 > Effectively, this the name of the worm that was downloaded and which I
 > deleted. One of the side effects of this worm is to disable the the registry
 > tools so I can no longer excecute Regedit.exe or regedt32.exe under the
 > session.
 > I imagine that there is still a reference to the file in
 > HKCU\Software\Microsoft\Windows\Currentversion\Run.
 >
 > However, I can execute Regedit.exe or Regedt32.exe as an administrator, but
 > I can no longer find any trace of the worm name. Furthermore,
 > according to Computer Associates, the keys to disable the registry tools are :
 >
 > HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
 >
 > and
 >
 > HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\DisableRegistryTools = 1
 >
 > However, I can't find these keys in Windows NT.

That is what normally should happen. You can't find either of those keys,
because when you are logged in as administrator you are looking at the
administrator's HKCU. You should look at the HKCU of the user that was infected.
Most likely the registry part of that user is not loaded (and it shouldn't
be unless there are applications running as that user). You can use "Load
Hive" in regedt32 to load the user's "ntuser.dat" file manually (into HKEY_USERS
or HKEY_LOCAL_MACHINE). But don't forget to unload it when you are done with
editing.

 > Can anyone suggest a means of getting around this problem.
 > I can create a new account which functions normally. Should I just delete
 > the faulty account and create it?
 >
 > Cheers,
 > --
 > Len
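The procedure sfzhi describes (load the affected user's ntuser.dat under HKEY_USERS, inspect that user's branch instead of the administrator's HKCU, unload when done) together with the two things Len is looking for (the DisableRegistryTools policy value and the dangling Run entry that still names the deleted file) can be scripted. The following is an added example written for this thread, not code from the thread or from any of the sites it links; it uses reg.exe to load and unload the hive because PowerShell has no native cmdlet for that. The profile path and the mount name are assumptions; on NT 4 the profile would live under %SystemRoot%\Profiles rather than C:\Users. Note that the real key name is "Windows NT" with a space, not "WindowsNT" as the Computer Associates write-up is quoted above.

```powershell
# Added example (not from the thread): inspect and repair another user's
# profile hive offline. Run elevated, and only while that user is NOT logged
# on (a logged-on user's ntuser.dat is locked and "reg load" will fail).
param(
    [string]$ProfilePath = 'C:\Users\infecteduser',  # assumed; NT4: %SystemRoot%\Profiles\<user>
    [string]$MountName   = 'CleanupHive',            # assumed temporary name under HKEY_USERS
    [switch]$Fix                                     # without -Fix the script only reports
)

$hiveFile = Join-Path $ProfilePath 'ntuser.dat'
if (-not (Test-Path -LiteralPath $hiveFile)) { throw "No ntuser.dat at $hiveFile" }

# 1. Load the user's hive as HKEY_USERS\<MountName> (same as "Load Hive" in regedt32)
& reg.exe load "HKU\$MountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (is the user still logged on?)' }

try {
    $base = "Registry::HKEY_USERS\$MountName"

    # 2. The two policy locations named in the thread. A non-zero
    #    DisableRegistryTools here is why regedit refuses to start for that user.
    $policyKeys = @(
        "$base\Software\Microsoft\Windows\CurrentVersion\Policies\System",
        "$base\Software\Microsoft\Windows NT\CurrentVersion\Policies\System"
    )
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).DisableRegistryTools
        if ($null -ne $val -and $val -ne 0) {
            Write-Output "DisableRegistryTools=$val at $key"
            if ($Fix) { Remove-ItemProperty -LiteralPath $key -Name 'DisableRegistryTools' }
        }
    }

    # 3. Per-user autostart entries: report any whose target file no longer
    #    exists. That is exactly the state Len describes: the worm file was
    #    deleted, but its Run value survived and produces the "file is missing"
    #    dialog at every logon of the affected account.
    $runKeys = @(
        "$base\Software\Microsoft\Windows\CurrentVersion\Run",
        "$base\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not registry values
            $cmd = [string]$p.Value
            # Executable is the quoted first token, or the text up to the first space
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                Write-Output "Dangling autostart '$($p.Name)' -> $cmd  ($key)"
                if ($Fix) { Remove-ItemProperty -LiteralPath $key -Name $p.Name }
            }
        }
    }
}
finally {
    # 4. Drop any provider handles and unload the hive, as the reply stresses.
    #    A hive left loaded blocks that user from logging on with their profile.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

Run it once without -Fix to see what it would remove; unquoted paths containing spaces (or commands that rely on PATH lookup) will be reported as dangling, so review the output before rerunning with -Fix. Since the hive is edited offline, nothing needs to run as the affected user, which avoids executing whatever else may still be wired into that profile.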
wetink444 (Since: Nov 02, 2004, Posts: 4)
(Msg. 5) Posted: Sun Jan 23, 2005 4:45 pm
Post subject: Re: Pb registry after viral attack

In article <67852FF1-1F39-4BDD-80B1-488AEC7EE196.RemoveThis@microsoft.com>,
LeonardMOR.RemoveThis@discussions.microsoft.com says...
 > [snip]
You're right, that is a great site. There is a link there to "Doug's"
site. This too might be something you would be interested in.
Good luck,
David Smith