Pb registry after viral attack

Archived from groups: microsoft.public.windowsnt.registry

Hi,

Following a viral attack on a Windows NT/SP6 station, I was able to identify
the worm (Win32.Darby.J) and eliminate all traces when logged in as an
administrator. However, when I log in to the account which was open when the
attack occurred I still get a message "The file
"CTVWIEK040A.COM" (or one of its components) is missing. Verify that the
path and the file name is correct. etc.".

Effectively, this is the name of the worm that was downloaded and which I
deleted. One of the side effects of this worm is to disable the registry
tools, so I can no longer execute Regedit.exe or regedt32.exe under the
session.
I imagine that there is still a reference to the file in
HKCU\Software\Microsoft\Windows\Currentversion\Run.

However, I can execute Regedit.exe or Regedt32.exe as an administrator, but
I can no longer find any trace of the worm name. Furthermore,
according to Computer Associates, the keys to disable the registry tools are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1

and

HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\DisableRegistryTools = 1

However, I can't find these keys in Windows NT.

Can anyone suggest a means of getting around this problem?
I can create a new account which functions normally. Should I just delete
the faulty account and re-create it?

Cheers,
--
Len

In article <472DF72D-FB03-4FD4-A5F6-BC5ED1F4CD6B@microsoft.com>,
LeonardMOR@discussions.microsoft.com says...
> Hi,
>
> Following a viral attack on a Windows NT/SP6 station, I was able to identify
> the worm (Win32.Darby.J) and eliminate all traces when logged in as an
> administrator. However, when I log in to the account which was open when the
> attack occurred I still get a message "The file
> "CTVWIEK040A.COM" (or one of its components) is missing. Verify that the
> path and the file name is correct. etc.".
>
> Effectively, this is the name of the worm that was downloaded and which I
> deleted. One of the side effects of this worm is to disable the registry
> tools, so I can no longer execute Regedit.exe or regedt32.exe under the
> session.
> I imagine that there is still a reference to the file in
> HKCU\Software\Microsoft\Windows\Currentversion\Run.
>
> However, I can execute Regedit.exe or Regedt32.exe as an administrator, but
> I can no longer find any trace of the worm name. Furthermore,
> according to Computer Associates, the keys to disable the registry tools are:
>
> HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
>
> and
>
> HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\DisableRegistryTools = 1
>
> However, I can't find these keys in Windows NT.
>
> Can anyone suggest a means of getting around this problem?
> I can create a new account which functions normally. Should I just delete
> the faulty account and re-create it?
>
> Cheers,
>
At this web site, on line 275, there is a VBS script that may fix you up.
http://www.kellys-korner-xp.com/xp_tweaks.htm

David,

Thanks for your hint. This solved my problem, and I was particularly
interested in the tools available on the site.

After reflection, this was obviously the way to go. It was necessary to open
the session in the name of the account that had the problem, and then use
some means to get at the HKLM registers.

Thanks again,
Len MOR
"David Smith" wrote:

> In article <472DF72D-FB03-4FD4-A5F6-BC5ED1F4CD6B@microsoft.com>,
> LeonardMOR@discussions.microsoft.com says...
> > Hi,
> >
> > Following a viral attack on a Windows NT/SP6 station, I was able to identify
> > the worm (Win32.Darby.J) and eliminate all traces when logged in as an
> > administrator. However, when I log in to the account which was open when the
> > attack occurred I still get a message "The file
> > "CTVWIEK040A.COM" (or one of its components) is missing. Verify that the
> > path and the file name is correct. etc.".
> >
> > Effectively, this is the name of the worm that was downloaded and which I
> > deleted. One of the side effects of this worm is to disable the registry
> > tools, so I can no longer execute Regedit.exe or regedt32.exe under the
> > session.
> > I imagine that there is still a reference to the file in
> > HKCU\Software\Microsoft\Windows\Currentversion\Run.
> >
> > However, I can execute Regedit.exe or Regedt32.exe as an administrator, but
> > I can no longer find any trace of the worm name. Furthermore,
> > according to Computer Associates, the keys to disable the registry tools are:
> >
> > HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
> >
> > and
> >
> > HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\DisableRegistryTools = 1
> >
> > However, I can't find these keys in Windows NT.
> >
> > Can anyone suggest a means of getting around this problem?
> > I can create a new account which functions normally. Should I just delete
> > the faulty account and re-create it?
> >
> > Cheers,
> >
> At this web site, on line 275, there is a VBS script that may fix you up.
> http://www.kellys-korner-xp.com/xp_tweaks.htm
>

"Leonard MOR" <LeonardMOR@discussions.microsoft.com> wrote in message
news:472DF72D-FB03-4FD4-A5F6-BC5ED1F4CD6B@microsoft.com...
> Hi,
>
> Following a viral attack on a Windows NT/SP6 station, I was able to identify
> the worm (Win32.Darby.J) and eliminate all traces when logged in as an
> administrator. However, when I log in to the account which was open when the
> attack occurred I still get a message "The file
> "CTVWIEK040A.COM" (or one of its components) is missing. Verify that the
> path and the file name is correct. etc.".
>
> Effectively, this is the name of the worm that was downloaded and which I
> deleted. One of the side effects of this worm is to disable the registry
> tools, so I can no longer execute Regedit.exe or regedt32.exe under the
> session.
> I imagine that there is still a reference to the file in
> HKCU\Software\Microsoft\Windows\Currentversion\Run.
>
> However, I can execute Regedit.exe or Regedt32.exe as an administrator, but
> I can no longer find any trace of the worm name. Furthermore,
> according to Computer Associates, the keys to disable the registry tools are:
>
> HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
>
> and
>
> HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\DisableRegistryTools = 1
>
> However, I can't find these keys in Windows NT.

That is what normally should happen. You can't find either of those keys,
because when you are logged in as administrator you are looking at the
administrator's HKCU. You should look at the HKCU of the user that was infected.
Most likely the registry part of that user is not loaded (and it shouldn't
be unless there are applications running as that user). You can use "Load
Hive" in regedt32 to load the user's "ntuser.dat" file manually (into HKEY_USERS
or HKEY_LOCAL_MACHINE). But don't forget to unload it when you are done with
editing.

> Can anyone suggest a means of getting around this problem?
> I can create a new account which functions normally. Should I just delete
> the faulty account and re-create it?
>
> Cheers,
> --
> Len
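The reply above describes the manual procedure: load the infected user's ntuser.dat under HKEY_USERS with regedt32's "Load Hive", inspect that user's Run key and policy keys, then unload the hive. The script below is an added example written for this page, not code from the thread or from any of the sites it links; it automates the same steps with reg.exe and PowerShell on a modern Windows host (NT 4 itself has no PowerShell, so there the GUI "Load Hive" step is the equivalent). The profile path, the temporary mount name and the -Remediate switch are assumptions. The second policy path is written with the real key name "Windows NT" (with a space); the Computer Associates text quoted in the thread writes it as "WindowsNT". By default it only reports what it finds; it removes the DisableRegistryTools value and Run entries whose target file no longer exists only when -Remediate is given, and it always unloads the hive, as the reply warns.

```powershell
# Added example (not from the thread): inspect an offline user hive for the
# DisableRegistryTools policy and for Run-key entries pointing at files that
# no longer exist, then unload the hive. Run from an elevated prompt while the
# affected user is logged off. Paths and names below are assumptions.

param(
    [string]$NtUserDat = 'C:\Users\infecteduser\NTUSER.DAT',   # assumed profile path
    [string]$MountName = 'TempHive',                           # assumed temporary name
    [switch]$Remediate                                         # default: report only
)

$mount  = "HKU\$MountName"                       # name for reg.exe
$psRoot = "Registry::HKEY_USERS\$MountName"      # same hive via the PowerShell provider

# reg.exe load fails if the hive is already in use (user still logged on).
& reg.exe load $mount $NtUserDat | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: is the user still logged on?" }

try {
    # 1. The two policy locations the thread cites for DisableRegistryTools.
    $policyKeys = @(
        "$psRoot\Software\Microsoft\Windows\CurrentVersion\Policies\System",
        "$psRoot\Software\Microsoft\Windows NT\CurrentVersion\Policies\System"
    )
    foreach ($k in $policyKeys) {
        $v = (Get-ItemProperty -Path $k -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
        if ($null -ne $v) {
            "$k\DisableRegistryTools = $v"
            if ($Remediate -and $v -ne 0) {
                Remove-ItemProperty -Path $k -Name DisableRegistryTools
                "  removed DisableRegistryTools"
            }
        }
    }

    # 2. Run/RunOnce entries whose target executable is gone: this is what
    #    produces the "The file ... is missing" message at logon.
    $runKeys = @(
        "$psRoot\Software\Microsoft\Windows\CurrentVersion\Run",
        "$psRoot\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip the provider's own PS* metadata
            $cmd = [string]$p.Value
            # Executable path: the quoted part if quoted, otherwise the first token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($exe))
            $state = if ($exists) { 'target present' } else { 'TARGET MISSING' }
            "{0}\{1} = {2}  [{3}]" -f $k, $p.Name, $cmd, $state
            if ($Remediate -and -not $exists) {
                Remove-ItemProperty -Path $k -Name $p.Name
                "  removed dangling Run entry"
            }
        }
    }
}
finally {
    # Always unload; otherwise the profile stays locked and the user cannot log on.
    [GC]::Collect()                              # release provider handles into the hive
    & reg.exe unload $mount | Out-Null
}
```

Usage: `.\Inspect-UserHive.ps1 -NtUserDat 'C:\Users\infecteduser\NTUSER.DAT'` to report, and add `-Remediate` to remove what it flags. Reviewing the report before remediating matters because a legitimate Run entry whose program was uninstalled also shows as TARGET MISSING.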

In article <67852FF1-1F39-4BDD-80B1-488AEC7EE196@microsoft.com>,
LeonardMOR@discussions.microsoft.com says...
> David,
>
> Thanks for your hint. This solved my problem, and I was particularly
> interested in the tools available on the site.
>
> After reflection, this was obviously the way to go. It was necessary to open
> the session in the name of the account that had the problem, and then use
> some means to get at the HKLM registers.
>
> Thanks again,
> Len MOR
> "David Smith" wrote:
>
> > In article <472DF72D-FB03-4FD4-A5F6-BC5ED1F4CD6B@microsoft.com>,
> > LeonardMOR@discussions.microsoft.com says...
> > > Hi,
> > >
> > > Following a viral attack on a Windows NT/SP6 station, I was able to identify
> > > the worm (Win32.Darby.J) and eliminate all traces when logged in as an
> > > administrator. However, when I log in to the account which was open when the
> > > attack occurred I still get a message "The file
> > > "CTVWIEK040A.COM" (or one of its components) is missing. Verify that the
> > > path and the file name is correct. etc.".
> > >
> > > Effectively, this is the name of the worm that was downloaded and which I
> > > deleted. One of the side effects of this worm is to disable the registry
> > > tools, so I can no longer execute Regedit.exe or regedt32.exe under the
> > > session.
> > > I imagine that there is still a reference to the file in
> > > HKCU\Software\Microsoft\Windows\Currentversion\Run.
> > >
> > > However, I can execute Regedit.exe or Regedt32.exe as an administrator, but
> > > I can no longer find any trace of the worm name. Furthermore,
> > > according to Computer Associates, the keys to disable the registry tools are:
> > >
> > > HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
> > >
> > > and
> > >
> > > HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System\DisableRegistryTools = 1
> > >
> > > However, I can't find these keys in Windows NT.
> > >
> > > Can anyone suggest a means of getting around this problem?
> > > I can create a new account which functions normally. Should I just delete
> > > the faulty account and re-create it?
> > >
> > > Cheers,
> > >
> > At this web site, on line 275, there is a VBS script that may fix you up.

You're right, that is a great site. There is a link there to "Doug's"
site. This too might be something you would be interested in.
Good luck,
David Smith