Re: How do I make registry changes stick?
- From: "ernie" <ernie@xxxxxxxxxxxx>
- Date: Mon, 17 Apr 2006 16:01:38 +0100
Thank you, Wesley. I found and deleted the .com files (and followed the rest
of the Symantec cleanup procedure) but the "execution" of the regedit.com
left a regedit.pif which also must be deleted to get the Run box to work
properly. A little quibble with the cleanup from Symantec, they say that the
file taskmgr.exe is also dropped by the worm but it appears legitimate? I
have left it anyhow.
This did not resolve the failure of regedit to edit the winlogon so, back to
msconfig and stopping a bunch of processes called Project1 and gogo115
finally caused the edit to stick. These files don't offend AVG but are dated
all at the same time so this other (etnuq.exe) virus comes as a package. I
will just list these files found in C:\Windows\ for any other unfortunates:
ms0420353-548.exe 136kB
ms0420353-5482006.exe 136kB
keyboard8.exe 44kB
mousepad8.exe 72kB
newname8.exe 24kB
wnu_??.exe 77kB which claims to be an uninstaller but just
renames itself.
Thanks again,
ern.
"Wesley Vogel" <123WVogel955@xxxxxxxxxxx> wrote in message
news:#5O7CTKXGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
All Regedt32.exe does is launch Regedit.exe.
Chances are that you have another POS, regedit.com.
Also Known As: W32.Alcan.A, Win32.Alcan.A [Computer Associates],
P2P-Worm.Win32.Alcan.a [Kaspersky Lab], W32/Alcan.worm!p2p [McAfee],
W32/Alcra-A [Sophos], WORM_ALCAN.A [Trend Micro]
[[This worm drops the legitimate file compression DLL, BSZIP.DLL in the
Windows system folder. It does this so it can compress itself. It also drops
the following files in the Windows system folder:
CMD.COM
NETSTAT.COM
PING.COM
REGEDIT.COM
TASKKILL.COM
TASKLIST.COM
TRACERT.COM
These files contain the string MZ so that this worm can disable the
following Windows tool applications:
CMD.EXE
NETSTAT.EXE
PING.EXE
REGEDIT.EXE
TASKKILL.EXE
TASKLIST.EXE
TRACERT.EXE ]]
From...
WORM_ALCAN.A - Technical details
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A&VSect=T
Symantec Security Response - W32.Alcra.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:uomNotHXGHA.4132@xxxxxxxxxxxxxxxxxxxx,
ernie <ernie@xxxxxxxxxxxx> hunted and pecked:
Falling at the first hurdle here, I Start > Run > regedit and get a
message "regedit is not a valid Win32 application."
I was using regedt32 in the run box although I can double click
regedit.exe when viewing the C:\Windows folder and it comes up OK. I
have to use the full path in the run box, then the editor comes up.
Thanks for confirming the Userinit value is also corrupt.
I found that the permissions for the key were <Not inherited> and on the
Advanced section clicked to check the "Inherit from Parent......" box
which caused a duplicate but <Inherited> set of permissions to appear in
the box. Deleted all the <Not inherited> ones and optimistically made
edits. No joy, no more time on this now.
Thank you for the links. My ancient browser finds it so hard to download
a page these days let alone perform a search {:^).
Regards,
ern.
"Wesley Vogel" <123WVogel955@xxxxxxxxxxx> wrote in message
news:#ihS8VBXGHA.3492@xxxxxxxxxxxxxxxxxxxxxxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Userinit
REG_SZ
C:\WINDOWS\SYSTEM32\Userinit.exe,
Try this...
Reset the registry permissions
In the Registry Editor, right click..
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
To update the permissions of the registry subkey, follow these steps:
a. Click Start, click Run, type regedit and then click OK to start
Registry Editor.
b. Locate and right-click the registry subkey, and then click Permissions.
c. Under Group or user names, click Administrators.
d. Under Permissions for Administrators, make sure that the Allow
check box for the following entries is selected:
* Full Control
* Read
e. Click Apply and then click OK.
f. On the File menu, click Exit to quit Registry Editor.
Open the Registry Editor again and see if you can make the changes now.
If not, try this...
Start | Run | Type: regedit | OK |
Navigate to >>>
the said key
Right click the key in the left hand pane | Permissions... | Advanced
button | Owner tab | click the new owner and then click OK.
[[You can take ownership of a registry key if you are logged on as an
administrator or if you have been specifically assigned the permission
to take ownership of the registry key by the current owner. ]]
See permissions, registry in Registry Editor HELP.
To assign permissions to a registry key
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_permit_key.mspx
To assign special access to a registry key
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_assign_specacc.mspx
To grant Full Control of a registry key
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_yield_own.mspx
To add users or groups to the audit list
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_audit_key_adduser.mspx
To add users or groups to the Permissions list
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_permit_key_adduser.mspx
To remove a user or group from the Permissions list
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_permit_key_remove.mspx
To take ownership of a registry key
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_take_own.mspx
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:etHzyOBXGHA.3800@xxxxxxxxxxxxxxxxxxxx,
ernie <ernie@xxxxxxxxxxxx> hunted and pecked:
I would like to add that in the same key there is a value "Userinit"
whose value has been altered in the same way viz:
,oouybpw.exe has been added at the end.
The file does not exist.
ern.
"ernie" <ernie@xxxxxxxxxxxx> wrote in message
news:OciZwoAXGHA.3800@xxxxxxxxxxxxxxxxxxxxxxx
The etnuq.exe file is gone, I assume AVG dealt with it, but the
call is still there which is freaking AVG out. It seems unlikely
that regedt32 actually checks to see if the edits have logical
consistency, the value goes straight back to the original data as though I had
never made the change. I looked at the restore points but there are none
before the 8th when this problem already existed. Have I missed some
thing on the permissions front, they are a bit hard to get my head
round. Thank you for the tip about scanning in Safe mode.
Regards,
ern.
"Wesley Vogel" <123WVogel955@xxxxxxxxxxx> wrote in message
news:uc1jce$WGHA.5012@xxxxxxxxxxxxxxxxxxxxxxx
Update AVG and run a full system scan. Etnuq.exe is probably a virus.
You might want to start in Safe Mode to run AVG.
Some viruses and other malware like to conceal themselves in areas
Windows protects while using them. Safe mode will prevent those
applications access and therefore unprotect the viruses or other
malware.
How to start Windows in Safe Mode Windows XP
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo
You have to get rid of C:\Windows\System32\Etnuq.exe before the
registry change is going to stick.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:%23kSrij%23WGHA.3332@xxxxxxxxxxxxxxxxxxxx,
ernie <ernie@xxxxxxxxxxxx> hunted and pecked:
From Explorer.exe, C:\Windows\System32\Etnuq.exe to Explorer.exe
ern.
"Wesley Vogel" <123WVogel955@xxxxxxxxxxx> wrote in message
news:#KudD99WGHA.5076@xxxxxxxxxxxxxxxxxxxxxxx
What are you trying to change the value from\to?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Shell
REG_SZ
Explorer.exe
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
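As an added check (not code from the thread or from either poster), the PowerShell script below compares the Winlogon Shell and Userinit values against the defaults Wes quotes, flags any non-admin account holding write rights on that key, and lists .COM or .PIF files sitting beside the tools the Trend Micro write-up says the worm shadows. It assumes an XP-era layout with SystemRoot at C:\WINDOWS; adjust the expected Userinit path for other versions.

```powershell
# Added example, not part of the original thread.
# 1. Winlogon values: these are the two values the thread shows being hijacked.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'Explorer.exe'                          # as quoted by Wes
    Userinit = 'C:\WINDOWS\SYSTEM32\Userinit.exe,'     # as quoted by Wes (XP)
}
$values = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $values.$name
    if ($actual -ne $expected[$name]) {
        # A trailing ",something.exe" here is exactly the symptom described above.
        Write-Warning "Winlogon\$name is '$actual' (expected '$($expected[$name])')"
    } else {
        Write-Output "Winlogon\$name OK: $actual"
    }
}

# 2. Key permissions: anything other than Administrators/SYSTEM with write
#    rights on Winlogon explains edits that "go straight back".
$acl = Get-Acl -Path $winlogon
foreach ($ace in $acl.Access) {
    $canWrite = ($ace.RegistryRights -match 'FullControl|SetValue|WriteKey')
    $trusted  = ($ace.IdentityReference -match 'Administrators|SYSTEM|CREATOR OWNER')
    if ($canWrite -and -not $trusted -and $ace.AccessControlType -eq 'Allow') {
        Write-Warning "Winlogon key writable by $($ace.IdentityReference): $($ace.RegistryRights)"
    }
}

# 3. Shadow files: when a name is typed without an extension, Windows tries
#    PATHEXT in order and .COM precedes .EXE, so REGEDIT.COM runs instead of
#    REGEDIT.EXE. The thread also mentions a leftover regedit.pif.
$tools = 'cmd','netstat','ping','regedit','taskkill','tasklist','tracert'
$dirs  = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
foreach ($dir in $dirs) {
    foreach ($tool in $tools) {
        foreach ($ext in '.com','.pif') {
            $path = Join-Path $dir ($tool + $ext)
            if (Test-Path -LiteralPath $path) {
                $f = Get-Item -LiteralPath $path
                Write-Warning "Suspicious $path ($($f.Length) bytes, modified $($f.LastWriteTime))"
            }
        }
    }
}
```

Run it from an elevated prompt; a warning from section 1 with no warning from section 2 points at a running process re-writing the value, which is the situation the thread ends up in.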
In news:e2H$Lc7WGHA.4924@xxxxxxxxxxxxxxxxxxxx,
ernie <ernie@xxxxxxxxxxxx> hunted and pecked:
Using XP Home Edition, logged on as administrator in Safe Mode, I
make the change to
HKLM\sware\ms\windowsNT\current version\winlogon\Shell but, after
I close the registry editor and reopen it, the value has returned
to its original data. I checked the permissions for the key but
cannot see a reason there for this behaviour.
How can I change this value as it is causing an annoying popup
from AVG and I have to turn off the AVG Notification Service in
msconfig to stop it which may cause problems if I get another virus?
Thank you,
ern.