
Spyware Problem: Task Manager, msconfig, regedit disabled

RichardE

I downloaded a program and when I tried to install it, I realised it had some spyware on it. This spyware disabled regedit, task manager and deleted? msconfig. I enabled regedit with a vbs script, and then used regedit to enable task manager. What do I do about msconfig though? When I try to run msconfig all I get is "windows cannot find msconfig, please make sure you typed the name correctly.."

I'm running Windows XP Home

Also, don't know if this is related or not, but now for both FF and IE, I cannot browse from page to page.

Ok, I figured out how to fix the problems.

For anyone that might run into this:

This is the vbs script to enable regedit.

Copy and paste this and name it enableregistryedit.vbs

'Enable Registry Editing'
'© Veegertx - 4/7/2004
'This code may be freely distributed/modified
On Error Resume Next
'Prevents errors from values that don't exist
Set WshShell = WScript.CreateObject("WScript.Shell")
'Delete DisableRegistryTools registry values

WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"

'display message
Message = "You should have access to Regedit now"

X = MsgBox(Message, vbOKOnly, "Done")
Set WshShell = Nothing


After that, to enable task manager:

Use this hive HKEY_CURRENT_USER
then go to this key Software\Microsoft\Windows\CurrentVersion\Policies\System and set that to 0

Finally, for Msconfig

go to this key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE

and set the path to C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

As it seems this spyware is going around on a lot of dl'ed programs, I hope this can help anyone who has this problem as well.
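As an added example that is not part of the thread, here is a PowerShell audit script that checks the same registry locations the post above walks through, so a defender can tell at a glance whether the tool-disabling policies are still in place after cleanup. It supplies the Task Manager value name DisableTaskMgr (a documented Windows policy value the post leaves unnamed) and assumes the Windows XP msconfig path given in the thread; on later Windows versions msconfig lives under System32, so adjust $expected accordingly.

```powershell
# Added example, not from the thread: audit the policy values and App Path that
# the spyware described above tampered with. Read-only; it only reports findings.

$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Hive = 'HKCU'; Name = 'DisableRegistryTools' },   # named in the thread
    @{ Hive = 'HKLM'; Name = 'DisableRegistryTools' },   # named in the thread
    @{ Hive = 'HKCU'; Name = 'DisableTaskMgr' },         # documented Windows value, not named in the thread
    @{ Hive = 'HKLM'; Name = 'DisableTaskMgr' }
)

foreach ($c in $checks) {
    $path  = "$($c.Hive):\$policyKey"
    $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $value) {
        "OK       $path\$($c.Name) is absent (no restriction in place)"
    } elseif ($value -eq 0) {
        "OK       $path\$($c.Name) = 0"
    } else {
        "TAMPERED $path\$($c.Name) = $value (delete the value or set it to 0)"
    }
}

# The App Paths entry is how Windows locates msconfig when it is launched by name;
# an empty or redirected entry produces the "windows cannot find msconfig" error.
$appPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE'
$expected = 'C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe'   # XP path given in the thread
$actual   = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'

if (-not $actual) {
    "TAMPERED $appPath has no default value; msconfig cannot be found by name"
} elseif ($actual -ine $expected) {
    "CHECK    $appPath points to '$actual' instead of '$expected'; confirm that file is the genuine MSConfig.exe"
} elseif (-not (Test-Path -LiteralPath $actual)) {
    "TAMPERED $appPath points to '$actual' but that file is missing"
} else {
    "OK       $appPath -> $actual"
}
```

Run it from an elevated prompt so the HKLM values are readable; anything reported as TAMPERED after a cleanup means the malware's persistence or a re-infection is still active, not just a leftover symptom.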
 
Try the routine I wrote up in this text document as an initial step. If you have an antivirus program installed, update it and make sure all its options are turned on (compressed-file/archive scanning & heuristics, etc).

Afterwards, download, install, and update Spybot Search & Destroy 1.4, and also Windows Defender (formerly Microsoft AntiSpyware), and reboot into Safe Mode and scan with them also. Also scan with your regular antivirus program while in Safe Mode too.

Good luck 🙂
 
Thanks for the help 🙂

I resolved the three issues, thankfully; the solutions are posted above.

 
Now that everything is back, go here and create a Bart's PE boot disc for yourself. That will give you an OS source to boot from CD to help recover from anything like this in the future (some spyware is even worse, see the Aurora definition at Symantec when you are bored.)

There are also Linux boot tools that do the same. A search of the archives for this forum will find threads discussing what tools are available.

😀

Edit - btw, good work on finding and fixing the issue. Gold star.
 
Now for the $64,000 question... did he actually check the system for Trojans, worms and viruses and cure the disease, or did he just treat a symptom? 😉

I guess really curing the disease would start with not downloading and running rogue junk in the first place. But whatever.
 
Originally posted by: mechBgon
Now for the $64,000 question... did he actually check the system for Trojans, worms and viruses and cure the disease, or did he just treat a symptom? 😉

I guess really curing the disease would start with not downloading and running rogue junk in the first place. But whatever.

From what I saw, the red keys were just pointing to a keygen.exe which I got rid of. I have yet to see any more symptoms from it; ran antivirus, CC and got rid of a bunch of junk.
 