Hundreds of VERY strange Registry keys

Status
Not open for further replies.

fumei
Oct 23, 2002
Hi folks, I have been trying to find some help on this one.

System:
P4 2.8 , 1 Gb RAM, Windows 2000 SP4

System Symptoms:

I have hundreds (and I mean literally hundreds) of Registry keys, such as this:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CommonClient\NByosJ1kzgOrW49GTF72dMTQexV6wa2Q+4Bu/Gkfw9tKQqY3\aHyYeKDO6lhu9C8I7MQ8UfhRE4KDkwL8FP6Q/A==

Key Values

Name:
7GyCONTJqYpek6MiEkMz7fzoVF++U5CUaXRZqPxKq9JqDZu8GlE55Jnm98c=

Value (Binary):
53 2A 0C CD 18 B2 FD 09 S*.I.2ý.
05 88 55 10 23 B2 E0 4A ..U.#2àj
F4 7E 31 7D 70 F8 36 A0 ô~1}pø6
EC 54 C2 18 2F D5 6A AF iTÂ./Õj¯
43 A8 52 C8 C"RÈ

I copied some of the names of the keys into a text editor - the name is 5 pages long.

- any CD writing software will not load. With Task Manager open there is a brief blink of SOMETHING loading (running), then it disappears. No matter how I try to load the executable of ANY CD writing software, they will not. Therefore I can not back up any data to CD.

- even with Administrator rights, the system will not allow any Program Removal through Control Panel

- even with Admin rights, system will not allow any termination of either applications, or processes through Task Manager

- full screen display of any image files lasts about a half second, then main graphic application recaptures focus (Photoshop, PolyView)

- MS Word does not display any cursor

Action Taken:

full virus scan - nothing found
on-line scan - nothing found

I can not find any information about such keys anywhere yet. thought I would toss this one out here.

I wish I could find a way to post a screen dump of RegEdit...it looks very very strange.

Any thoughts and/or suggestions would be welcome. I understand that it is most likely this sucker is going to need a full software (OS and everything) install again. But I have a lot of data I would like to try and save. I personally think I have a problem.

Gerry
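A defender-side triage of the pattern described in this post, added here as an example and not taken from the thread or from any Symantec tool: it parses a constructed .reg-style export (the two key names and the value name quoted above, plus a made-up Run entry), flags names that are long and base64-decodable, and counts them by path prefix. Names like this are not proof of infection on their own; the count only tells you where to look first.

```python
import base64
import re
from collections import Counter

# Constructed .reg-style export, not a real machine's: the two key names and the
# value name are the ones quoted in the post; the Run entry is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CommonClient]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CommonClient\NByosJ1kzgOrW49GTF72dMTQexV6wa2Q+4Bu/Gkfw9tKQqY3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CommonClient\NByosJ1kzgOrW49GTF72dMTQexV6wa2Q+4Bu/Gkfw9tKQqY3\aHyYeKDO6lhu9C8I7MQ8UfhRE4KDkwL8FP6Q/A==]
"7GyCONTJqYpek6MiEkMz7fzoVF++U5CUaXRZqPxKq9JqDZu8GlE55Jnm98c="=hex:53,2a,0c,cd
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\example.exe"
"""

B64_NAME = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_base64(name, min_len=24):
    """True if a key or value name is long and decodes as standard base64."""
    if len(name) < min_len or len(name) % 4 or not B64_NAME.match(name):
        return False
    try:
        base64.b64decode(name, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    return True

def parse_reg(text):
    """Yield (key_path, value_name); value_name is None for the key line itself.
    Minimal parser: ignores escaped quotes and continued hex lines."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None
        elif key and line.startswith('"') and '"=' in line:
            yield key, line[1:line.index('"=', 1)]

def triage(text, min_len=24):
    """Entries whose own name (last key segment or value name) is base64-like."""
    hits = []
    for key, value in parse_reg(text):
        own = key.rsplit("\\", 1)[-1] if value is None else value
        if looks_base64(own, min_len):
            hits.append((key, value))
    return hits

def summarize(hits, depth=4):
    """Count hits per path prefix (first `depth` components) so a cluster at the
    vendor/product level stands out for a follow-up check."""
    return Counter("\\".join(key.split("\\")[:depth]) for key, _ in hits)
```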
 
Have you tried a registry cleaner? I use Easy Cleaner from ToniArts.

James P. Cottingham
-----------------------------------------
To determine how long it will take to write and debug a program, take your best estimate, multiply that by two, add one, and convert to the next higher units.
 
I will check the whole thing out.

Some data backed up, but as posted, I can not use any CD writing software. So I still have quite a bit of data potentially at risk. I had not done a back up for (I know I know...my fault) a couple of weeks. I am, in one of my incarnations, a photographer - digital. I just did a major shoot and "backed up" my CF chips to this machine, and formatted the chips, as I needed to use them again. We are talking 2 Gb of files that are not on the last backup. Sigh. I just have not got into the habit of backing up to the hard drive, and IMMEDIATELY making another copy on CD. Sigh.

I did not check any IE stuff, as I do not use IE (use Opera). Will post back here with any results.

What a freakin' pain.

Oh, and some other things:

It will NOT let me boot from an emergency disk.
It will NOT let me run Setup from my original Windows 2000 CD.

Gerry
 
fumei

Another thing you could look at that might make your backups a bit easier would be to get an additional harddrive. I was just talking with a friend a couple of weeks ago, he has a small side business too, he considers current costs of drives trivial in relation to his data.
His main drive has a program and data partition. He has a second drive multiple times the size of the data partition and copies a daily ghost image of data to the backup drive. (In his case he has a network and the backup drive is on another machine as well.) You could probably set up a batch file to do that so the process could get pretty painless. You could then continue with a weekly or biweekly (or assorted shoot) archive to CDs as additional insurance.

As far as the current situation is concerned, You can compare a hjt log for your machine to makeitso's, you'll probably have lots and lots and lots of lines to match the 2 in his log. (and you may have other problems as well, you'll just have to see as you get into it.)

If you are really concerned about data prior to doing anything else, others here could probably talk you through process of slaving drive into another machine and copying files that way prior to doing anything else. You'll have some risk anyway you go-at some point you'll have to make a choice and forge ahead.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Another question that occurs to me.

I know nothing about digital cameras etc, but you said you took info from chips to computer. Computer won't let you write to CD. A) in the digital process, can data go the other way, from computer to chips? and B) if so, will the computer let you put stuff back on chips and move to another machine that way?

 
Yes I can move data from computer to chips. However, I have about 6 Gb of data, and 1.5 Gb of chips.

I am going to get a swappable drive and plunk a HD into it and get my data that way. Hopefully, whatever this is will not come with it.

BTW: what is a lop?

Gerry
 
OK, then this thing is not a lop. I read the links you posted, and this is definitely not a lop. IE start page is not changed. I had to go back to IE to check, as I do not use IE. No, there are no changes to IE.

Nope, there are no changes to blahblah\Run

But as posted, I sure have hundreds of strange keys, and literally thousands of binary key values.

Something is in there, but Norton can not find it, McAfee can not find it...

Gerry
 
When I've seen the discussions on those really long random-character file names on antispyware sites they've been referred to as lop.

Smah has a faq on online scanners.

Can you get online and try Pandasoft, RAV, and/or TrendMicro?

Or maybe an online PestPatrol scan just to see what it says?

Don't know risks of registry cleaner as 2ffat suggests, but backing up registry and trying that may be another option.

 
I guess I'm also missing the obvious, if you've not run adaware and spybot, you should try those as well.

 
Spybot, adware....nothing.

Registry is backed up. Will not allow any import of registry. Access denied.

Can not start any CD writing software - Access denied.

Can not use Task Manager to stop any processes or application - access denied.

Can not add another physical HD. Totally ignores it.

Can not add new programs (install) anything like any new virus/whatever checker. Access denied.

Getting worse, now random mouse movements, random switching between applications, random selecting of screen areas (highlighted). Random switching to Caps Lock. Random movement of screen elements back and forth. Random key strokes appearing.



Gerry
 
I can't do much more but offer a few alternative tools to see if they will help in some way:

You could see if this tool gives you any help:

An alternative to regedit that is suggested often in the antispyware community is registrar lite from resplendence.

Taskmanager alternatives:
Later versions of hijackthis also have a process tool under config, misc tools.
Process explorer sysinternals
security task manager neuber

 
I am not sure what to do with that thread, although I will look deeper. It seems to discuss user settings in IE. I do not use IE, and frankly do not care about IE at all. I have no idea if this thing is doing anything to IE, as I have not looked.

It is the hundreds of bizarre registry keys (most of which under Symantec - but not all), the bizarre behaviour, and the locking me out of administrative power - like being able to remove programs!; being able to stop processes! - that is what concerns me. Not being able to make CDs is a BIG problem for me.

Thanks for the other tips, and I will definitely check them out. It is getting stranger and stranger.

Gerry
 
Yes, I think it is mostly for internet explorer.
The program checks 24 things the programmer thinks are relatively common problems.
However on the 3rd tab, 17-24 registry editor shows up.
If that would show up in that program checked, my thought was maybe the program would fix the registry for you to allow regedit to work. If you can determine what key controls registry access, you can probably also get to it with registrar lite.

 
fumei:
To me it seems you have one nasty and perhaps not cleanable system virus. Only (and best) chance I see, is to simply format your HD including master boot record.

To save your data, you might want to temporarily install a second HD with an OS and switch cables to make your computer boot from that disk. Then you might be able to first run a virus check on your second HD, when there are none of its DLLs loaded - plus you can pull some files over. Just take care, you don't infect the second HD too...
P.P.S: You might also try with Knoppix. It's a bootable OS on CD (needs no install, Linux version). There are several PC magazines with a free Knoppix CD...

Good luck!
 
fumei:

Something that I don't see in this thread. Have you tried any of these fixes while in safe mode, so that you have fewer processes interfering?

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
 
jbrackett - have tried everything in Safe Mode as well.

makeitso. - have tried to install another HD with an OS. Current OS refuses to recognize that drive. BIOS sees it, but even in Safe Mode on the screwed up drive, even at a command-line, the second drive is not found.

Oh, and Symantec's suggestion is to manually delete the folders with any of their products. Manually, as I can not use Add/Remove Programs.

Then, to manually, in RegEdit, find every key with Symantec and manually delete every single key/value.

This is possible of course, but it does not give me a good feeling about the strange keys that are NOT under any Symantec key.

I doubt if there is a virus detection that I have not tried now. Nothing is found.

System getting progressively more unstable. The random highlight selections are very annoying. Cursor disappears, keystrokes do not appear on screen (so I can not see what has been typed), random keystrokes sometimes appear, random switching between running applications, and here is a new one - random deletion of layers in a PhotoShop file. Ouch!

I still can not:

- use any CD writing software
- use Add/Remove programs
- control any Services through MMC
- control any Disk Management through MMC
- stop any application or process through Task Manager

Essentially I have lost any real control of the system.



Gerry
 
Current OS refuses to recognize that drive
???
As the OS only gets started after the BIOS boot, that would mean that your MBR and/or BIOS is infected!

Sure you switched the cables, i.e. connect the clean HD to the primary Controller on your board?
 
That is correct. I believe whatever this thing is, it HAS infected BIOS. I have succeeded in removing the original HD, and yes, with new cables, and new HD connected to primary controller on the board I installed:

OS only

I maintained the system in Safe Mode ONLY, just to watch what may happen. It took about three hours, but similar behaviour started to appear, and some strange registry keys started to appear. I had a copy of the updated BIOS on a separate CD. It refused to run it. It totally would NOT let me update its BIOS.

This is narrowing it down....sort of.

I then tried to reinstall W2K from original CD on this new HD. Guess what, it will not let the W2K CD do a Setup. It runs, loads the temp files then Setup returns an error stating the temp files used for setup are corrupted. It does not even get as far as being able to delete the partition. It is as if, it is there, and knows an install may destroy it, so - no way Jose.

Used the CD to do an install on a different machine, different HD, setup works fine. Tried again on this buggered up machine....nope, Setup files get corrupted.

Here is another strange one. Single HD, jumpered as Master. On boot (before failure because no bootable HD found), what is displayed is:

Primary Master: None
Primary Slave: None

Primary Master: None
Primary Slave: Stblahblah - the ID of the drive.

This HD is the ONLY drive on the machine, it is jumpered to Master, BIOS set to boot from HD. Reset BIOS to boot from CD. Tried to do another install of W2K from original CD. Setup runs, copies temp files....stops because files are corrupt. Take the CD and try again on a different machine, and setup runs and installs fine.

Oh, and another experiment. I took the messed up hard drive and put it in an old machine (but still W2K as OS). It was put in as Slave to the original Master on this old machine. While doing NO file transfers, the old machine appears to be infected. Removed the messed up HD; tried to do a full blow-away install of W2K (from an original CD), on the old original (fine) HD. Nope, Setup files load into temp files....they get corrupted and Setup fails. Now I can not use that old machine either.


Conclusion.

It is NOT the install CD.
It IS in BIOS....I think. Or, something is getting into the MBR and doing something. Although once the OS is installed, or present (in my original scenario), other more complicated events happen.

From this, I think (but I am so frustrated and angry that I can't think calmly now), that Symantec's suggestion on manually removing all Symantec system files, manually editing the registry to remove all keys that are weird, and everything under Symantec...is NOT going to solve this.

Someone has been very very clever (the little shit...pardon my language) and is doing some serious machine code here. Two of the three machines on my home network are toast, or seem that way. To me it looks like a full replacement of motherboard and HD. Or is that just me being, well, rather hair pulling negative.

Thoughts?

Gerry
 