Define deleted registry keys, pleez

April 15, 2006 at 21:17:38
Specs: XP Home SP2, 1.6Ghz with 512Mb RAM
Hi Everyone,

I'm wrestling with a Symantec article on the W32.Petch worm. It seems I may have the thing, but not sure (yet).

The article is kind of wishy-washy and says things like may affect specified files and may delete registry keys, but what might their definition be for 'deleted' keys?

I clearly have some deleted keys as my list below shows, but as for my other keys which, although they are there (in a manner of speaking), have no value set, I'm wondering if this is normal or whether the key has been 'deleted'.

Kudos for reading all this crap if affording the time to do so. More kudos if also replying.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Desktop\SafeMode

mine shows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\

but thereafter, no "Desktop" folder is found listed in the explorer window.

That key is "missing" right?


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot

mine shows:
Name - ab (Default) Type - REG_SZ Data - (value not set)
Name - ab AlternateShell Type - REG_SZ Data - cmd.exe


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot

mine shows:
no listing for ControlSet003 (only 001 & 002)


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

mine shows:
Name - ab (Default) Type - REG_SZ Data - (value not set)


HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

mine shows:
Name - ab (Default) Type - REG_SZ Data - (value not set)

Then lists below a bunch of Names with Type being REG_BINARY and Data being bunches of letter/numbers.


HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery

mine shows:
Name - ab Default Type - Reg_SZ Data - (value not set)


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System

mine shows...
Name - ab Default Type - Reg_SZ Data - (value not set)
Name - Isindexing NNTPSvc Type - Reg_DWord Data - 0x00000000 (0)
Name - Isindexing W3Svc Type - Reg_DWord Data - 0x00000000 (0)
Name - ab Location Type - Reg_SZ Data - D:\System Volume Information

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Biosinfo

mine shows...
Name - ab (Default) Type - REG_SZ Data - (value not set)
Name - ab InfName Type - REG_SZ Data - biosinfo.inf
Name - ab SystemBiosDate Type - REG_SZ Data - 05/19/04

Lastly (no pun intended), the worm "changes a registry key" (although this may or may not be happening to all those infected with W32.Petch) for:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

to a value of:
"Userinit32.exe"="C:\Windows\system32\userinit32.exe"

mine shows:
Name - ab Userinit Type - REG_SZ Data - C:\Windows\system32\userinit32.exe

I asked earlier about this entry and was told here (in my 3-8-06 post) to leave it alone as it was a valid entry, but Symantec's saying it has been changed, but from what?

Regards and hap-e-trails, Steve Hopper


#1
April 16, 2006 at 14:59:55
Did Norton identify the W32Petch worm? Usually if you are missing registry keys, the system will not work or some other program errors will occur? Is this happening? Have you used an on line scan like Kaspersky's at this url:

http://www.kaspersky.com/virusscanner



Report •

#2
April 16, 2006 at 15:06:19
Symantec_ W32.Petch

possibly
userinit.exe

to:

userinit32.exe

may need to switch back,

may be altered and infected,
turn off system restore,
boot in safe mode,

scan again,
scan for spyware as well,

empty trash,



Report •

#3
April 17, 2006 at 03:02:33
Hi again everyone, hope everyone had a nice Easter and enjoyed their families.

Capt-
I began researching the W32.Petch thing after a crash where MS reporting resulted in a MS window that explained possible causes for my crash.

bofra-
As for my initial post's mentioning of the

>"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

>to a value of:
"Userinit32.exe"="C:\Windows\system32\userinit32.exe"

I goofed on the HCKY string.

It is actually HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the registry entry there should be "C:\Windows\system32\userinit.exe," (less quotes) which seems to be no issue for me as at least there, I have that entry.

Capt, bofra & everyone else-

Kaspersky scan initially revealed nothing but some of my quarantined infections and maybe some 6 restore points having 'Trojan-Downloader.Win32.IstBar.ny' in them, but I'm locked out of all restore points anyway as a result of some queer downloaded program named "Software Distribution Service 2.0" (listed only in one of my restore points calendar). However Kaspersky's scan file "button" led me to a "browse" button, ref. http://www.kaspersky.com/scanforvirus which seems to be highly helpful as it seems to offer the user a means for accessing and restoring files we are normally locked out from.

As for the trojan(s) in my restore points, as I'm locked out of them anyway, I need to delete them so as to allow me to use one that was mysteriously deleted when I lost my desktop on 3-19-06.

Buuuuut, as I plan on deleting all restore points (out of common sense at this stage), moreover I'll likely need to delete them towards improving the chances of being able to successfully import my 3-19 RP.

And the reason I need to import that restore point is because on 3-20 my entire desktop was somehow deleted; I think even my (classic) themes file was deleted as well. Thereby I lost an important desktop folder containing much needed files.

I'm just a little apprehensive about trying to use either PC Inspector File Recovery or EaseUsDataRecoveryWizard Demo programs (for hopefully importing the deleted restore point) as neither program is smart enough to identify the directory for restoring files. I must tell it where the files belong.

Also I suspect that merely importing the restore point folder to the right directory may not enable me to use it because I see a number of other files in my 'sys vol info' folder and of which I'm certain one or more enables the sys restore wizard to handle the RP's so as to enable the RP to be presented in the sys restore wizard's calendar.

In my 'sys vol info' folder I see a file
"MountPointManagerRemoteDatabase" which has the icon of (I think) a 'system file'. Also in the same folder I see a .txt file named
"drivetable".

And in the 'sys vol info' folder's "_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}" folder, I see my current RP folders (RP1 thru RP41), two XML Editor files ("_driver" and "_filelst") indicated to be Microsoft Outlook Configuration File.

I suspect that the MountPointManagerRemoteDatabase file may be the only one necessarily needing something done to it that will enable the sys restore wizard to read and allow subsequent use of an imported RP.

Any help at this point would be greatly appreciated. And if affording such and I
succeed in importing and using the restore point, I'll need to repost this string for all to benefit from.

Regards and hap-e-trails, Steve Hopper
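
The question running through this thread is what counts as a "deleted" key versus a key that is present but whose (Default) value reads "(value not set)". The following read-only PowerShell check is an added example, not from the thread or from Symantec: it walks the key list from the first post and reports each one as absent or present (with its default and the number of named values), and then reads the Winlogon Userinit value that post #3 corrects the path for. The expected Userinit string with its trailing comma is taken from post #3 and assumed to be the normal value.

```powershell
# Added example (not from the thread): read-only registry audit.
# A key that Test-Path cannot find is absent ("deleted" in the article's sense);
# a key whose (Default) value is unset is a normal, present key.
$keys = @(
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Desktop\SafeMode',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot',
    'HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Biosinfo'
)

foreach ($k in $keys) {
    $p = "Registry::$k"
    if (-not (Test-Path -LiteralPath $p)) {
        "ABSENT    $k"
        continue
    }
    $item    = Get-Item -LiteralPath $p
    $default = $item.GetValue('')          # $null is what regedit shows as "(value not set)"
    $named   = @($item.GetValueNames() | Where-Object { $_ -ne '' })
    $state   = if ($null -eq $default) { 'default unset' } else { "default = $default" }
    "PRESENT   $k ($state; $($named.Count) named values; $($item.SubKeyCount) subkeys)"
}

# Winlogon\Userinit, the key post #3 corrects the path to. Expected value taken
# from that post (assumption: the trailing comma is part of the normal value).
$expected = 'C:\Windows\system32\userinit.exe,'
$wl = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($null -eq $userinit) {
    'Winlogon\Userinit: ABSENT'
} elseif ($userinit -ieq $expected) {
    "Winlogon\Userinit: matches expected value ($userinit)"
} else {
    "Winlogon\Userinit: differs from expected value ($userinit) - review before changing anything"
}
```

Run it from an elevated PowerShell prompt; it only reads the registry and changes nothing.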
