
Disabled regedit and Task Manager, Pc incredibly slow, Popups at increasing

Discussion in 'Malware and Virus Removal Archive' started by Tank, 2008/08/05.

  1. 2008/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Internet Settings key
    On the owner tab, select Administrators, check the subcontainers box, click Apply but not OK.
    Select the Permissions tab.
    Check the box labelled Replace permission entries .....
    Click Apply, then OK
    Verify System and Administrators have Full access and click OK
    F5 to refresh
     
  2. 2008/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Tank, I have to get some sleep. We'll pick this back up tomorrow evening. Good progress tonight!

    Just so you know, it will not hurt (and it might help) to add Tank, with full perms.

    If you are still unable to get the ZoneMap key to appear, try creating it.
    Right click the Internet Settings key and select New
    Type ZoneMap and hit enter or click somewhere off the key
    Let me know if successful
     


  4. 2008/08/12
    Tank

    Tank Inactive Thread Starter

    Joined:
    2008/08/04
    Messages:
    50
    Likes Received:
    0
    Hello noahdfear,

    Surprise! I started up, clicked on IE and the internet connections setup appeared. After completing, I checked the Security Settings and they were set to the default values! Download is enabled, etc. So I promptly downloaded Avast (I had been unprotected).
    So it seems that our work last night bore fruit.

    Now here's the other problem that may be also a registry problem:

    when I try to open Windows Explorer, I get a popup:
    Program Error "Explorer.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created."

    I need to free up some space to install Avast and I don't know how to do that without Windows Explorer.
     
  5. 2008/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I would suggest only installing 1 thing right now ..... we'll get to the rest later.
    Download and install SubInACL from Microsoft.

    Then, highlight and copy the contents of the code box below.

    Code:
    rem Change to the Resource Kit tools folder so subinacl.exe is found
    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    rem Re-grant Full Control to Administrators and SYSTEM on every subkey of each hive
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
    exit
    cls
    
    Open a command window by clicking Start>Run and typing cmd then hit Enter.
    Right click in the command window and paste the copied text.
    Now sit back and wait.
    If the command window pauses at any point, press enter and it should continue.
    The command window should close on its own when complete.

    Restart the computer and see if things behave more normally.

    I'll check back this evening. ;)
     
  6. 2008/08/12
    Tank

    Tank Inactive Thread Starter

    Joined:
    2008/08/04
    Messages:
    50
    Likes Received:
    0
    Hello, I did as instructed and the DOS ran on its own and finally closed. I rebooted and I got as far as the bluish screen that later fills up with the desktop items but it just froze.
    I rebooted and this time it froze on the splash screen with the progress bar half way to the end.
    The third reboot got past that and there was the disk check for consistency that didn't find problems and finally the desktop.
    I tried windows explorer and the popup still shows. Also, and this was a problem I had already noticed a while back, The ADD/REMOVE PROGRAMS from the control panel opens but is almost completely greyed out and shows nothing. IE seemed a bit faster when browsing.
     
  7. 2008/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Odd behavior RE: upon reboot. I can only guess that the system was recovering from again having proper access to the registry. :confused:

    First thing I'd like to do is get a fresh HijackThis log.
     
  8. 2008/08/12
    Tank

    Tank Inactive Thread Starter

    Joined:
    2008/08/04
    Messages:
    50
    Likes Received:
    0
    Hello noahdfear,

    I managed to recover what used to be drive D:. When I had first tried to format it I couldn't get past 78%, so I hooked up the vintage 5Gb drive that I was using during our communications. From the noise it was making I'd say it was about to kick the bucket. Not to mention the numerous remnants of previous installations of Win98se and several Win2k. Also there was no more space and eliminating things was a Russian roulette. In the end I figured that the 32 Gb drive (the D) might have some defective sector at about 78% of its capacity. So, using the disk manager I created a 23Gb partition and hoped that it would be good up to that point. Fortunately, it worked. So I installed win2k and immediately downloaded Avast!. Then I updated IE5 to IE6. So I finally have a fully working Pc with 23Gb.
    I cannot thank you enough for the help you extended. Knowing I could count on someone with your expertise kept me from throwing this Pc out the window. I also learned a great deal from your instructions.

    So, thanks again!
    Take care,
    Tank
     
    Last edited: 2008/08/12
  9. 2008/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow Tank! You're just full of good news today! :D
    I'm so happy to hear you're up to snuff again. I actually came home and installed Win2K on a virtual machine so I would have ready reference to give accurate instructions.

    It might be worth your time to try and create a partition in the unpartitioned space. If successful, run checkdisk on that partition using the /r switch.

    You should also consider installing the Recovery Console, especially if you haven't flashed that BIOS, allowing you to bootup with a cd.

    I'm also very happy that I was able to help. You're most welcome Tank. :)
     
  10. 2008/08/13
    Tank

    Tank Inactive Thread Starter

    Joined:
    2008/08/04
    Messages:
    50
    Likes Received:
    0
    Installation cd was infected!

    Hello noahdfear,
    After my latest message I started to get a host of problems in the newly installed Os. That forced me to reformat, repartition and reinstall win2k. All the while wondering how I could get reinfected so quickly and so aggressively. I was following your tip to install the recovery console and as soon as the cd was in the drive (E:) Avast issued a warning that E:Setup.exe was infected (W32Trojan Generic if I recall correctly). Now many things become clearer. This latest install seems to be working great and no problems have popped up yet. I'm worried that, since this Trojan was in the setup, it might start acting up during boot, before Avast can stop it. Avast does have an option for boot scan but I don't know how efficient it is since I had run it in the previous installation and it hadn't picked anything up.
    Are there any files I can send to Jotti before I turn my Pc off? What should I do? I'm kind of tired of messing with drives and installations.
    Let me know. I'll be hitting the sack soon but I'll leave my Pc on to be sure I can still use it tomorrow morning.
    Thanks,
    Tank
    I ran DSS if it is of any help
    Deckard's System Scanner v20071014.68
    Run by Tancred on 2008-08-14 00:20:35
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-08-14 00:21:14
    Platform: Windows 2000 Service Pack 4 (5.00.2195)
    MSIE: Internet Explorer (5.00.2920.0000)
    Boot mode: Normal

    Running processes:
    C:\WINNT\system32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\SPOOLSV.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\mstask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Tancred\Desktop\dss.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm
    O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe


    --
    End of file - 2256 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
    Description: NT Apm/Legacy Interface Node
    Device ID: ROOT\NTAPM\0000
    Manufacturer: Microsoft
    Name: NT Apm/Legacy Interface Node
    PNP Device ID: ROOT\NTAPM\0000
    Service: NtApm


    -- Files created between 2008-07-14 and 2008-08-14 -----------------------------



    -- Find3M Report ---------------------------------------------------------------

    Nothing modified in this timespan.


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [06/18/03 12:00p C:\WINNT\system32\mobsync.exe]
    "avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/19/08 06:38a]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @= "Driver "

    *Newly Created Service* - AAVMKER4
    *Newly Created Service* - ASWMON
    *Newly Created Service* - ASWRDR
    *Newly Created Service* - ASWSP
    *Newly Created Service* - ASWTDI
    *Newly Created Service* - ASWUPDSV
    *Newly Created Service* - AVAST!_ANTIVIRUS
    *Newly Created Service* - AVAST!_MAIL_SCANNER
    *Newly Created Service* - AVAST!_WEB_SCANNER
    *Newly Created Service* - RASMAN



    -- End of Deckard's System Scanner: finished at 2008-08-14 00:25:01 ------------
     
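As an added example (not code from the thread, from HijackThis or from Deckard's System Scanner), a small Python checker that parses the O4 Run-key and O23 service lines of a HijackThis-format log like the one above and flags entries whose executable lives in a temp or per-user profile directory, carries a system-binary name outside the Windows directory, or belongs to a service with no vendor string. The sample lines are constructed: the svchost and helpsvc2 entries are made up for illustration and are not from Tank's log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis log format, modelled on the log quoted above;
# the last O4 line and the last O23 line are invented so the checker has
# something to flag.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [svchost] C:\\Documents and Settings\\Tancred\\Local Settings\\Temp\\svchost.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: Helper (helpsvc2) - Unknown owner - C:\\WINNT\\Temp\\helpsvc2.exe
"""

# O4 - <hive>\..\<Run|RunOnce>: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <name> - <vendor> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Binary names that belong only inside the Windows directory tree.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "services.exe"}
WINDOWS_DIRS = ("\\winnt\\", "\\windows\\")
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycled\\")

@dataclass
class Finding:
    kind: str    # "O4" or "O23"
    name: str
    path: str
    reason: str

def exe_path(cmd: str) -> str:
    """Strip arguments and surrounding quotes from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def check_path(path: str) -> Optional[str]:
    """Return a reason string if the executable location looks wrong, else None."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if any(d in low for d in SUSPECT_DIRS):
        return "executable lives in a temp or per-user profile directory"
    if base in SYSTEM_NAMES and "\\" in low and not any(w in low for w in WINDOWS_DIRS):
        return "system binary name outside the Windows directory"
    return None

def analyze(log: str) -> List[Finding]:
    """Walk the log and collect findings for O4 and O23 entries."""
    findings = []
    for line in log.splitlines():
        if m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            if reason := check_path(path):
                findings.append(Finding("O4", m["name"], path, reason))
        elif m := O23_RE.match(line):
            reason = check_path(m["path"])
            if m["vendor"].strip() == "Unknown owner":
                reason = "service has no vendor string" + (f"; {reason}" if reason else "")
            if reason:
                findings.append(Finding("O23", m["name"], m["path"], reason))
    return findings
```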
  11. 2008/08/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If that's a factory cd that Avast is flagging, it's a false positive. I would certainly be forwarding that info to Avast were I in your shoes too.

    Deckard's log looks great!
     
  12. 2008/08/14
    Tank

    Tank Inactive Thread Starter

    Joined:
    2008/08/04
    Messages:
    50
    Likes Received:
    0
    Nope. Not a factory cd. That one is back in Italy, where I live. This one I got here in Brazil. So it's very possible that it is indeed infected. Is there anywhere else I could get the Recovery Console?
     
  13. 2008/08/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'll look around when I get a chance, but I don't know of another way to get the Recovery Console installed on Win 2000.
     
