
Solved Problem with Mal/Emogen-M

Discussion in 'Malware and Virus Removal Archive' started by Boz Mon, 2007/11/29.

  1. 2007/12/05
    noahdfear

    Hmmm... on the Jeanine account, does the Registry Editor open if you click Start > Run, type regedit and hit Enter?

    Please right-click the ResetProtocolDefaults.reg file and select Edit. It should open in Notepad. Press the Ctrl and A keys simultaneously to select all, then Ctrl and C to copy it to the clipboard. Paste it in a reply here.
     
  2. 2007/12/07
    Boz Mon

    Sorry for the late reply, we got dumped on with snow. Not really dumped, but I digress... The editor does open when I do regedit for my mom's (Jeanine) account. Here is the copied and pasted file that you gave me too:

    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    @=" "
    "http"=dword:00000003
    "https"=dword:00000003
    "ftp"=dword:00000003
    "file"=dword:00000003
    "@ivt"=dword:00000001
    "shell"=dword:00000000

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    @=" "
    "http"=dword:00000003
    "https"=dword:00000003
    "ftp"=dword:00000003
    "file"=dword:00000003
    "@ivt"=dword:00000001
    "shell"=dword:00000000
     


  4. 2007/12/09
    noahdfear

    Let's see what happens with a slight modification. Log on to Mom's account before proceeding.

    Highlight and copy the contents of the code box below to a blank Notepad window. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4

    ; Drop the existing key (and anything that was added under it), then rebuild
    ; it with the stock scheme-to-zone map: 3 = Internet, 1 = Local intranet,
    ; 0 = My Computer.
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    @=" "
    "http"=dword:00000003
    "https"=dword:00000003
    "ftp"=dword:00000003
    "file"=dword:00000003
    "@ivt"=dword:00000001
    "shell"=dword:00000000

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    @=" "
    "http"=dword:00000003
    "https"=dword:00000003
    "ftp"=dword:00000003
    "file"=dword:00000003
    "@ivt"=dword:00000001
    "shell"=dword:00000000
    
    Double click fix.reg and allow it to merge with the registry.

    If successful, restart the computer and logon to mom's account again, then create and post a new HijackThis log.
     
  5. 2007/12/10
    Boz Mon

    I got an error accessing the registry when I try to merge the new one.
     
  6. 2007/12/11
    ted

    Mal/Emogen-K... can't get rid of it

    Need some help in getting rid of Mal/Emogen-K. Did the usual virus scans and only Spysweeper is picking it up. It quarantines the virus, then hours later it finds it again. I've done virus scans in Safe Mode, including Norton, Spysweeper, Spybot and a Smitfraud scan. No luck. I'd be grateful for any help in removing this thing. It's a tough bugger.
     
  7. 2007/12/11
    noahdfear

    Boz,

    Are you comfortable editing the registry?

    Ted,

    Welcome to WindowsBBS :) Normally I would split your post off into a topic of its own; however, I'm not going to do that at this time. You seem to have two things in common with Boz: Mal/Emogen, and SpySweeper being the only thing that detects it. Does SpySweeper give you a filename and location?
     
  8. 2007/12/11
    Boz Mon

    To be honest, no. I have never done that before, but I am doing what you posted and it didn't work. Spy Sweeper does not give a file location, so I don't know what to do :(
     
  9. 2007/12/11
    noahdfear

    Please do the following while on Mom's account.

    Highlight and copy the contents of the quote box below to a blank Notepad window. Save it to the desktop as:

    Filename: check.bat
    Save as type: All Files (*.*)

    Double click check.bat to run it. It will open policies.txt when it completes. Please post its contents.
     
  10. 2007/12/12
    Boz Mon

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun REG_DWORD 0x95

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} REG_DWORD 0x1
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} REG_DWORD 0x40000021
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} REG_DWORD 0x20

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system
    dontdisplaylastusername REG_DWORD 0x0
    legalnoticecaption REG_SZ
    legalnoticetext REG_SZ
    shutdownwithoutlogon REG_DWORD 0x1
    undockwithoutlogon REG_DWORD 0x1
     
  11. 2007/12/12
    noahdfear

    Seems to be in order. Let's try this. On Mom's account:

    Highlight and copy the contents of the code box below to a blank Notepad window. Save it to the desktop as:

    Filename: RegReset.bat
    Save as type: All Files (*.*)

    Code:
    @echo off
    rem Rebuild ProtocolDefaults under HKCU and HKLM: delete the key, recreate it,
    rem then write the stock scheme-to-zone values (3 = Internet, 1 = Local
    rem intranet, 0 = My Computer). /f suppresses the confirmation prompts.
    REG delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v ftp /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v file /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v @ivt /t REG_DWORD /d 0x00000001 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v shell /t REG_DWORD /d 0x00000000 /f
    REG delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /f
    REG add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /f
    REG add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v ftp /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v file /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v @ivt /t REG_DWORD /d 0x00000001 /f
    REG add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v shell /t REG_DWORD /d 0x00000000 /f
    rem Dump both keys so the result can be checked, starting from a fresh file
    rem rather than appending to a stale one.
    if exist check.txt del /q check.txt
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /s>>check.txt
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /s>>check.txt
    start notepad check.txt
    cls
    exit
    
    Double click RegReset.bat to run it. It will open check.txt when it completes. Please post its contents.
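The batch above resets the key blind and leaves the reader to eyeball check.txt for the result. The following PowerShell script is an added example, not code from this thread or its participants, that does the same audit and reset with the comparison built in: it checks both hives against the stock values the batch writes, flags missing, altered or extra entries, and only rewrites the keys when run with -Repair. It assumes an elevated PowerShell 5.1 prompt on Windows, logged on as the affected user (HKCU is that user's hive); the function names are mine.

```powershell
# Added example, not code from the thread.  Run from an elevated PowerShell
# 5.1 prompt while logged on as the affected user (HKCU is that user's hive).
# Without -Repair the script only reports.
param([switch]$Repair)

# Stock scheme-to-zone map, the same values the batch file writes:
# 0 = My Computer, 1 = Local intranet, 3 = Internet.  A lowered number or an
# extra scheme makes IE treat that scheme with a more trusting zone.
$Expected = [ordered]@{ 'http' = 3; 'https' = 3; 'ftp' = 3; 'file' = 3; '@ivt' = 1; 'shell' = 0 }
$SubKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'

function Test-ProtocolDefaults([string]$Hive) {
    # $true only when the key exists and holds exactly the stock values.
    $path = "${Hive}:\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path is missing or cannot be read"
        return $false
    }
    $key   = Get-Item -LiteralPath $path
    $clean = $true
    foreach ($name in $Expected.Keys) {
        $actual = $key.GetValue($name)
        if ($null -eq $actual) {
            Write-Warning "$path : '$name' is absent, expected $($Expected[$name])"
            $clean = $false
        }
        elseif ($key.GetValueKind($name) -ne 'DWord' -or [int]$actual -ne $Expected[$name]) {
            Write-Warning "$path : '$name' is $actual, expected $($Expected[$name])"
            $clean = $false
        }
    }
    # Anything beyond the stock names (the default value aside) is suspect.
    foreach ($name in $key.GetValueNames()) {
        if ($name -ne '' -and -not $Expected.Contains($name)) {
            Write-Warning "$path : unexpected value '$name' = $($key.GetValue($name))"
            $clean = $false
        }
    }
    return $clean
}

function Reset-ProtocolDefaults([string]$Hive) {
    # Same sequence as the batch file: delete the key, recreate it, write each value.
    $path = "${Hive}:\$SubKey"
    try {
        if (Test-Path -LiteralPath $path) {
            Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
        }
        New-Item -Path $path -Force -ErrorAction Stop | Out-Null
        foreach ($name in $Expected.Keys) {
            New-ItemProperty -LiteralPath $path -Name $name -PropertyType DWord `
                -Value $Expected[$name] -Force -ErrorAction Stop | Out-Null
        }
        return $true
    }
    catch {
        # The condition the thread hit: the key's ACL shuts the user out, so the
        # delete or the recreate is refused.  Ownership must be fixed first.
        Write-Warning "Could not reset $path : $($_.Exception.Message)"
        return $false
    }
}

foreach ($hive in 'HKCU', 'HKLM') {
    if (Test-ProtocolDefaults $hive) {
        "$hive ProtocolDefaults: OK"
    }
    elseif ($Repair) {
        if (Reset-ProtocolDefaults $hive) {
            "$hive ProtocolDefaults: reset, verified = $(Test-ProtocolDefaults $hive)"
        }
    }
    else {
        "$hive ProtocolDefaults: needs repair (rerun with -Repair)"
    }
}
```

Run it once with no switch to see what is wrong, then with -Repair. A warning out of Reset-ProtocolDefaults is the same access-denied condition the thread ran into on the HKCU key; no amount of rewriting gets past it until the key's owner and permissions are fixed.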
     
  12. 2007/12/13
    Boz Mon

    I saw a lot of errors with that one. I don't know if that's good or not, but I assume it's not:


    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
    http REG_DWORD 0x3
    https REG_DWORD 0x3
    ftp REG_DWORD 0x3
    file REG_DWORD 0x3
    @ivt REG_DWORD 0x1
    shell REG_DWORD 0x0
     
  13. 2007/12/13
    noahdfear

    That batch at least showed me where the problem is, and it's on the current user key we're trying to change. Let's see if we can do this without editing permissions. Delete the RegReset.bat currently on the desktop, and the check.txt file too. We're going to create new ones.

    Highlight and copy the contents of the code box below to a blank Notepad window. Save it to the desktop as:

    Filename: RegReset.bat
    Save as type: All Files (*.*)

    Code:
    @echo off
    rem Work around a locked ProtocolDefaults key without editing its ACL: create
    rem a throwaway sibling key, save it to a hive file, then REG RESTORE that
    rem hive over ProtocolDefaults. RESTORE replaces the target key, security
    rem descriptor included, with the saved one (needs backup/restore privileges,
    rem which an administrator account holds).
    if exist proto.hiv del /q proto.hiv
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaultsdummy" /f
    REG save "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaultsdummy" proto.hiv
    REG delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaultsdummy" /f
    REG restore "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" proto.hiv
    del /q proto.hiv
    rem With the key replaced, rebuild it with the stock values as before.
    REG delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v ftp /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v file /t REG_DWORD /d 0x00000003 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v @ivt /t REG_DWORD /d 0x00000001 /f
    REG add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v shell /t REG_DWORD /d 0x00000000 /f
    if exist check.txt del /q check.txt
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /s>>check.txt
    start notepad check.txt
    cls
    exit
    
    Double click RegReset.bat to run it. It will open check.txt when it completes. Please post its contents.
     
  14. 2007/12/14
    Boz Mon

    More errors on that one.....

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
    http REG_DWORD 0x3
    https REG_DWORD 0x3
    ftp REG_DWORD 0x3
    file REG_DWORD 0x3
    @ivt REG_DWORD 0x1
    shell REG_DWORD 0x0

    You know what, I don't know if I told you this or not, but my mom's desktop wallpaper disappeared, and I cannot drag anything to the Recycle Bin. I don't know if that will help you or not, but the info is out there.
     
    Last edited: 2007/12/14
  15. 2007/12/15
    noahdfear

    Again, on Mom's account:

    Download SWREG.exe and save it to the desktop.

    Highlight and copy the contents of the code box below to a blank Notepad window. Save it to the desktop as:

    Filename: protoperms.bat
    Save as type: All Files (*.*)

    Code:
    @echo off
    if exist protoperms.txt del /q protoperms.txt
    swreg acl  "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /spec B >>protoperms.txt
    start notepad protoperms.txt
    cls
    exit
    
    Double click protoperms.bat to run it. It will open protoperms.txt when it completes. Please post its contents.

    What happens when you try to change the wallpaper?
     
  16. 2007/12/15
    Boz Mon

    *******************************************************************************
    Registrykey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

    Object does not exist or user doesn't have enough permissions



    That's what I got. Trying to change the wallpaper as we speak... BTW, what do you want me to do with that other thing I downloaded? :confused:

    Edit: tried to change it and nothing happened. It let me into the Control Panel and the desktop wallpaper changing screen, and it let me pick a background, but when I applied it nothing happened.
     
  17. 2007/12/15
    noahdfear

    On Mom's account, click Start > Run, type regedit and hit Enter. Navigate to the following location.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults

    • Right-click the ProtocolDefaults key and select Permissions. If you are prompted with a permissions message, just click OK and right-click > Permissions again.
    • On the Permissions dialog box, click Advanced.
    • Select the Owner tab.
    • Select Administrators in the list, check the box to replace owner on subcontainers and objects, then click Apply. Click OK to close the Advanced Security Settings dialog.
    • On the Permissions dialog again, verify Administrators is listed and, when selected, shows Allow > Full Control in the lower pane.

    • If not listed, click Add.
    • Type Administrators and click Check Names.
    • When Administrators populates, click OK, then give Full Control.
    • OK out of the Permissions dialog when complete and close regedit.
    • Try to merge the ResetProtocolDefaults.reg file (the first fix we tried) and let me know if the merge succeeds.

    Don't hesitate to post back if you have questions ... I'll be right here till you get through it.
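The swreg output two posts up reports "Object does not exist or user doesn't have enough permissions" for both conditions, and the regedit steps above only help with the second. The following PowerShell script is an added example, not code from this thread or its participants: it first walks the key path to say which of the two conditions applies, and only then performs the Owner tab and Permissions dialog steps programmatically. It assumes an elevated PowerShell 5.1 prompt on Windows while logged on as the affected user (the key lives in that user's HKCU); Get-KeyState and Repair-KeyPermissions are names I chose.

```powershell
# Added example, not code from the thread.  Run from an elevated PowerShell
# 5.1 prompt while logged on as the affected user: the key is under HKCU.
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
$Admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

function Get-KeyState([string]$SubKey) {
    # Walk down from HKCU one component at a time.  RegistryKey.OpenSubKey
    # returns $null for a key that is not there but throws SecurityException
    # for one the caller may not read, which separates the two conditions
    # that swreg reports with a single message.
    $hkcu = [Microsoft.Win32.Registry]::CurrentUser
    $path = ''
    foreach ($part in ($SubKey -split '\\')) {
        $path = if ($path) { "$path\$part" } else { $part }
        try {
            $k = $hkcu.OpenSubKey($path, $false)
            if ($null -eq $k) { return "missing: HKCU\$path" }
            $k.Close()
        }
        catch [System.Security.SecurityException] {
            return "access denied: HKCU\$path"
        }
    }
    return 'present and readable'
}

function Repair-KeyPermissions([string]$SubKey) {
    # Scripted form of the regedit Owner tab and Permissions dialog above.
    $hkcu      = [Microsoft.Win32.Registry]::CurrentUser
    $perm      = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $dacRights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    try {
        # The owner of a key always holds READ_CONTROL and WRITE_DAC whatever
        # the DACL says, so this succeeds for a key this account created even
        # though ordinary reads of it are refused.
        $key = $hkcu.OpenSubKey($SubKey, $perm, $dacRights)
    }
    catch [System.Security.SecurityException] {
        # Not the owner: take ownership first.  Asking for WRITE_OWNER alone is
        # granted to an elevated administrator through SeTakeOwnershipPrivilege
        # only while that privilege is enabled in the token; if this open is
        # refused as well, regedit (which enables it) is the fallback.
        $key = $hkcu.OpenSubKey($SubKey, $perm, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
        $sec = New-Object System.Security.AccessControl.RegistrySecurity   # empty: only the owner section is written
        $sec.SetOwner($Admins)
        $key.SetAccessControl($sec)
        $key.Close()
        $key = $hkcu.OpenSubKey($SubKey, $perm, $dacRights)
    }
    # Add Allow > Full Control for Administrators, inherited by any subkeys.
    # ProtocolDefaults has no subkeys, so "replace owner on subcontainers"
    # has nothing to do here; a deeper tree would need the same per subkey.
    $sec  = $key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $Admins, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $sec.AddAccessRule($rule)
    $key.SetAccessControl($sec)
    $key.Close()
}

$state = Get-KeyState $SubKey
"HKCU\$SubKey -> $state"
if ($state -like 'missing:*') {
    Write-Warning 'No permission change can help: the key, or one of its parents, is absent from this profile.'
    return
}
Repair-KeyPermissions $SubKey
$acl = Get-Acl -LiteralPath "HKCU:\$SubKey"
"Owner now: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

The diagnostic half is the part worth keeping even when the repair is done by hand: a "missing:" result that names an ancestor such as Internet Settings means the profile is damaged and no ACL edit will bring the key back, whereas an "access denied:" result means the ownership steps are the right tool.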
     
  18. 2007/12/15
    Boz Mon

    I don't have Internet Settings when I try to navigate through the registry; I have Explorer, Policies, Run, RunOnce, RunOnceEx, RunServices and Telephony. These are all of my choices under CurrentVersion.
     
  19. 2007/12/15
    noahdfear

    That's not good, Boz. That profile is badly corrupted. Are any of the accounts working properly? A new profile should be created to replace the Mom account, from an account that is working properly.
     
  20. 2007/12/15
    noahdfear

    Lets move on to Dad's account. Put a copy of dss.exe on the desktop of that account and run a scan, then post the log.
     
  21. 2007/12/15
    Boz Mon

    My profile is working fine, and my dad's is working too, but he says it's slow. If I delete her profile and make a new one, will that be like a temporary fix?
     
