Solved

Registry Editing Problem - Denied Access - NEED HELP ASAP

Posted on 2004-07-31
78
7,235 Views
Last Modified: 2010-05-03
Hello everyone,


I am working on an XP Pro machine that was infested with multiple viruses and spyware... I have almost won the battle; I even got rid of CoolWeb Search. However, I am losing the battle to something called "Common Toolbar". It has several registry entries that I cannot delete; they are the following:


HKEY_CLASSES_ROOT\BabeIE.Helper
HKEY_CLASSES_ROOT\BabeIE.Handler
HKEY_CLASSES_ROOT\BabeIE.AgentIF
HKEY_CLASSES_ROOT\Tldctl2.URLLINK
HKEY_CLASSES_ROOT\WhleHelperObj.WhleHelperObj.

I have tried going into Safe mode and running regedt32 and regedit. Both of them give me, right off the bat, "there was an error opening this registry key", followed, if I try to delete it, by an ACCESS DENIED error message. If I go to the permissions, it tells me I do not have the permissions to be able to see the permissions. When I check explicit permissions and so forth, administrators are supposed to have full permissions, but every user account on this system is an admin account. This makes no sense..... any ideas ???? anyone
0
Comment
Question by:briancassin
78 Comments
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 50 total points
ID: 11683623
Hello briancassin =)

Let's see if we can do anything manually....... Download HijackThis, run it and Post the Log File here:
http://www.wilderssecurity.com/supportfiles/HijackThis1980.exe
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11683636
Also have a look here >> http://www.spy-bot.net/CommonName.asp

can u see this common toolbar listed in Add Remove Programs ??
I'm sure that u have run these tools already in Safemode to delete all the malware !!!!!
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================
0
 
LVL 10

Accepted Solution

by:
timothyfryer earned 225 total points
ID: 11683648
I don't know why xp enjoys denying access to the administrators and owners so much.  It's windows I guess.  Apparently, the only way to get a license to free range the Windows OS is to be a virus.

You might try downloading a program called Registrar Lite from here
http://www.resplendence.com/download

It has a selection in the menu that supposedly provides you access to otherwise restricted keys though I can't say with any certainty that it will work for you.  It is free though and infinitely better than regedit or regedt32.  Those won't consistently find what you're looking for.  My experience is that their search mechanisms are inherently defective, similar to the native file search tool.  Agent Ransack is a good free substitute for that one.

In Registrar Lite, there's a selection in the top menu called Security, which has these three options:
Edit Permissions
Edit Auditing
Take Ownership

That's where you need to focus in order to try and obtain permission to delete the spyware keys.  Good Luck.
0
 
LVL 40

Assisted Solution

by:Fatal_Exception
Fatal_Exception earned 225 total points
ID: 11683876
You might also be able to reset the permissions on these keys with something like Multi-Remote Registry Change v4.0 for Windows NT/2000/XP/2003 (Free, fully functional demo)

http://www.eytcheson.com/products.htm
0
 
LVL 83

Expert Comment

by:oBdA
ID: 11685681
Have you tried taking ownership of the keys in question, then assigning the correct permissions (Permissions - "Advanced" button - "Owner" tab - "Change owner to", check "Replace permissions for container and objects")?
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11685944
That might actually work better than Registrar Lite.  I forgot you could do that in Regedit.  Since it works directly through Windows security, it might be more likely to work correctly.  Gosh, did I just say that about a Windows utility. I need to lay down.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11686135
Yea..  I can't believe we missed that...  Been out in the sun too long!!  :)
0
 
LVL 21

Author Comment

by:briancassin
ID: 11686207
I tried to go to permissions on the registry keys in question; it says "You do not have sufficient permissions to view these permissions". If I try to go to the replace owner tab it says "access denied" each time. These files are like completely locked... when I checked the explicit permissions they were all blank. I tried Administrator, Administrators, System etc... nothing works...

I am not sure if I am approaching this correctly this system has like 8 different user accounts all with admin priv's.... Do I need to do a RUN AS on REGEDIT or REGEDT32 and then user administrator ???? I tried this but however it wants a password typed in, in safe mode it will automatically go to the built in administrators account without a password....

Hopefully this helps with this mess
0
 
LVL 21

Author Comment

by:briancassin
ID: 11686212
Also I checked this link http://www.spy-bot.net/CommonName.asp

I had the winnet, toolbar, zenet, and agent on the system.

I also saw someplace this was after I used spybot and adaware unfortunately that using these with the newer variants of this will not remove it and can damage the winsock....

I am wondering if I need to go to services.msc and stop a service to get it unlocked in the registry. I don't know what service it would rely upon though.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11686225
I don't remember getting any kind of permission denials using Registrar Lite when using the Permission Settings so maybe I was right the first time.  Have you tried Registrar Lite.  Once you use it, you'll throw regedit into the recycle bin.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11686239
if u can post here the LOG file of hijackthis scan,,,, then we will be able to check that if an invalid process\service is running on ur system or not :-?
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11686244
Export the whole Classes Root Key to file on the desktop, edit it with notepad to remove the entries, then import it back into the registry and reboot
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11686292
If you can't export the whole Classes Root key, then try exporting each of the four keys and then remove all the entries except the Regedit4 or whatever at the top and then import them back in.  I've deleted some bad printer settings that way before if the security doesn't stop you.
0
 
LVL 21

Author Comment

by:briancassin
ID: 11686320
this is really odd,
while looking into this some more and trying the permission thing again I was able to change one object over on the permission setting to the current user account I am under, which has admin rights. After doing so it then showed me the previous owner and then added two subkeys to itself, CLSID and CurVer, then displayed the owner on those two subkeys as one of the other users on the system. I was able to change just that one over; the rest are giving me "unable to save permission changes, access is denied".... OK I am making progress, I have finally been able to change 3 out of the 4 on the permissions
0
 
LVL 21

Author Comment

by:briancassin
ID: 11686358
OK guys.....

I think you are about to have a good laugh....

I want to know what is the correct order to change the permission on a registry key etc... when you get the message "You do not have permission to view the current permission settings for BabeIE.Handler but you can make permission changes"

Would you first change the owner of the object or what ???

Somehow through going back and forth between all the different screens I managed to get all 4 of these BabeIE keys unlocked but I am not sure how I did it.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11686368
Usually only the owner can change the permissions since they have full control, but if it is allowing you to make a change on the ACL, you might as well just give yourself (admin?) full control, then go about cleaning them up..  Is this what you are referring to here?

FE
0
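Added example, not part of the original thread: a small Python model of the Windows access check, showing why the order asked about above is owner first, then permissions, then delete. It is a simplified model (allow entries only, no deny entries or inheritance); the account names and the `unlock` helper are made up for illustration.

```python
from dataclasses import dataclass, field

# Standard access rights (values from winnt.h).
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
FULL_CONTROL = 0xF003F  # KEY_ALL_ACCESS


@dataclass
class Key:
    owner: str
    dacl: dict = field(default_factory=dict)  # trustee -> allowed mask; {} = empty DACL


@dataclass
class Token:
    sids: frozenset                       # the user plus every group it is in
    privileges: frozenset = frozenset()   # privileges that are enabled


def granted(key, token):
    """Rights the token gets on the key under this simplified access check."""
    mask = 0
    for trustee, allowed in key.dacl.items():
        if trustee in token.sids:
            mask |= allowed
    if key.owner in token.sids:
        # The owner may always read and rewrite the permission list.
        mask |= READ_CONTROL | WRITE_DAC
    if "SeTakeOwnershipPrivilege" in token.privileges:
        # Administrators hold this privilege; it allows changing the owner
        # even when the permission list grants them nothing.
        mask |= WRITE_OWNER
    return mask


def _require(key, token, right, what):
    if (granted(key, token) & right) != right:
        raise PermissionError(f"Access is denied ({what})")


def take_ownership(key, token, new_owner):
    _require(key, token, WRITE_OWNER, "change owner")
    key.owner = new_owner


def set_dacl(key, token, dacl):
    _require(key, token, WRITE_DAC, "change permissions")
    key.dacl = dict(dacl)


def delete_key(key, token):
    _require(key, token, DELETE, "delete key")
    return True


def unlock(key, token, trustee="Administrators"):
    """Owner first, permissions second. Returns the rights held after each step."""
    steps = [("start", granted(key, token))]
    take_ownership(key, token, trustee)
    steps.append(("after take ownership", granted(key, token)))
    set_dacl(key, token, {trustee: FULL_CONTROL})
    steps.append(("after granting full control", granted(key, token)))
    return steps


# Constructed sample: a key owned by another account with a blank permission list.
ADMIN = Token(sids=frozenset({"current-user", "Administrators"}),
              privileges=frozenset({"SeTakeOwnershipPrivilege"}))

if __name__ == "__main__":
    locked = Key(owner="other-user")
    try:
        set_dacl(locked, ADMIN, {"Administrators": FULL_CONTROL})
    except PermissionError as err:
        print("permissions before ownership:", err)
    for label, mask in unlock(locked, ADMIN):
        print(f"{label}: {mask:#x}")
    print("delete allowed:", delete_key(locked, ADMIN))
```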
 
LVL 21

Author Comment

by:briancassin
ID: 11686381
I am logged on as a user with admin rights.... whenever I went into these it would not tell me who the current owner was under the owner tab. Also when you first open the permissions there was no one at all listed. I went to Advanced -> add -> advanced -> then typed in administrator then clicked find now, selected administrators (there was that and administrator)... then hit ok, then between all the different screens, owner, ACL (I believe it is the ACL, the one with the 10+ different permission settings), then selecting to replace owner, or "apply these permissions to objects and/ or containers within this container only", also at one point I selected replace permission entries on all child objects....


Does any of this make any sense... ????
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11686403
Sounds like what I always do although I flip flop on whether to put a checkmark in the replace permissions box-Of course, I'm still trying to gain access to xp after two years so don't listen to me.  Half the time I can't even get into the Guest account.  Ha!

This is the tooltip for the little 'child objects' checkbox

Specifies whether you want to apply permissions to the selection in Apply onto and all applicable child objects within the tree.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11686410
'Only' confuses me, it doesn't make sense within the context of the sentence.
0
 
LVL 21

Author Comment

by:briancassin
ID: 11686529
this is driving me nuts I forgot I had two more entries to get rid of and well now u can guess I cannot get rid of them. 30 minutes so far clicking back and forth
0
 
LVL 21

Author Comment

by:briancassin
ID: 11686592
Finally got all of them... I don't know what's going on but is there a virus that can play with your permission settings in the registry and on other files in real time ?

It seems as though each one required a different series of events to finally get the ability to assign permissions to myself and take ownership of the files since it was displaying no owner
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11686601
I assume there is a virus that can do anything software can do if the writer is smart enough.  Did you try the Registrar Lite or exporting those virus keys and then removing the entries and then importing them back into the registry.  That might be an easier way to get rid of them if the permission settings don't work.
0
 
LVL 21

Author Comment

by:briancassin
ID: 11687016
no I did not try that, that was my next step since I was making progress but *slow* progress using regedit I kept on hammering with that.. However afterwards several other pieces of spyware were inaccessible to spybot seek and destroy I was using the older version initially 1.2 I did not realize it was at 1.3 now.... at any rate while I was in safe mode I ran spybot seek and destroy and the same thing happened where certain folders namely BDE and several registry keys referring to "Online Dialer" and "BTIEIN" were not accessible however, (and here is where the doh, dummy part comes in) I went to the permissions list on these items and was able to successfully change the permissions this no doubt probably would have worked for the other ones earlier that were telling me I did not have the proper permissions.... I never thought to run in safe mode with regedit.... Apparently one of the other viruses or something on the system was messing with the permissions and locking out modification because it was active in normal mode.... Unfortunately it never showed up in services.msc or in task manager so it was hidden well.

I did notice something rather interesting Gator "GTE" spyware left a log file behind that either wasn't supposed to be left behind or they just didn't think anyone would find it who knows.... It appears to almost be like a test run of a new way they plan on installing their garbage on people's systems.... In this log file it lists about 20 registry keys and next to each one of them it says locked  just before this listing it states something along the lines of "beginning lock of files" so apparently now the spyware companies are controlling even more of our systems by messing with the ACL's on files and folders so that the spyware removal utilities cannot fully remove them and their regenerators are left behind in the registry and in program folders... So if you know nothing of how to change permissions on folders and files in XP then you are SOL!!!!! It's not right at all.....
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11687064
I'm basically against legislation involving the internet because once government starts making laws, they can't stop, and pretty soon, it becomes a complete worthless mess that provides no benefit.  But I also believe that the things that these spyware companies are doing oftentimes constitutes felony vandalism, felony fraud, felony larceny, felony harassment, and so on.  I think the only solution though is self defense as opposed to legislation.  Crooks don't pay attention to laws but honest people are usually hobbled by them.  Possibly when the market gets more competitive and Microsoft loses its stranglehold on the industry, we might see some genuinely effective tactics against these creeps but until the market becomes competitive, it's more profitable for a monopolist to produce a defective product that he can then charge to repair.

http://www.cybertechhelp.com/forums/archive/index.php/t-33727.html
http://www.kephyr.com/spywarescanner/library/huntbar.btiein/index.phtml
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11687712
And therefore the conundrum:  Do we lock down our systems, stopping BHO's and ActiveX controls to be installed and run on our systems, and thereby reduce our internet experience, or should we trust in those sites to not allow poorly written or malicious downloads to corrupt our operating systems..??    Unfortunately, trust can wear mightily heavy on poor souls that believe they are immune to these attacks.  

When SP2 comes out in its final form next month, I believe much of this will be addressed.  Although there is no doubt it will break things (poorly written legacy apps for one) it is a step in the right direction by MS.  You got to give them credit for trying at least.  Most corporations today are only focused on profit.  MS has spent an enormous amount of money going out of their way to try to secure this OS, and you must give them some credit for that....  :)

FE
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11687913
IE and Netscape, as far as I know, are the only browsers that will produce a popup window using javascript window.open('filepath','name','parameters').  They could turn that off in a heartbeat.  They leave it on so they can then come out with MSN8 Internet Service Provider that *****STOPS POPUPS****** Gimme a break. They're playing both sides against the middle.  Ha!!!!  Good debate Fatal! Probably get wacked for doing it here tho.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11687947
Come to think of it, the Mafia has an almost identical marketing technique as ms although I think they call theirs a "protection service"  Ha!!!!!!
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11687987
We need a CrazyOne's RealTime Pub and Forum.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11688845
:)  Hard to argue against you on those points, Tim...
0
 
LVL 21

Author Comment

by:briancassin
ID: 11689095
I say we all get together and make an opensource p2p Anti Spyware, Malware, Browser Hijacker, Adware etc. DOS attack software that turns every users computer into a DOS attack against the spyware, adware, malware companies... Heck they put bad files in our computers and don't care....

We'll call the program Vengence (by the way I am copyrighting that name as of now "Vengence - copyright BrianCassin 2004".)

Every time the spyware attempts an attack the "EYE for an EYE module" - (copyright BrianCassin 2004) gets activated and then DOS's their servers the # of times they attempted to load their junk on someone's system if they attempt 3 times or more then the "Blodbath/Bleeder module - copyright BrianCassin 2004"  becomes activated and multiplies the DOS attack against them by multiples of 10 for each offense after 3. So first offense after 3 gets 10 DOS attacks, second one gets 100 DOS attacks 3rd one gets 1,000 and so on and so forth.  

Oh and there is an auto updater called "Payback - copyright BrianCassin 2004" that updates all of the client system with the most recent banned websites.

So guys what do you think ??? like the idea ?
What are they going to do sue ????  We can just sue back for loss of data loss of use, privacy violation, malicious intent etc...
That will put an end to it real quick.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11689129
Count me in..!!  Bet we could make a fortune selling something like this, and no wonder you copyrighted it, Brian..!!  :)
0
 
LVL 21

Author Comment

by:briancassin
ID: 11689200
SourceForge here we come ?
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11689663
I thought about something very similar. A GOOD virus that just roams around killing bad viruses, but asks permission first before it comes onto your machine.  The bad ones freerange, why not the good ones.  The engine could be a separate download and then the updater could float.  Kind of like java applets. The only problem is trying to figure out who would keep it updated. It would politely ask for permission to mass mail itself using your Outlook Express, then ask your email victim if it was ok to update itself on their machine by phoning home for a new patch.  I think Symantec is working on a universal concept only this one would be completely free.  My money idea is a virus program that has game quality graphics and when you scan your comp, it shows it hunting down the bad virii and kicking their little virii rearends.  Clint Viruswood.  Whadaya think?
0
 
LVL 21

Author Comment

by:briancassin
ID: 11695361
Well I'm not out of the woods yet....

I am having major problems... I cannot get rid of some of the spyware on the system it just keeps coming back every time it detects an internet connection I get tons of pop ups followed by shortcuts being automatically placed on the desktop and it is replicating. Scanned with Housecall and it came up with ADW.RULEDOR.C, ADW SCANPORT.A, TROJ BRIDGE.A, TROJ REVOP.F, TROJ AGENT.BU, TROJ DELF.RA

It removed all of these and I have checked the registry and so forth. I also ran HIJACKTHIS, ADAWARE and SPYBOT SEEK and DESTROY, COOLWEB SHREDDER, BHO DEMON, LSP Fix,

This is the list of spyware I removed from add/remove programs
Bargain Buddy
DashBar
Bridge
CasProg
IMBUM
Lycos Side Search
Internet Optomizer
Precision Time
Virtual Bouncer
Web Helper
Windows Search
Window Active
WinTools

These were deleted manually after running Spybot & adaware

Incredifind
FastSeeker
MyWay
MyWebSearch

I went into the registry and removed anything that was left behind...
slmss
lycos
mywebsearch

Then there were some files they could not remove automatically and Spybot and adaware would not run on the next system startup automatically even though they said they were going to.

c:\winnt\system32\ahaamon.cpy.dll
c:\winnt\system32\ahaamon.dll
Jen14108.exe
MsoHtmEd.exe <----- did not remove but it excluded itself from spybot
Ran Regsvr32 /u  on Ahaamon.dll then deleted it
c:\winnt\system32\imbum.dll
FastSeekerToolbar011203.dll
Favoriteman was detected by another anti spyware scanner and removed
stcloader.exe - removed
N-Case - Removed
two items were in the HKEY_LOCAL_MACHINE-software-microsoft-windows-current version - run    they showed up as just empty boxes like checkmark boxes only without the checkmark.

Removed these from the system32 folder manually
rem3.exe
Wtools.exe
Wsup.Exe
WtoolsA.exe
Each Debug "save defy ante scr" it said after it, this was in the registry it was masking itself under Iexplorer.exe in the task list everytime the pop-ups and redirectors started and I end tasked IExplorer.exe ( either Each Debug would flash real quick in task manager and then turn into IExplorer.exe again or it would come up as Oozestorecomp.exe and another instance of Internet Explorer would come up.

Ran the LSP fix and removed lspak.dll from it.

more executables deleted....
bi4.exe <---- when this was in the recycle bin and I right clicked on it and selected deleted it automatically restored itself and started creating all the files below

belt.ini
didduid.ini
setup.incred.5.exe
iconz.exe <----this was creating the icons on the desktop
mbbi8016.dll
asd.dll <----- I cannot unregister this, delete it, and taking ownership of it makes no difference also tried safe mode it just keeps saying that the file is in use by another program or person.
I noticed several files that have .exe.manifest  <----I'm sure this is not good
Helypmn35.exe
Jen14108.exe
SQLoader.dll
Qdow.dll
PdpPlugins094.dll
HDPlugin1015.dll

According to the spyware removal utilities they are identifying VX2 spyware over and over again apparently it is regenerating


One final odd thing is there is Norton Anti Virus Corporate Client Edition Installed on this system at first I could not connect to any update servers not this, nor spybot, nor adaware.

However In Norton where it says server name it says PLAGUE I am not sure if this is an actual server in a corporate environment. (this computer came from a dorm room) or if Norton got infected with a virus....

Also I tried running Panda anti virus it will not run. Everytime I try to run their online scanner it just freezes and then causes an error in internet explorer causing it to crash and then for the error report it cites IE as the first problem app then the second one says "unknown"



If any of you guys know of anything to get rid of the spyware that works better than spybot and better than adaware please post links... Spybot and Adaware are up to date but do not detect everything. I have rebooted into safe mode several times and they still find something each time.

Especially something to wipe out VX2 I used adaware's plug in for it but it did not work.

By the way I like the idea Tim!  
 
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11695547
I just got an activex driveby yesterday even though I had activex disabled in the internet zone.  Typical ms.  Hijackthis didn't work on some of it and I was running regmon, filemon, and process explorer trying to see what was recreating the files after hijackthis deleted them and I assumed they were reactivated by a service but later discovered they were coming from the first place I should have checked which was the run keys, but after deleting those, it still came at me at which point I noticed in process explorer that some of the nasties were running under Maxthon, which is MyIE2's new name, which is an IE based tabbed browser.  
I killed the browser and they stopped running.  When you say they automatically start up when it detects an internet connection, instead of looking for a relationship somewhere, I would just look at all the modules running directly under your browser process.  Don't ask me how the spyware configures the browser to start them up.  I haven't had time to look yet. Where's Clint Viruswood when you need him? Good Luck. Tim.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11695561
Also, same problem as you I think, I unchecked boxes in msconfig but it didn't remove the entries in the run keys so the virii have another new twist.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11695906
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11699498
Man, I spent 3 hours today cleaning up a client's system...  What a nightmare..!!  Felt so sorry that I halved my going rate...  ARGH..!!!  I should have taken my own advice, wiped the system, and started over...
0
 
LVL 21

Author Comment

by:briancassin
ID: 11699618
tell me about it .... 3 days 2 hours of sleep each day 2 computers nightmare central both loaded with trojans and spyware unfortunately I can't format and reload they don't have their disks
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11699847
Are they HP's or Compaq's.  Are you sure they came with disks.  The newer ones don't have disks, they have a separate hidden partition that you can restore from.  If they are HP and you call HP they will sell you the disks.  I paid $10.00 two years ago, just talked to a guy says they are $35.00 now.  But you might make sure there aren't any hidden restore partitions somewhere.

Also, found a new utility called AboutBuster that knocks a few of em out.  It says it removes HomeSearch Assistant, which apparently generates random dlls.  Maybe same thing as Start Page hijacker and others because it helped me some.  Looked pretty good.

http://www.malwarebytes.biz/
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11699924
I carry all the OS's with me, just in case the user does not have theirs...  But then there is the problem with these Brandname systems and the OEM product keys...   you got it right, nightmare central..

Aboutbuster sounds promising..  will definitely give it a go..  thanks Tim..
0
 
LVL 21

Author Comment

by:briancassin
ID: 11700476
it's two gateway systems

this system got hit hard with that VX2 and also Look2me they also loaded garbage in the winsock which I used LSP to fix it.


I think I finally got all the garbage out the first system had 1,100+ pieces of adware , spyware, malware, hijackers, BHO's etc... and 15 different Trojans and JAVA viruses.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11702787
OMG...  I believe that must be some kind of record...:)
0
 
LVL 21

Author Comment

by:briancassin
ID: 11733367
well the problems weren't resolved it had to have a hard drive format. Something was still alive even after 4 different virus scans and using hijack this, LSP fix, spybot seek and destroy and adaware 6.0....

However now the printer will not work it is a Lexmark X73 multifunction. Everytime I go through the software install it gets to a point where it tells you to plug the USB cable in and then it is supposed to install the printer software by detecting the communication with the printer.... when you plug it in windows xp dings to let you know you can remove it but then it dings again because that icon next to the clock for safely removing the usb disappears. Then it says that printer is powered off not communicating and so forth. I have tried uninstalling and reinstalling over and over again yet no difference. It keeps losing communication with the printer tried two different USB cables. IT will spaz out and ding and the safely remove usb thing appears then it dings again and disappears then it dings again and appears....

The worst thing though was when I plugged the USB cable back in and was in the add printer wizard checking out different ports and so forth all of the sudden the system violently rebooted the Bios screen was flashing over and over then the XP loading screen I pulled the USB cable to the printer and it stopped.... It would almost seem as if the printer sent a voltage back through the USB cable when windows rebooted it said windows has encountered a serious error.

Are the ports bad or is the printer bad any ideas guys ? ???? If I go into device manager and remove the usb root hub and usb generic hub with the printer detached windows pnp finds the ports and reinstalls the software...
0
 
LVL 21

Author Comment

by:briancassin
ID: 11733375
I have never seen a printer problem like this before....    I hate usb printers they all seem to be buggy not only that but the add printer wizard does not natively support USB connections, you have to rely on 3rd party software to do the trick.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11733545
Sounds like you're having fun.  I have an x73 myself although I don't use the piece of crap except to hold down some dust in the corner.  Having trouble communicating with the printer eh!   get used to it.   Ha!  
What's the difference between usb 1.0 and usb 2.0?
2.0 cER^&V$   up twice as fast

If I were you, I would do this in this order:

1.  Throw the piece of crap in the trash and go get a decent parallel printer.

To be honest, I don't remember how to fix because:
1.  its been too long since i used it and
2.  i don't think i ever really fixed it anyway

BTW, that is not a stand alone scanner.  If its not hooked up to the computer, it doesn't do anything at all. Nuthin!!!!!   It's totally software driven, even the buttons.





0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11734901
Well, Tim said it all for me here Brian..  Although I have never seen your situation exactly (reboot), I hate those printers, and have had trouble with them many times before.  I am probably responsible for most of the in the trash printers in the Midwest USA...  :)  They are so cheap, I usually tell the customer that they can spend $100 on me fixing them, or go out and buy a new one (with new ink cartridges) for less.   Never once had a customer upset at me for that advice..

FE
0
 
LVL 21

Author Comment

by:briancassin
ID: 11738854
Yeah I kinda saw that after going onto google there are tons of postings dedicated just to lexmark x73 printer problems.

Of course before I touched it, it worked fine according to the customer..... so you know the deal now I am looked at as the killer of the printer and the responsible party.

I called Lexmark tech support wow is all I have to say.... Lets learn English as a first language not a second. Nothing against other nationalities but when you repeat the same answer over and over after I have told you I have done that it is more than a little aggravating. Also the accent is so heavy it is hard to comprehend. If I can't comprehend them and they cannot comprehend me how are we going to get anything resolved.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11739360
What we've got here is failure to communicate (Cool Hand Luke)...  :)
0
 
LVL 21

Author Comment

by:briancassin
ID: 11739774
LOL no kidding
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11741054
Since we are discussing ways to prevent spyware, etc., above, I think I might have found something that could be useful to us.   A free program written by Mike Lin from MIT...  Installed, it seems to run good on my XP Pro box...  so it should be safe.   Anyway, the interesting one is the Startup Monitor.  It tells you whenever something tries to register itself in any of our Run Keys in the Registry.  You can get it here:

http://mlin.net/StartupMonitor.shtml

I also pulled down the Startup Control Panel..  Pretty neat little utility that takes the place of msconfig...  Grab them when you get a chance and ck them out..

FE
0
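Added example, not part of the original thread and not Mike Lin's code: the startup-monitor idea done offline in Python, by comparing two exported copies of the Run keys and reporting values that were added or changed, including values whose names are blank or non-printable. The sample exports, value names and program paths are constructed for illustration.

```python
import re

# Autostart locations the thread calls "the Run keys" (lower-case suffix match).
RUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # Undo .reg string escaping (backslash-backslash and backslash-quote).
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse regedit export text into {key_path_lower: {value_name: data}}.

    Pass already-decoded text; "Version 5.00" exports are UTF-16 on disk.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            current[name] = data
    return keys


def diff_run_keys(baseline_text, current_text):
    """Return sorted findings as (status, key, value_name, data) tuples."""
    base, cur = parse_reg(baseline_text), parse_reg(current_text)
    findings = []
    for key, values in cur.items():
        if not key.endswith(RUN_SUFFIXES):
            continue
        old = base.get(key, {})
        for name, data in values.items():
            if name not in old:
                status = "added"
            elif old[name] != data:
                status = "changed"
            else:
                continue
            if not name.strip() or not name.isprintable():
                status += "+hidden-name"   # shows as a blank entry in the editor
            findings.append((status, key, name, data))
    return sorted(findings)


# Constructed sample exports (not taken from the machine in the thread).
RUN = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
BASELINE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    RUN,
    r'"ExampleAV"="C:\\Program Files\\ExampleAV\\tray.exe"',
    r'"Updater"="C:\\Program Files\\Example\\update.exe"',
])
CURRENT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    RUN,
    r'"ExampleAV"="C:\\Program Files\\ExampleAV\\tray.exe"',
    r'"Updater"="C:\\WINNT\\system32\\popup-loader.exe"',
    r'"iconmaker"="C:\\WINNT\\system32\\icon-maker.exe"',
    '"\u00a0"=' + r'"C:\\WINNT\\system32\\respawn.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Example]",
    r'"Other"="not an autostart key, ignored"',
])

if __name__ == "__main__":
    for status, key, name, data in diff_run_keys(BASELINE, CURRENT):
        print(f"{status:18} {name!r:14} -> {data}")
```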
 
LVL 21

Author Comment

by:briancassin
ID: 11750825
the fun continues....

have any of you guys ever seen disk defragmenter in xp come up with an internet explorer screen inside of it saying action cancelled ?

and the best is the sfc /scannow did not detect this at all as being a problem...

however if I go to it and go to find target it goes to c:\windows\system32 and then has dfrg.msi highlighted however the modified date is 11-1-2003 on the shortcut but even if I go to the system 32 directory it still errors
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11750896
dfrg.msi I think is the installer for the defragger possibly
My defrag shortcut links to dfrg.MSC not MSI, and it works just fine.  Maybe your shortcut is pointing to the wrong file.


0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11750903
I looked on my machine and didn't have a dfrg.MSI and didn't get one hit by googling it.
If it really is .MSI you might try changing the extension.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11751700
Here is a thread that talks about the dfrg.msc file....  Probably won't help, but worth the read..

http://www.ozzu.com/ftopic26951.html
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11751745
Brian..  are you logged in as the Administrator, or just a user with Admin rights?  If you know the administrator's credentials, you might try using them to run these utilities...  just a thought..

BTW:  can you find dfrg.msc anywhere in the system32 directory?
0
 
LVL 21

Author Comment

by:briancassin
ID: 11755548
msc I meant; it was late when I posted that. It is the msc file. System information utility does not respond either.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11755979
Boy is this system hosed or what?  You know what I am thinking, so I won't even comment...
0
 
LVL 21

Author Comment

by:briancassin
ID: 11757053
So I am thinking H.D format what do you guys think ?

If you guys ran into a system like this would you even attempt to fix the problems or go straight to a h.d. format >????   I have spent so many hours on these two systems it is not even funny...
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11757381
My standard answer is:  If I cannot fix a system with the same indications that you are seeing within ONE hour, I backup the important data, including all settings for email, etc., blow it away and start fresh...  I love to kill spyware, but my time is just too valuable to waste, especially at my age..!!!  :)
0
 
LVL 21

Author Comment

by:briancassin
ID: 11757587
good policy :)      

the one thing I am not clear on is how to back up all that stuff. I know how to back up some of it.....

do you backup program files or just the data contained in them ?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11757880
No, just the data which is contained within.  You will have to reinstall the apps to register them in the registry anyway, so backing the apps up will only waste space and time.  If the system is not virus free, you will need to make sure that you don't move the virus over.

Depending on the apps, I usually do a search for anything that might need to be saved.  For instance with Word, I make sure I get all the .doc files.  If Quicken is installed, open it up and back up the .qdf database.  For email (Outlook) I run the Export utility and get the .pst...  For IE, I export the bookmark folder.    etc...   Then I will grab all the settings, such as email user authentications, etc...

As a backup media, in my case, I am always hooked into a network, so I usually create a network share and move all the data there.  Easy to move back that way.  And once it is in the share, I can scan it for anything that may be hazardous too.

Anyway, that is how I would approach it..

FE

0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11759301
Yeah, the fastest way to make 48 cents an hour is to have a flat rate virus removal service.  I agree with Fatal, show the customer the cws variants page at merijn's hijackthis website and tell em custom manual removal is fixed at $75/hour or you can just give em a brand new system.  Life's too short for virus and Lexmark.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11759408
Here's the CWS variant page I referred to above.  Look at #38 which has the sp.html entry and also the one following which doesn't even show up in many process viewers.
These viruses have gone beyond wicked to industry threatening.  I suspect boot viruses will become much more popular as well so if you have a new install of xp and basic tools like dfrg.msc and others don't work, then you might run a boot virus check.  Reinstalling won't fix the mbr even with an fdisk or diskpart I don't believe.
http://www.richardthelionhearted.com/~merijn/cwschronicles.html#aboutblank
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11759456
I agree, you need to kill it in DOS usually.   Here is an example of a boot virus and how it is fixed..  :)

http://securityresponse.symantec.com/avcenter/venc/data/eek.b.html
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11759643
On the backup topic, if you get a good searcher like Agent Ransack, you can leave the search field blank and hit the search button and it should list every file in the machine.  Then if you sort by Type, you can run down the list looking for data type files that need to be saved.  That brings up a good point though.  I don't think I've ever seen a piece of software that sorts data files from executables, library files, image files, etc.  That would be a very useful tool for this type of situation.  I set up an automated backup system on a friend's office LAN that sends everything up to xdrive.  Even when you search all the machines to figure out what needs backing up, you're never quite sure you've got it all because you don't know all of the programs they use.  They might use Word 95 percent of the time, but occasionally they might also use WordPerfect if they received a wpd file from another source and don't want to convert it or similar scenarios.  A utility that identifies non-system data type files and separates them from system, library, executables, etc. would be nice.
0
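
The data-versus-program sort wished for in the comment above, combined with the earlier advice not to carry an infection over with the backup, as an added example that is not from the thread: a PowerShell inventory that classifies files by extension and flags any file that starts with the `MZ` executable header under a non-program extension. The extension lists, the default root folder and the output file name are assumptions to adjust per machine.

```powershell
# Added example: pre-reformat backup triage. Extension lists are assumptions.
param([string]$Root = $env:USERPROFILE)

$DataExtensions = '.doc', '.xls', '.ppt', '.pst', '.qdf', '.wpd', '.txt', '.pdf', '.jpg'
$CodeExtensions = '.exe', '.dll', '.sys', '.ocx', '.scr', '.com', '.cpl', '.drv'

function Test-MzHeader {
    param([string]$Path)
    # $true if the file starts with 'MZ' (0x4D 0x5A), $false if not,
    # $null if it cannot be opened (locked or access denied).
    try { $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite') }
    catch { return $null }
    try {
        $buf = New-Object byte[] 2
        return ($fs.Read($buf, 0, 2) -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Dispose() }
}

function Get-BackupTriage {
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ext  = $_.Extension.ToLowerInvariant()
            $isPe = Test-MzHeader -Path $_.FullName
            # Content wins over the name: an MZ file called report.doc is not data.
            if ($null -eq $isPe) { $class = 'Unreadable' }
            elseif ($isPe -and $CodeExtensions -notcontains $ext) { $class = 'Suspect' }
            elseif ($isPe -or $CodeExtensions -contains $ext) { $class = 'Program' }
            elseif ($DataExtensions -contains $ext) { $class = 'Data' }
            else { $class = 'Unknown' }
            [pscustomobject]@{
                Class     = $class
                Extension = $ext
                SizeKB    = [math]::Ceiling($_.Length / 1KB)
                Path      = $_.FullName
            }
        }
}

$report = @(Get-BackupTriage -Root $Root)

# Summary by class, then the files that must not go into the backup as-is.
$report | Group-Object Class | Sort-Object Name | Format-Table Count, Name -AutoSize
$report | Where-Object { $_.Class -eq 'Suspect' } | Format-Table SizeKB, Path -AutoSize

# Unknown extensions, most common first: this is where the occasional
# second word processor or accounting package shows up.
$report | Where-Object { $_.Class -eq 'Unknown' } | Group-Object Extension |
    Sort-Object Count -Descending | Select-Object -First 20 Count, Name |
    Format-Table -AutoSize

# Backup candidate list (output location is an assumption).
$report | Where-Object { $_.Class -eq 'Data' } |
    Export-Csv -Path (Join-Path $env:TEMP 'backup-candidates.csv') -NoTypeInformation -Encoding UTF8
```

The header check only catches native executables hiding behind a data extension; macro and script infections inside genuine documents still need the virus scan of the backup share mentioned earlier in the thread.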
 
LVL 21

Author Comment

by:briancassin
ID: 11760133
timothy,

what you said is exactly the problem I have been going through

1st system 20+ hours to repair    I charged them $90.00

2nd system 24+ hours to repair I charged them $90.00

3rd system 13+ hours to repair I charged them $90.00

4th system 15+ hours to repair I charged them $80.00

The hours above are the times for removing things through the registry, deleting folders, etc... then realizing the system is so hosed that a format was in order all but the last one resulted in a format the most recent one which was having the disk defrag problem was resolved by repair install of xp over itself.


I just started a pc repair business, I know how to fix computers.... at least I would think so with everything I have done up on here, the certifications I have,.... but considering how long it has taken to repair these systems I am beginning to wonder 1 of 3 things

1. Do I not have enough knowledge ?

2. Am I approaching this the wrong way...

3. Am I going too in depth ?


I was trying to be fair to people but at the same time I am losing out. I currently am charging $45.00 1st hour which also covers fixing the problem if diagnostics are done in under an hour....

then $40.00 each additional..... that is onsite if I pick up the computer or they bring it to me I was charging same price but capped it so it is not to exceed $120.00 in labor no matter how long it takes (excluding parts).


First thing I do is run HIJACK THIS to see what is running around....

When I remove any application including spyware etc.... or junk programs the customer wants off the system I go into the registry and remove all traces of it ever existing... I also look on the c: drive for any remains left behind....

I also unregister any dll's that garbage software is running: regsvr32 /u "dll file"

I do not know if I am being too neat or what not. When I have used Spybot and Adaware they have done a decent job but yet left some pieces behind like the program folders and some of the registry keys....

Do you guys usually set it and forget it ???? and if they miss anything oh well or how do you approach it..... also Best buy only charges $40.00 flat rate for virus removal $40.00 flat rate for spyware removal.... how can I possibly compete with that ?   oh they also charge a $60.00 diagnostic....

Whenever it is a possible virus or definite virus issues I run 4 different virus scanners I do not put trust into just one.... Norton misses trojans all the time, Mcafees stinger is good for finding certain ones but not very good overall, Housecall finds almost everything. Panda has found some things that none of them have found.

I also empty the recycle bin and do a disk defrag even if it does not need it. Clean out the temporary internet files including all cookies and any suspect objects.

If operating system corruption then start-run- sfc /scannow <-which I do not have much faith in.

(which told me this system was fine recently even though disk defrag was out to lunch the networking control panel and msinfo32.)

Run Windows update and install all critical service packs etc...

Run Spybot, Adaware and Pest Patrol.

If those cannot resolve it then back to the manual way

Install Spyware Blaster and Adaware 6.0 - no charge

Am I doing too much or not the right things ?????? what would you guys say ?
I am at a loss.....
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11760482
I'm not in the business so my opinion isn't worth much.  I just do it for friends and family, and keep a small peer to peer network going for a small law firm here.  But my life experience at the ripe old age of 47 is that the less you know, the more money you'll make.  That is based upon the following assumptions, which are usually true.


SUCCESSFUL PEOPLE SHARE THESE COMMON TECHNIQUES AND ASSUMPTIONS
1.  The customer knows nothing.
2.  The repair person knows only a little bit more, but doesn't know it or show it.
3.  The repair person CONFIDENTLY tells the customer what must be done, whether it's correct or not.

This method seems to work pretty much across the board, from used car mechanics to gynecologists.

When you figure probably 25-40% of all hysterectomies weren't medically indicated by the symptoms yet were performed anyway, you can draw one of two conclusions.  The doctor is a crook.  The doctor is an idiot.  The answer in a large percentage of the cases is probably that the doctor is an idiot and just did what he knew to do.  Likewise, with amateur mechanics.  The more you know, the more it works against you until at some point, you spend the first hour of your repair call just explaining the numerous repair permutations that are possible.  Detail slaughters rate of return.

I have the same problem as you I think, perfectionistic, wanting to do a good job, etc.  But if you spend 16 hours delousing a computer for $90.00 while the guy next door spends 2 hours backing up and then reinstalling a brand new system.  Which guy will appear to be more competent to the customer.  The guy that took 16 hours and returned the same old machine or the guy that took 2 hours and returned a freshly installed os with all the new Windows glitter.  

I've been looking at these viruses like the one that got me a few months back.  The virus tools don't work and manual removal is iffy and some don't even show up in process viewers.  I have enough trouble debugging my little html and JavaScript pages without trying to figure out what some Doctorate in Computer Science did with assembler over in Russia somewhere that makes the machine go to YouBuyIt.com

If you look at the CWS variants on that link I posted above, you realize how many different ways there are to avoid detection.  The spyware companies make their living by using the same technique I outlined above.  They know just a little more and they're CONFIDENT.  Their junk doesn't work.  I think a lot of them write the viruses and let em go into the wild to create business.  I would imagine to be a good anti-virus programmer, you would first need to be a good virus programmer.

Maybe if you ask yourself before each call what the customer's options would be if it wasn't you showing up at the door, then you might get a little more selfish and a little less concerned with what they think.  Nice guys finish last every time.

Just out of curiosity, does BEST BUY offer any guarantee of spyware removal or do they just say they remove it.  Ever been to an AAMCO?  The guy working there as the TRANSMISSION SPECIALIST was a CONVENIENCE STORE ASSOCIATE yesterday.  I would be suspicious of their claims.  Frieda Fudgeit in Marketing wrote the advertising for BEST BUY but Otis Oops does the actual repair work.
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11761832
http://www.geeksquad.com/main.asp?h=488

From what I gathered in the little bit of time I had to check it out, this is the outfit BestBuy outsources maintenance and virus stuff to.  I had to enable ActiveX and Java downloads in order to be able to view it.  That seems kind of inconsiderate.  These guys are lunkers with a webpage.  I betcha a million dollars that the fee you quoted is for them to show up, run Stinger, and leave regardless of the results.  Anything else is extra.  If you can find 1 guy in the whole bunch who knows how to open the registry, I'll give you an extra million.

Basically, being in business for yourself requires that you sell.  I've had sales jobs and I hated them.  I'm not a smilin' jack glad handing pathological liar, which is the ideal personality type for most sales positions.  That puts you, presumably the honest geek type if I've stereotyped you correctly, in a bit of a conundrum.  How to tout your wares without going outside your personality.  If it were me, I would probably screw it up, but if it were me giving advice to someone like you, I would identify ways that you can put your best qualities out there without sounding brash.  In the process, I would also think of ways to subtly sabotage the image of the competition without lying.

"Yes, ma'am I realize ABC CompNGo only charges $22.00 for a virus visit.  But you should also be aware that this only includes running one popular virus removal utility.
In a recent test, that utility removed less than 20% of the WormNSquirm virus variants, which account for over half of all infestations documented over the last 90 days.  If they have to employ any other virus removal techniques, then they charge their hourly rate of  $80/hour.  It's very similar to the "4 tires for $88.00 at PepBoys". It would be perfect if only your car had 13" tires.  Tires for YOUR car, including all of the things necessary to make them roll correctly, will cost $273.00.
See the difference, Mrs. Dumrnsnot."

If you go to a telephone sales boilerroom, whether selling long distance, or snake oil, every salesperson there will have a list of rebuttals in front of them to rebut every objection that the customer has.  They're created in advance.

I would try a webpage like Fatal has.  It makes you look like you're part of an organization as opposed to some guy working out of his car.  It adds credibility.

So you don't trap yourself into having to rebuild the piece of junk from scratch, I would analyze the wording I use on your advertising, whatever that is, to give you outs.

And finally,
You can usually find the biggest idiot in any crowd by how willing he is to give advice.  Ha!!!!!!!!!!!!!!!!
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11762080
All great points.  I have a client base which I have worked with for some years now, outside my normal duties for Kip and Dover Productions.  This is the way I determine what to charge...  First, for friends of the family, and for those I REALLY like, I charge $30 / hour, but the things I do for them are very basic items.  For instance, have a gentleman that is older (even older than me..:) that could not delete a file he wrote in word.  I knew that it was a corrupted Normal.dot file, which took about 15 minutes to fix and then after 45 minutes of good conversation, I charged him $20 and he tipped me an additional $20.  45 minutes was interesting conversation, as he was the CEO of a major corporation here in town.  I got more out of it than he did by far...

For others, I basically reverse engineer my price.  I determine what is wrong, and what I can possibly charge for the repair.  If the machine is not worth it, I tell them.  (Many techs take advantage of their customer's lack of knowledge, and the customer spends $100 + on a system not worth $50.. )  They respect you more if you are honest.    Once I know what the customer is willing to pay, I spend the time accordingly.  If they want to go cheap, I backup and reinstall the OS, with the understanding that they will have to install their apps.

Additionally, if they let me take it home, my price goes down.   As you know, much of fixing the OS is just sitting in front of the machine watching your utilities do their job.  When I am home, I can sit and answer questions on EE while this is happening, eh?  

Then I have a special base which is comprised of my more wealthy clients.  One such comes to mind where she just wants me to help her download and send email.  She was a godsend when my former company went bankrupt early last year, as she paid me $400 a month to help her do this every Sunday.  (Unfortunately, she spends half the year in her 'vacation' homes on the west coast, but she will be back next month thru Xmas..  :)

Anyway, it took me a while to develop this clientele, but word spreads if you are honest, good, and cheerful to be around.  I take the time to explain the little things, in a way the customer understands.  This builds strong relationships, and will help you tremendously in the future.

BTW:  when I started doing this 4 years ago, I knew just enough to be dangerous.   I look back at my lack of knowledge then and it even scares me...  But the more you do, the faster you will be able to diagnose the problem and correct it.  It appears that you are very focused on doing the right thing, no matter what the cost, and your customers will, and do, appreciate it.

FE
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11762330
I think that's the way learning is.  The more you know, the more you realize just how much you don't know.  I just found out that the fdisk /mbr command run from the recovery console can actually make a disk with a boot virus unrecoverable.  Prior to reading that, I always assumed it was a safe command.  I guess the solution is to go get a PhD in Computer Science, but then, those guys are either teaching for peanuts and wouldn't do anything else or they work for ms and make 300K/yr.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11762444
Those are the guys that you can listen to for an hour and go away without a clue to what they said...  :)
0
 
LVL 21

Author Comment

by:briancassin
ID: 11767111
Those are the guys that build the WOPR (from movie war games) and then forget to put a killswitch on it for when it goes out of control. http://161.58.5.90/wargames/playgame.wav
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12108528
Thanks Lee
0
 
LVL 21

Author Comment

by:briancassin
ID: 12108597
Thanks LEE ?  how about thanks BRIAN !!!!

LOL
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12111031
Ahh... moving too fast..  THANKS Brian..!!  :)
0
 
LVL 1

Expert Comment

by:markdormer
ID: 12364874
The reason you can't access it is not due to permissions.

The key/value is locked by a process.

Use a tool like Handle from sysinternals to verify this.
Then kill the process, try PSKill, then you should be able to delete/modify the key
0
