HKEY_LOCAL_MACHINE\SOFTWARE\lameme ???

[Jooske]

It's really hard to find info about it; among others friendlygreetings could have that part, or a modified version of it, part of friendlygreeting could be "hide minimized", a trojan, not sure if that would be another name for the same thing or just another element from the friends thing. It could exist under more names like friendsgreeting etc, others say they found it as part of an installshiled of various programs, others say it's part of symantec software, which last thing i doubt for then half the world would have the file on their system, so it's still rather obscure what it is and where it comes from.
Maybe if the file is located on a system (which file? if it is part of friendsgreetings it would add over 500 registry keys and who knows how many files!) somebody could submit it for further investigation.

[Cusedave]

I have located this same entry on my computer while attempting to fight homepage hijack and popup sites. May I post a copy of log from Hijack This here or should I start a different thread?

[Jooske]

Hi there and welcome to the forum!
Please post your hijackthis log in the HJT forum (see http://www.wilderssecurity.com/showthread.php?t=15913 how to and in that forum please) but i would suggest after you did to post here and in the thread you create there the links to each other, migt help lots of users! Thanks in advance!

What is the registry key HKEY_LOCAL_MACHINE\Software\Lameme?
Document ID:2003050209181748
Last Modified:05/08/2003
http://service1.symantec.com/SUPPORT...rc=bar_sch_nam

Situation:
You installed Symantec AntiVirus Corporate Edition (Symantec AV). After doing so, you notice that the following registry key has been created:

HKEY_LOCAL_MACHINE\Software\lameme

You want to know more about this key.

Solution:
This registry key is created by Installshield 7 during the Symantec AV installation. Specifically, the C:\Program Files\Common Files\InstallShield\Driver\7\Intel32\IDriver.exe file writes this key during the Symantec AV pre-installation tasks.

Symantec is currently investigating the functionality of this key. For additional information regarding Installshield, please visit http://www.installshield.com/.

I have the same entry also. The 'infected' computer is not connected to the internet in any way - so it must have come from an install. Almost everything installed on this computer is some sort of compiler\assembler freeware. I'll come up with a list and post it here (less than a dozen applications) if anyone is interested.

I have a second issue that may be related. Some of my regestry keys have an unknown user with special permissions on them. The unknown user's name comes up as some sort of key with numbers, letters and dashes.

Does this paint any light or raise additional questions?

[Jooske]

This does raise hairs. Are there files elsewhere related to those same files?
Are the files in autostart, anywhere else?
Did you look with the AutoStartViewer (DieamondCS products page) for all entries, etc?
Maybe has nothing to do with the lameme but a very different issue or maybe it does mean nothing, but it's better to be sure then sorry.


For the lameme, the person who created that filename most certainly caused lots of confusion worldwide as nobody knows for sure, and we read various explanations about it. The most reasonable like your own conclusion, part of an installshield or symantec software.

[Traves]

I checked my second computer and found both the lamme regestry entry and the mystery user permissions, although the mystery permissions are not all on the same keys. (This may be getting into a new forum topic but bear with me). One common key with the mystery permission is the HKEY_LOCAL_MACHINE\SOFTWARE\Intel key. If someone will check and see if they have this mystery permission it may be helpful-this entry may be used by another software program. These entries may be linked.

I ran the autorun viewer and saw no suspect entries. I could have missed something though. - Also both computers are largely running different software- with the exception of some commercial things like Norton's Anti-Virus and Firewall, Real Player etc..

The Key gets created when you install Symantec Antivirus..........


as Anatoliy's post mentions in detail......


http://service1.symantec.com/SUPPORT...rc=bar_sch_nam

[Jooske]

Thanks again! Hope they ever change the name, or maybe better not now we got used to it a little!

All of our computers, even those with no internet access, that have Symantec AntiVirus Corp Edition have the lameme reg entry. I have submitted a question to InstallShield about this today.

-MrT

[flyrfan111]

I have it on both my desktop and laptop and have never installed any corporate versions of Symantec, both came with NAV trials as most computers do these days.

Hey all. Just want to point out to all you hispanophiles that "la meme" also means "the same" in French. Don't know if that's even relevant...

[Jooske]

Can also be lame me.
life automated m... executable

lameme is a program called Lame Media Editor

To all it may concern,

Regarding the lameme is not spyware, a virus, porn dialer, worm, or anything of the such.

Please read my article on the Symantec webiste explaining what lameme really is. I apologize for any confusion.

http://service1.symantec.com/SUPPORT...rc=bar_sch_nam

--
What is the registry key HKEY_LOCAL_MACHINE\Software\Lameme?

Situation:
You installed Symantec AntiVirus Corporate Edition (Symantec AV). After doing so, you notice that the following registry key has been created:

HKEY_LOCAL_MACHINE\Software\lameme

You want to know more about this key.

Solution:
This registry key is created by Installshield 7 during the Symantec AV installation. Specifically, the C:\Program Files\Common Files\InstallShield\Driver\7\Intel32\IDriver.exe file writes this key during the Symantec AV pre-installation tasks.

Symantec is currently investigating the functionality of this key. For additional information regarding Installshield, please visit http://www.installshield.com/.


--

[Jooske]

Thanks, the origin of the file was mentioned several times but people don't read the whole thread all time

[eljaker]

hello... I am killing a new worm. it's have not a name but have a registry key named LAMEME... and other named KRYPTON...
sorry but instructions to remove it are on spanish...

este worm crea una carpeta lameme y una carpeta krypton...
como comentan en este foro.

hay un nuevo troyano/gusano que infecta w2000 y xp aprovechando el dcom/rpc y lsass vulnerabilidades... esta infectando redes ADSL con windows 2000 y XP que no se hayan actualizado desde microsoft

ASI SE QUITA DEL WINDOWS... (remove procedure)

entrar como administrador a la pc...

desactivar el gusano mediante ctrl+alt+del y buscando nombres raros tipo
xcdfghjty.exe o el zonealarm.exe

ANOTAR ESE NOMBRE ANTES DE BORRARLO PARA DESPUES UBICARLO EN EL REGISTRO...

se deberan bajar de microsoft los parches (updates) que protegen al windows sp2 y sp4 de las vulnerabilidades de dcom/rpc y lsass

bajar de microsoft el parche kb835732 , aceptar,elegir no reiniciar ahora

bajar de microsoft el parche kb835741 , aceptar, elegir no reiniciar ahora

usar el msconfig.exe de un viejo windows 98 para entrar al menu inicio...
al principio da un error,ignorarlo y seguir y arranca el programa como en el
w98...

cliquearlo, elegir inicio selectivo, menu inicio y desactivar todos los
microsoft update machine=xxxxxxx.exe (virus)
aplicar,aceptar,reiniciar
reiniciar la pc

reingresar como administrador

tildar no mostrar cuadro de dialogo de nuevo...

ver si sigue activo el virus... ctrl+alt+del y buscar el virus por nombre
raro...como antes...
si es asi pararlo,deteniendo el proceso...

ahora abrir el regedit,desde inicio,ejecutar,regedit
edicion,buscar, poner nombre del virus antes anotado...

borrar todas las entradas del registro del tipo microsoft update= nombredel
virus.exe halladas...
tambien la carpeta CRYPTON cuando se llegue a ella... y la carpeta LAMEME
que esta a continuacion...
en carpeta crypton estan todos los nombres aleatorios que uso el gusano para
funcionar encubierto...

f3 para seguir buscando

reiniciar

entrar como el usuario de la pc

enseguida ctrl+alt+del y desactivar el gusano si esta funcionando... puede
que este funcionando con otro nombre...aleatorio...
si es asi recordarlo para buscarlo en el registro de windows...


ir al regedit
edicion,buscar, nombre del troyano... eliminar las claves y la carpeta
kripton... f3 para seguir buscando...

cerrar sesion,volver a abrirla,chequear si no hay gusanos con ctrl+alt+del

si es asi ya se termino la limpieza...

si hay mas usuarios que estuvieron activos... entrar en esas sesiones y
hacer como al ultimo, para el gusano con ctrl+alt+del y entrar al registro y
buscarlo y borrarlo...


SALUDOS

eljaker

LAMEME

[Jooske]

If you locate the files submit them to submit@diamondcs.com.au for further investigation. Thanks a lot!

What is the registry key HKEY_LOCAL_MACHINE\Software\Lameme?

Situation:
You installed Symantec AntiVirus Corporate Edition (Symantec AV). After doing so, you notice that the following registry key has been created:

HKEY_LOCAL_MACHINE\Software\lameme

You want to know more about this key.

Solution:
This registry key is created by Installshield 7 during the Symantec AV installation. Specifically, the C:\Program Files\Common Files\InstallShield\Driver\7\Intel32\IDriver.exe file writes this key during the Symantec AV pre-installation tasks.

Symantec is currently investigating the functionality of this key. For additional information regarding Installshield, please visit http://www.installshield.com/.

I got a new computer, and it has lameme in the reg. GoogleSearch led me here.

ALL YOUR BASE ARE BELONG TO US

have you installed any CODEC recently?

cos that where it probably came from !

[Tuggboat]

I have it (the lame folder) in my registry under keywallet. Thats a password/ key crypto/storage utility. I think I purchased Port Explorer just because of Lame me . I keep waiting for it to hook up to somebody and transmit all my stuff.

[BlackSwan]

I too was just led to this thread here by searching Google, after doing some routine housecleaning on my XP machine and discovering I had this same entry in the registry. My registry cleaner had it listed under "Obsolete Software" and the key was HKLM\Software\lameme. I got the proggie to delete the entry and after rebooting a couple times, it hasn't come back so far.

The interesting thing is I'm not running any Symantec software on my PC - never have after a clean formatting and installation of XP, around the beginning of last year. I don't visit any suspicious sites (at least that I'm aware of) and in fact only connect this machine to the Internet to get antivirus etc. updates (running AVG 7 Free). I haven't received electronic greeting cards of any type in quite a while either. The PC is fully patched and, to the extent I can make sure of that, pretty well secured. I also never open any attachments and scan the PC thoroughly every week or so for viruses and spyware, to be on the safe side. The only detections I ever had were confirmed F/Ps from beta versions of Spybot S&D that I've been testing over time. Oh, and I haven't used Internet Explorer in ages (happy user of Firefox here).

It might also be interesting to note that I discovered the lameme entry after uninstalling a computer game (Duke Nukem Manhattan Project) which I'd got from a magazine. I experimentally installed this same game on another PC I have, running Win 98 SE, but the entry didn't appear after I uninstalled it from this second computer.

Don't know if the above helps any, but although I'm rather inclined to believe the entry in question came from some legitimate programme installation, I'm really intrigued about what it actually is/does.

EDIT #1 - Someone mentioned earlier it may also be related to a codec. I have CDex installed on the XP machine, and by running a search with AllTheWeb found some additional info about the Lame MP3 encoder, which is used by many music editing programmes (such as CDex & others).
LINK 1 - LINK 2

EDIT #2 - One more possible explanation (which BTW I loved ) can be found HERE.

Best,
BS

I also have this lameme registry entry.
I have checked my computer programs and I found it is related to the lame MP3 Encoder I have installed.
Check if you have a "lame" folder in your machine.
For further information check http://www.mp3dev.org
Hope I have solved your probs.

This key was put in on my PC when I installed CuteFTP Pro.

To test further I deleted the key then ran CuteFTP installer again and the key was back after install.