HKEY_LOCAL_MACHINE\SOFTWARE\lameme ???

Discussion in 'privacy general' started by laramie, Apr 17, 2003.

Thread Status:
Not open for further replies.
  1. laramie

    laramie Guest

    I found this strangely named key :p in my registry. I ran a few different programs, TDS 3 included, and found nothing suspicious. I also checked with a friend whether he had it on his Win2000, but he didn't. At that point I thought it was probably leftover junk from spyware that Ad-aware didn't clean properly, so I deleted it.
    Today I was looking through the registry and noticed that the key is back again?
    Does anyone have any idea what's going on here?

    Thanks for any help
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi laramie,

    From what I can find about it, it could be a dialer disguised as webcam software.
    Is there a folder with that name on your system as well?

    Regards,

    Pieter
     
  3. laramie

    laramie Guest

    Hi Pieter
    Can you point me to the info you found on the dialer?
    I've tried searching on Google but have found nothing substantial yet.

    thank you
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    I'd rather not do so, unless there is no other way to help you solve this.

    Disregard what was here before. My Spanish needs some work.

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  5. laramie

    laramie Guest

    Here are my log results:

    Logfile of HijackThis v1.93.0
    Scan saved at 16:05:18, on 17/04/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=207.208.169.67:80
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Switch Off] F:\Program Files\Switch Off\swoff.exe
    O4 - HKCU\..\Run: [NetRun (CzarSoft)] F:\Program Files\NetRun\NetRun.exe
    O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O10 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O10 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi laramie,

    Are you sure that's all? :eek:
    If so, you can clean out the registry with JV16 Powertools.

    Regards,

    Pieter
     
  7. laramie

    laramie Guest

    Hi Pieter

    After a registry clean-up the key comes back again :/ I wish I had better info to offer, but there is no data inside the key either, so at the moment all I have to go on is the name "lameme", and that unfortunately hasn't returned any answers on Google.
    It sounds to me like someone's idea of a joke to have this key reappear in the reg after being deleted. The question is... how is it getting there? :)
     
  8. Vampirefo

    Vampirefo Guest

    lameme means "lick me", so it is porn.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Did you perform a search on your computer with hidden files showing?
    And did that result in any findings?

    Regards,

    Pieter
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Check in your Control Panel under Add/Remove software if there is an entry for Lameme.
    With this you could have cookies and other stuff like Pieter describes coming back with a new connect somehow.

    Port Explorer would immediately show you outgoing connections, and the full version gives the ability to block them immediately, while TDS on highest sensitivity could find your nasty dialer(s).

    I'm seeing several questions about this one in the newsgroups, no solution yet. There are recommendations to use Spybot S&D too.


    Hehe, found it, with description and removal instructions.
    You might at some point have got an e-card, with the instruction to d/l something to view it, right?
    So the add/remove thing to look for is probably friendgreetings or FG.
    http://www.sarc.com/avcenter/venc/data/friendgreetings.html
    I suggest you read and print out the whole page carefully before starting to work on it.
    Your updated av/at definitions should find it too, btw.
    It also says you can ignore several of the changed registry keys, so fingers crossed for you.
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Laramie,

    Did you run Spybot SD as well? Could well be related to the "myfriendlygreetings" spyware.

    regards.

    paul
     
  12. Gary39

    Gary39 Guest

    Maybe this is the cause; it's a porn site. Found it while searching for lameme.
    <please, I understand you're trying to help, but these links are not allowed on this board>
     
  13. Gary39

    Gary39 Guest

    OK, having been to the site I now have a lameme registry entry :D
    I think I have got rid of it permanently by just deleting me cookies and emptying temp internet files. Hasn't reappeared.
    PS: I didn't click anything on the site so I guess it autoloads on arrival at the site.
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Strange. I followed your link before editing it out and just searched my registry and it was not found. o_O
    *trying again with IE

    Again nothing and I wasn't prompted to accept cookies either.

    Puzzled,

    Pieter
     
  15. Jooske

    Jooske Registered Member

    Pieter, maybe your cookie protection is higher or is deleting them immediately. Yesterday, while googling around, I saw hundreds of those sites offering software d/l instead of dialers (oh really?), that was the promotion in Google, so I did not go there.
    But the description and the key were so exactly the friendsgreetings thing that I did not have to look for the porn stuff, fortunately.
    Gary, did you have such a registry key with exactly that name too, or just the cookie?
     
  16. the dude

    the dude Guest

    At work after a server break-in (which we're not sure if it was related to the key or not) we linked the key to Symantec Antivirus. What it does, we do not know but we have asked Symantec and they so far have not replied.
     
  17. Jooske

    Jooske Registered Member

    Hi the Dude,
    Have another look at this page with the description; this is what you're looking for.
    http://www.sarc.com/avcenter/venc/data/friendgreetings.html
    It's a mass mailer worm.

    Break-in? What do you mean?
     
  18. TEST

    TEST Guest

    The following link claims this is a bug in InstallShield.

    http://community.installshield.com/showthread.php?s=&threadid=102855

    Samprasad
    Power User (30+ Posts)

    Registered: May 2002
    Location:
    Posts: 48
    Installshield bug....big time. Also this gets interesting when u try to remove it, Installshield puts it back again. The reg key is created on the next of the customer information dialog on the Basic MSI project.

    Even if you have a CA to remove this reg key as the last action on the execute sequence, IS will put it back again, the second you launch setup.exe for modify or remove or repair.

    Crazy defect, but harmless...we just have to learn to ignore this reg key.

    Side note: one of my colleagues told me that Lamme was a nasty word in Russian.

    Thanks
    Samprasad


    __________________
    Have a nice day.

    Sam
     
  19. BRYAN GLAZER

    BRYAN GLAZER Guest

    I am being hacked constantly and the LAMEME is a folder, empty, in my reg.
    Hacker source: PHPForum.net & PAHacks.com
     
  20. Jooske

    Jooske Registered Member

    Hi Bryan,
    Can you block them in your firewall and hosts file? The name, IP range, .....
    Is there anything else on your system enabling their entrance? Did you download their software, for instance?
    You might like to post a HJT log in the HijackThis / autostart forum and have an expert's vision over it; maybe there are some fixes possible.
    No alarms when scanning your system?
     
  21. dougsager

    dougsager Guest

    i have read this thread and also have the lameme entry.
    however, i have just a few days ago done a clean reinstall of win2k. and i most certainly have not been to any of the sites mentioned in the two antivirus advisories quoted in this thread.
    moreover, neither of those two advisories has anything whatsoever to do with lameme. the word does not even appear.
    i think the only avenue of any cogency is the comment about the installer issue, which does not seem to have been resolved.
    so at this point, if i understand correctly, nobody has any idea what this lameme entry does or how to get rid of it, really?
     
  22. Jooske

    Jooske Registered Member

    A while ago I googled and found dialers and more on the name; now only a description of somebody thinking it had to do with his PartitionMagic or BootMagic install, but I did not find any serious confirmation of that.
     
  23. ryan gilmore

    ryan gilmore Guest

    Hi, I've the same thing with this LAMEME registry key in Windows XP. It seems to appear after you install mysearchbar or Kazaa, and there's nothing else with the same name. I think it must have an effect on the computer because, besides being random (it does not appear on all computers, not even in the same LAN), the LAMEME key is used in Spanish for "lick me", so there's something going on there.
     
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Sorry to say, but in my belief lameme is some cracking site providing serials and cracks like katz, and all of this is sponsored by dialers and spyware inside, so like Jooske said, a HJT log would give a more detailed insight into your machine...
     