Malware removed, but keys remain locked!?

Discussion in 'malware problems & news' started by Fano effect3, Apr 17, 2008.

Thread Status:
Not open for further replies.
  1. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    I would like to remove some registry keys. They are a byproduct of malware I manually removed, but they remain detected by the GMER anti-rootkit and are locked; they can't be removed by XP's standard registry editor or any other registry editor I tried.

    Any idea on how to remove locked malware registry keys?
     
    Last edited: Apr 17, 2008
  2. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
  3. Dogbiscuit

    Dogbiscuit Guest

    Have you tried altering the permissions for those keys?
     
  4. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    RegAssassin gave "error hive returned null" when I pasted the keys:

    HKLM\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32
    HKLM\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32@oapkdbpdjpgmajnjpnmfelhmcfcckm
    HKLM\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32@napkflfgmajmihbdgddafklbdfan
     
  5. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland

    Yes, I tried, but it gets reset.
     
  6. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    Have you tried Dogbiscuit's suggestion and RegAssassin in Safe Mode?
     
  7. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    Permissions, yes, but RegAssassin not yet in Safe Mode.
     
  8. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    Also, some more info on the particulars of the malware detected by GMER may prompt more input from others and aid in its removal, as a removal tool/process for the particular infection may be available.
     
  9. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    Not one malware removal tool, or any particular malware detection product I used, was able to detect and remove anything associated with these keys. So I have to do it manually myself.

    I even tried "The Avenger" tool from swandog46.geekstogo.com without success.

    Avira, Kaspersky, etc. Thanks anyway for the help, everyone.
     
    Last edited: Apr 17, 2008
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I think you should seek highly skilled help in a malware cleaning forum.
     
  11. Dogbiscuit

    Dogbiscuit Guest

    When this has been a problem for me in the past, it's always been because I haven't given myself enough rights to delete the registry entry in question (while trying to delete it in Safe Mode as the Administrator).
     
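
One way to do what Dogbiscuit describes (give yourself enough rights first, then delete) in PowerShell, added here as an example and not code posted by anyone in this thread. It assumes an elevated Administrator session in Safe Mode, so that no driver is left running to re-lock the key, and uses the CLSID path Fano effect3 posted as its sample input; the function name Unlock-RegistryKey is my own.

```powershell
# Added example, not code from this thread. Takes ownership of the locked CLSID
# key and every subkey, grants Administrators full control, then deletes the
# subtree. Assumes an elevated shell in Safe Mode (so no driver re-locks the
# key); the path is the one Fano effect3 posted, used here as sample input.
$KeyPath = 'SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}'
$Admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$HKLM    = [Microsoft.Win32.Registry]::LocalMachine
$Check   = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

function Unlock-RegistryKey([string]$SubKey) {
    # Step 1: open with WRITE_OWNER only. This works even when the DACL denies
    # everything else, because Administrators hold SeTakeOwnershipPrivilege.
    $k = $HKLM.OpenSubKey($SubKey, $Check,
         [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $k) { throw "Key not found: HKLM\$SubKey" }
    $sd = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $sd.SetOwner($Admins)
    $k.SetAccessControl($sd)      # writes only the Owner section
    $k.Close()

    # Step 2: the owner implicitly has READ_CONTROL and WRITE_DAC. Cut inheritance,
    # drop every explicit Deny entry, and add FullControl for Administrators.
    $k = $HKLM.OpenSubKey($SubKey, $Check,
         [System.Security.AccessControl.RegistryRights]'ChangePermissions, ReadPermissions')
    $sd = $k.GetAccessControl()
    $sd.SetAccessRuleProtection($true, $false)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $sd.GetAccessRules($true, $false, $sidType)) {
        if ($rule.AccessControlType -eq 'Deny') { [void]$sd.RemoveAccessRule($rule) }
    }
    $sd.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $Admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    $k.SetAccessControl($sd)
    $k.Close()

    # Step 3: now that the key is readable, repeat for each subkey (here
    # InProcServer32), since each one may have been locked individually.
    $k = $HKLM.OpenSubKey($SubKey)
    foreach ($child in $k.GetSubKeyNames()) { Unlock-RegistryKey "$SubKey\$child" }
    $k.Close()
}

Unlock-RegistryKey $KeyPath
Remove-Item -Path "HKLM:\$KeyPath" -Recurse -Force
if (Test-Path "HKLM:\$KeyPath") { Write-Warning "Key still present: something is re-creating it" }
else { Write-Host "Removed HKLM\$KeyPath" }
```

If the key reappears after this, a component that protects it is still running, which is why the deletion should be done in Safe Mode or from an offline boot CD as EASTER suggests later in the thread.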
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Can you post the Avenger script you used?
    And are you sure the malware is gone?

    Regards,

    Pieter
     
  13. RubbeR DuckY

    RubbeR DuckY Developer

    Joined:
    Jul 7, 2006
    Posts:
    215
    RegASSASSIN can fix these registry keys. This is the correct format.

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}
     
  14. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32
    HKEY_LOCAL_MACHINE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32
    HKEY_LOCAL_MACHINE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32@oapkdbpdjpgmajnjpnmfelhmcfcckm
    HKEY_LOCAL_MACHINE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32@napkflfgmajmihbdgddafklbdfan

    execute
    After reboot it said: error.

    and later

    Registry keys to delete:
    HKLM\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32
    HKLM\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32@oapkdbpdjpgmajnjpnmfelhmcfcckm
    HKLM\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32@napkflfgmajmihbdgddafklbdfan

    execute
    After reboot it said: error.


    On the malware being removed first:
    yes, it was a .sys file, but I can never say for sure because it's not detected by regular signature antivirus or Prevx.
     
    Last edited: Apr 20, 2008
  15. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland

    I tried this format already. RegAssassin said: "Regassasin could not remove this registry key"
     
    Last edited: Apr 20, 2008
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I'll leave that conclusion to the experts at SpywareInfo, MalwareBytes and where else you have posted for help.
     
  17. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    I did not conclude anything, that's why I said: "I can never say for sure". And yes, I posted this on different forums because not every expert visits the same forum, and Malwarebytes is the creator of RegAssassin.
     
    Last edited: Apr 20, 2008
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    There's only one sure-fire way I know to pull stubborn registry keys out safely without feeling nothing will ever work, and that's with the CD with ERD Commander on it.

    Nothing, and I mean nothing, can prevent it from manipulating either the file system or registry, and I've had to turn to that extreme rescue route before myself because nothing else available could help.

    It's like loading your O/S into a mirror O/S where you can review everything on your affected actual PC and actually do something about it.
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I think the author of RegAssassin posted earlier in this thread. ;)
    And the helpers at the security forums do have enough to do without people posting all over.
    Thanks for your understanding. ;)
     
  20. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Hello Fano effect3. Were you able to remove the registry keys?

    thanatos
     
  21. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    I've upgraded to SP3 in the meantime to see if this might affect their accessibility, then I tried Regassassin again, but the keys remain locked.
     
    Last edited: Apr 23, 2008
  22. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Did you try my suggestion?

    thanatos
     
  23. Fano effect3

    Fano effect3 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    37
    Location:
    Amsterdam, Holland
    No, I just found out, but I'll try this right away.

    (Update) The first time I rebooted, then checked if they were removed, but they were still present; the second time only with:

    [DefaultInstall]
    DelReg=del

    [del]
    HKLM, "SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32"
    HKLM, "SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32@oapkdbpdjpgmajnjpnmfelhmcfcckm"
    HKLM, "SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32@napkflfgmajmihbdgddafklbdfan"

    It said: error, installation failed.
     
    Last edited: Apr 24, 2008
  24. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Fano effect3, copy and paste the code below into Notepad.

    Code:
    ' RegDelete cannot remove a key that still has subkeys, so delete InProcServer32 first (trailing backslash = key, not value)
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.RegDelete "HKLM\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\InProcServer32\"
    WshShell.RegDelete "HKLM\SOFTWARE\Classes\CLSID\{76CF9956-5493-FFD9-8442-FCE40CB7FE98}\"

    Go to File > Save. Filename = delete.vbs, save as type = all file types. Click Save. Go to Safe Mode and run delete.vbs.

    Have you tried deleting the keys using a boot CD? If not yet, please try if the script fails.

    thanatos
     