Registry question...

My dear Wilders friends, it's been a while since I've asked a question like this but here goes.... Is there a way to tell what process is holding which registry keys? And if so how? A friend of mine had a serious malware infection on her computer and so far I've removed almost all of it but Spybot still reports these two keys by CMD Service. It tells me to scan at start-up but no matter how many times I do this I'm just not successful. Also, is there a way to scrub a reg key/value regardless of whether it's being held in memory or not? I really like Spybot's shredder for this reason but it obviously only works for files. Thank you in advance for your help.

 

Hi erikguy.

For finding out what is accessing the registry,try this http://www.sysinternals.com/Utilities/Regmon.html

Have you tried booting into safe mode to edit the registry?
Or with some keys,you have to modify the permissions,keys like HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_...
You have to right-click on the key in question,select 'permissions',and then highlight 'everyone' in the top pane,then put a tick in the 'allow' 'full control' box.

 

If all else fails, one method I have used is to backup the registry with ERUNT and edit the backup registry hives it saves using something like RegdatXP. After saving your changes, use ERUNT's restore function to swap the hives you edited.

Nick

 

Hey!! Not a bad idea, Nick!! Thanks, you're awesome.

 

I just thought of something... I know I've seen good registry editors as replacements for the regular built-in RegEditor in Windows. Anybody have any good recommendations?

 

Quite a good one at the link below.
http://www.resplendence.com/reglite

 

Try RegDatXP
http://people.freenet.de/h.ulbrich/

OR from Patrick M. Kolla author of Spybot S&D
http://www.safer-networking.org/en/regalyzer/index.html

 

Oh nice!! Thanks friends!!

 

The cmdService is not removed by Spybot because the permissions for the registry keys were altered.

This procedure will work.

Please download delcmdservice (by Marckie), and save it to your Desktop.

• Unzip the content to your Desktop (a folder named delcmdservice)
• Double-click on the delcmdservice folder
• Double-click on delreg.bat to launch the tool
• When the tool has finished, please reboot your computer

Hope it helps anyone.

Regards,

Pieter