BleepingComputer.com: Locked Registry File - Suspected Backdoor

[HKEY_USERS\S-1-5-21-1060284298-1972579041-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*]
"naonffchibafpgogjgclnodobema"=hex:6b,61,6d,68,67,62,67,67,65,6b,64,67,6a,6f,
6a,6b,6f,6f,63,61,70,69,00,7c
"oaiodcgpcjdbampefmaojmbimpcfgk"=hex:6b,61,6d,68,66,62,6c,64,6b,61,6d,70,6a,62,
6c,6e,6c,6b,6c,67,70,65,00,7c
"fbbmbjgcplfbcmiknkjlimppokinoofdlekkbfcpfepd"=hex:64,62,68,6c,65,61,6e,67,6a,
64,62,6d,61,69,66,6f,6f,64,68,63,66,69,63,70,67,6f,6f,63,66,65,6b,67,65,69,\
"abemflcobphlofkdmanidkbfppddpiplle"=hex:6a,63,6b,68,6a,62,69,6e,6e,67,6e,6b,
68,6d,61,6d,6e,69,66,6f,64,6f,6c,68,62,68,66,68,68,62,63,66,62,6d,6b,62,66,\
.
Locked Registry File - Suspected Backdoor - I Cannot Delete it - I Cannot Remove it.
This is left over after got hit by virus and then pc was cleaned. How do I remove this since I am afraid it is a back door left behind by virus.

This post has been edited by moddman: 16 April 2011 - 04:11 AM

Hi moddman ,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Besides the locked registry items you have mentioned I see on the GMER log other locked registry keys related to Daemon tools. Are still using Daemon tools or you want to remove them too?

I uninstalled daemon tools a while ago, I did not use it since then. I would say go ahead with that as well. Thanks.

Please download MiniRegTool.zip and unzip it.

• Run the tool.
  
• Copy and paste the content of code box into the edit box:
  
  

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*]
  [HKEY_USERS\S-1-5-21-1060284298-1972579041-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*]
  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg
  HKLM\SYSTEM\CurrentControlSet\Services\sptd
  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg
  HKLM\SYSTEM\ControlSet003\Services\sptd

  
  
• Check the Delete Key(s)/Value(s) including Locked/Null embedded radio button.
  
• Press Go button and post the result.

MiniRegTool by Farbar
Ran by Enzo at 2011-04-19 23:14:25

====================================
[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*] deleted successfully.
[HKEY_USERS\S-1-5-21-1060284298-1972579041-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*] not found.
HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\sptd deleted successfully.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg deleted successfully.
HKLM\SYSTEM\ControlSet003\Services\sptd deleted successfully.

Okay they are taken care off. Do you have any question?

Thank you for your expertise. If I would have kept those reg entries....was it correct in my thinking that it was a suspected back door left on my pc? Especially the ones with the hex codes?

This post has been edited by moddman: 20 April 2011 - 07:16 PM

You are very welcome.

Those locked registry entries could not load anything. They were just leftovers and could not initiate any malicious activity be themselves. However, even in case of the Daemon tool leftovers they are better to be removed to keep the registry free of them for better maintenance.

Happy Surfing moddman.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.