
Can't clear infected registry entries.


3 replies to this topic

#1 onehung

onehung

  • Members
  • 2 posts

Posted 17 December 2008 - 09:46 AM

Hi, I'm a newbie to Bleeping Computer, so I hope I'm in the right place.

I've been cleaning malware from a friend's computer which was infected with "Virus Remover 2008" and other malware. (His son had installed a couple of peer to peer file sharing systems and this is probably what fetched in the infection).

The system is XP Home and I believe it is up to date with Windows updates. It has McAfee VirusScan and this is up to date. He also has Spybot and Ad-Aware but these are out of date. The machine is not currently connected to the internet because I do not want to add it to my home network until I am happy it is clean. I am using my desktop to down/upload whatever is necessary and transferring files using a pen drive. I can connect it separately if this is necessary.

Anyway I installed Malwarebytes AntiMalware and successfully removed a good lot of stuff. I have also detected a couple of trojans with McAfee and deleted them. I have also scanned with SpyHunter, Trojan Hunter and Stinger. I had a lot of trouble with a file C:\Windows\System32\ciadmi.dll which was locked and refused to be deleted by MBAM, or FileAssassin or MoveOnBoot. In the end I took the Hard Drive out of the PC and mounted it in a caddy then added to my desktop as a USB slave drive. I then managed to delete the file.

:thumbsup: I am now left with four registry entries which are detected by MBAM but can't be deleted. I have tried to delete them manually using regedit but it will not let me do it, even when I am logged on as System Administrator in Safe Mode.

This is the MBAM log

----------------------------------------------

Malwarebytes' Anti-Malware 1.31
Database version: 1498
Windows 5.1.2600 Service Pack 3

17/12/2008 14:31:12
mbam-log-2008-12-17 (14-31-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 86655
Time elapsed: 19 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------

I click on Yes to tell MBAM to fix these entries on start up and then Reboot, and guess what, they are still there.

I have done various other scans and can't see any other infections but I am worried about these entries and would like to find out what is going on.

Any help would be much appreciated.
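A diagnostic script for the situation described in this post, added here as an example and not part of the thread: it reads the key that MBAM flagged, lists which of the reported values (bf, bk, iu, mu) are still present, and shows the key's owner and any Deny entries in its ACL, since a Deny ACE on the key is one common reason regedit refuses a delete even for an administrator. It assumes Windows PowerShell is available on the machine and is run from an elevated prompt; the `-Remove` switch is an assumption of this example and attempts removal only when given.

```powershell
# Added example (not from the thread): audit the key MBAM flagged and report
# why its values may resist deletion. Run as Administrator.
param([switch]$Remove)

# Key and value names taken from the MBAM log above
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
$Flagged = @('bf', 'bk', 'iu', 'mu')

function Get-StubbornValueReport {
    param([string]$Path, [string[]]$Names, [switch]$TryRemove)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "Key not present: $Path"
        return
    }

    # Owner and any Deny ACEs on the key itself; a Deny for Administrators
    # or Everyone would explain a failed delete even in Safe Mode
    $acl = Get-Acl -Path $Path
    Write-Output "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            Write-Output ("DENY     {0,-30} {1}" -f $ace.IdentityReference, $ace.RegistryRights)
        }
    }

    # Which flagged values still exist, their type and data
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $Names) {
        if ($key.GetValueNames() -contains $name) {
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name)
            Write-Output ("present  {0}  ({1}) = {2}" -f $name, $kind, $data)
            if ($TryRemove) {
                try {
                    Remove-ItemProperty -LiteralPath $Path -Name $name -ErrorAction Stop
                    Write-Output "removed  $name"
                } catch {
                    # Report the exact error text instead of silently moving on
                    Write-Output "FAILED   $name : $($_.Exception.Message)"
                }
            }
        } else {
            Write-Output "absent   $name"
        }
    }
}

Get-StubbornValueReport -Path $KeyPath -Names $Flagged -TryRemove:$Remove
```

If the report shows Deny entries or an unexpected owner, that is the permission state to repair (take ownership, remove the Deny ACE) before retrying the delete; the script itself changes nothing unless `-Remove` is given.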


#2 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 17 December 2008 - 10:35 AM

Hi,

Welcome here. :thumbsup:

Please use the Internet Explorer browser (or Firefox with IETab) and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Screenshots: the Scan is completed window and the Save Report As button]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Edited by superbird, 17 December 2008 - 10:35 AM.


#3 onehung

onehung
  • Topic Starter

  • Members
  • 2 posts

Posted 19 December 2008 - 03:05 AM

Hi

Thanks for the speedy reply.

No problems found. I put the machine back on line and it has run for several hours without any sign of infection. So far so good.

I am going to leave "well enough alone" for the time being. If problems reoccur I will reopen the topic.

Best regards for Christmas and the new year.

Onehung

#4 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 19 December 2008 - 04:58 AM

That's all right. :thumbsup: Best regards to you for Christmas too, and for the new year. :flowers:
