Adware - editing registry


5 replies to this topic

#1 deedee1113

deedee1113

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:59 AM

Posted 15 May 2005 - 08:19 AM

I'm using Norton SystemWorks 2004. I ran a full scan on my c:\ drive. A few Adware threats were found. I followed the links to the Symantec documentation regarding fixing the problems (removing the threats). They all mentioned editing the registry and deleting various items from the right side of the registry panels. But, I could not find any of the items that were mentioned in the documentation. The documentation did say to start the PC in safe mode (which I did not do). Could this be why I cannot find any of the items that were mentioned in the documentation? Thanks so much.

Edited by deedee1113, 15 May 2005 - 08:20 AM.


#2 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:06:59 AM

Posted 15 May 2005 - 08:48 AM

Hello deedee1113 and welcome to BC

No, the registry is the same in Safe or Normal mode. Can you provide a link to the Symantec page you mentioned?

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 deedee1113

deedee1113
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:59 AM

Posted 15 May 2005 - 09:45 AM

Thanks for answering so quickly. One of the links is http://securityresponse.symantec.com/avcen...e.elitebar.html

If you scroll down the page to "To reverse changes made to the registry", you see what they suggest you delete from the registry. I cannot find any of the entries in my registry.

Thanks.

#4 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:06:59 AM

Posted 15 May 2005 - 10:17 AM

May add some of the following registry subkeys


I wouldn't be concerned about it. As Symantec says, it may add those keys. These malware programs change continually to try to stay ahead of the programs that remove them. In addition, Symantec may have improved their removal procedure sufficiently that these or other entries are removed during the scan.

When I'm looking for something in the registry I use Edit>Find and paste a part of the key and let the search be done automatically. So, if I was looking for:

HKEY_CLASSES_ROOT\Interface\{DBF33E89-1784-42AC-ADE4-A428F56550A3}

In the find box I would paste DBF33E89 and let it look. If I get a hit and it finds that number, I look to the bottom of the regedit pane to see the full path to be sure it's what I'm looking for. Then I right click the entry, export it to the desktop and delete. Then if I notice any strange behaviour, I can merge that key back to the registry from the desktop. To continue the search just press F3.

You might want to post a Hijack This log if you are concerned there are still some remnants.

If you were able to do this:

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"Sys29" = "%System%\win[3 random letters]32.exe"
"kalvsys" = "%System%\kalv[3 random letters]32.exe"
"etbrun" = "%System%\elit[3 random letters]32.exe"
"antiware" = "%System%\elit[3 random letters]32.exe"


then you have removed the entries that activate the program.

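The two checks Leurgy describes above (searching the registry for a fragment of a key name, and inspecting the Run key for the autostart values Symantec lists, exporting before deleting) can be scripted so the result is repeatable and the backup step is never skipped. The following PowerShell is an added example written for this thread; it is not code from BleepingComputer or Symantec. It takes the value names and the "[3 random letters]" file-name shape from the Symantec text quoted in the post and turns that shape into the regular expression `[a-z]{3}` (an interpretation, not Symantec's wording); the backup file name and its Desktop location are assumptions. It defaults to a report-only run and only deletes when `-Remove` is given from an elevated prompt.

```powershell
# Added example (not from the thread): report on, back up, and optionally remove the
# Run-key values named in the quoted Symantec write-up, and search a registry hive
# for a key-name fragment the way regedit's Edit > Find does.
param(
    [switch]$Remove   # without this switch the script only reports
)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Value names from the Symantec text quoted above; "[3 random letters]" is
# interpreted here as [a-z]{3} (assumption). PowerShell -match is case-insensitive.
$suspects = @{
    'Sys29'    = '\\win[a-z]{3}32\.exe$'
    'kalvsys'  = '\\kalv[a-z]{3}32\.exe$'
    'etbrun'   = '\\elit[a-z]{3}32\.exe$'
    'antiware' = '\\elit[a-z]{3}32\.exe$'
}

function Find-RunSuspects {
    # Returns one object per listed value that is present, with a flag saying
    # whether its data also matches the expected file-name shape.
    $props = Get-ItemProperty -Path $runKey -ErrorAction Stop
    $hits = @()
    foreach ($name in $suspects.Keys) {
        $data = $props.$name
        if ($null -ne $data) {
            $hits += [pscustomobject]@{
                Name         = $name
                Data         = $data
                PatternMatch = [bool]($data -match $suspects[$name])
            }
        }
    }
    return $hits
}

function Find-RegistryKeyByFragment {
    # Equivalent of pasting part of a key name (e.g. DBF33E89) into Edit > Find:
    # walks the hive and returns every key whose name contains the fragment.
    param(
        [string]$Hive,      # e.g. 'HKLM:\SOFTWARE\Classes\Interface' (HKCR\Interface)
        [string]$Fragment
    )
    Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$Fragment*" } |
        Select-Object -ExpandProperty Name
}

function Backup-RunKey {
    # Same safeguard Leurgy describes: export the key to the Desktop first so it can
    # be merged back if something else breaks. File name is an assumption.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $file = Join-Path $desktop ('Run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $file /y | Out-Null
    return $file
}

# --- main -------------------------------------------------------------------
$hits = @(Find-RunSuspects)
if ($hits.Count -eq 0) {
    Write-Host "None of the listed Run values are present under $runKey."
} else {
    $hits | Format-Table -AutoSize
    if ($Remove) {
        $backup = Backup-RunKey
        Write-Host "Exported Run key to $backup"
        foreach ($h in $hits) {
            Remove-ItemProperty -Path $runKey -Name $h.Name
            Write-Host "Deleted value '$($h.Name)'"
        }
    } else {
        Write-Host 'Report only. Re-run with -Remove (elevated) to back up and delete.'
    }
}

# The GUID fragment from the Elitebar write-up quoted in the post:
Find-RegistryKeyByFragment -Hive 'HKLM:\SOFTWARE\Classes\Interface' -Fragment 'DBF33E89'
```

Run it first without `-Remove` and read the `PatternMatch` column: a listed value name whose data does not fit the expected file-name shape deserves a look before deletion, since a later variant (or an unrelated program reusing the name) may not match the write-up. The `.reg` file written by `reg.exe export` is what you double-click to merge the key back, exactly as the post suggests.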


#5 deedee1113

deedee1113
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:59 AM

Posted 15 May 2005 - 10:49 AM

After I looked in the registry for the items and did not find them, I ran another full scan. The same threats were found. So, I was a little nervous...which is why I posted to this website.

I will try your "find" method, just in case I missed something in my hunt for the entries.

Can you please tell me what a "Hijack This" log is? I never heard of it.

Thanks so much for all your help.

#6 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:06:59 AM

Posted 15 May 2005 - 11:01 AM

Sorry deedee1113 I should have been more specific. HiJack This is a program that looks at the areas that malware usually populates on a computer and generates a report. It is a tool that should only be used by trained people and we have a great team here. Have a look at How to submit a Hijackthis Log. It has all the information you need to get a log posted to our team. Please be patient as they are all volunteers. Post your log and wait for a reply. Please don't post twice as the team looks for logs with no reply to work on. If you want to add some comments after you post your log you can use the Edit button at the top of your post.





