how do I remove a value from the registry?


This topic is locked
9 replies to this topic

#1 kwisj

kwisj

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 21 March 2010 - 03:31 AM

Hi there
I am trying to learn how to remove a value from the registry using a .reg file.
This is the registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\system32\curslib.dll c:\windows\system32\pufuyada.dll jimaneno.dll C:\WINDOWS\system32\guard32.dll"
I want to remove:
curslib.dll
pufuyada.dll
jimaneno.dll
Can someone just talk me through how to do this? I know it's not that difficult, but I am having problems with the syntax of the commands. I know that I have to use the following:
"jimaneno.dll"=-

"curslib.dll"=-

"pufuyada.dll"=-

But I don't know how to write it down properly to remove those values. Can someone tell me?
Cheers Kwisj
XP Home SP3


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:55 AM

Posted 21 March 2010 - 04:17 AM

Hello, this is part of a Vundo infection. Therefore, I am moving this topic to the Am I Infected forum.

Even if you were to edit the registry successfully, it's doubtful that the active Vundo would allow these changes to stick.

But the bigger risk is that you end up with an unbootable computer. "Fixing" AppinitDll values improperly can cause your computer not to be able to log on anymore.

The steps below should help you to accomplish the same task in a much safer way.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 kwisj

kwisj
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 22 March 2010 - 11:33 AM

Hi Elise025
Thanks for your time in replying to my question. My computer is not actually infected, as this is a part of something I'm trying to learn myself: how to remove registry keys and values using a .reg file. What the reg entry actually is, is just a dummy entry for 3 infected values in the AppInt key. I would just like to know the syntax for removing the 3 values. I have been to the MS website and it's not very clear. I am not a programmer, so they do give instructions, however I don't really understand the way to write a .reg file to remove the files in question. I just wanted an idiot's guide on how to do it.
take it easy
Kwisj

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:55 AM

Posted 22 March 2010 - 12:45 PM

Hello again,

First of all, I am very curious to know how you got this " dummy entry for 3 infected values in the AppInt key" created. If you knew how to do that, it should be fairly simple to undo the process...

Before doing ANYTHING at all in the registry, you should back up your registry so you can restore it. Let me add to that, if you want to learn using .reg fixes, this is probably one of the worst places to start, since one little mess-up can cause your computer not be able to log on anymore.

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

If you want to restore the registry values to what they should be, I suggest you find out what the default value(s) for this key is/are first.

A good place to start reading is here

regards, Elise



#5 kwisj

kwisj
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 23 March 2010 - 06:19 AM

Hi
Dear me. All I want to know is just the 1 or 2 lines of code to remove 3 values from the registry. I have gone to MS, and as usual that is not written for people who have little experience in computers. The line from the registry is not from the registry on my computer; it's an exercise that I have to complete to pass onto the next bit of a little distance learning course I'm doing. I am not actually changing my registry values. I just have to submit the answer. But I'm just finding it a bit difficult without having someone to ask in front of me who can teach me how to do it. So all I would like is someone who knows just to say ''write this to get rid of this.'' As I am not actually changing the registry I can't do it by trial and error. Kind of like not having to learn Spanish to just be told how to ask for a beer.
See, if I write this [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] that deletes the entire key I think. Now I know that the AppInit_DLLs is in the above key, and that the path for the files is this: C:\WINDOWS\system32\curslib.dll . So if I write this:
C:\WINDOWS\system32\curslib.dll
"curslib.dll"=-
and put it in a .reg file and import it into the registry will it get rid of that file? That's all I want to know. Just what I have to write, and how to write it with the correct syntax.
Please tell me :thumbsup:
thanx for your time Kwisj
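The .reg mechanics that posts #1 and #5 circle around, worked through as an added example (this is editor-supplied code, not something posted in the thread). Two points of syntax decide the answer: `[-KEY]` deletes a whole key, and `"name"=-` deletes a whole value, so `"curslib.dll"=-` would ask regedit to delete a value named curslib.dll, which does not exist in that key. The DLL names in the exercise are inside the data of one value, AppInit_DLLs, so removing three of them means writing that value back with only the remaining entry, and `=-` is the right form only when nothing at all should be left. The key, value name and data below are the ones quoted in post #1 (used here as a constructed sample); the assumption is that the value is a plain REG_SZ string of space- or comma-separated paths, which is how AppInit_DLLs is stored.

```python
import re
import ntpath

# Constructed sample: the key and exercise string quoted in post #1 of the thread.
SAMPLE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
SAMPLE_DATA = (r"C:\WINDOWS\system32\curslib.dll c:\windows\system32\pufuyada.dll "
               r"jimaneno.dll C:\WINDOWS\system32\guard32.dll")
VALUE_NAME = "AppInit_DLLs"
REG_HEADER = "Windows Registry Editor Version 5.00"


def split_entries(data):
    """AppInit_DLLs is one string; its entries are separated by spaces or commas."""
    return [e for e in re.split(r"[\s,]+", data) if e]


def remove_dlls(data, unwanted):
    """Return the value data with every entry whose file name is in `unwanted` dropped.

    Matching is case-insensitive on the file name only, so 'curslib.dll' matches
    'C:\\WINDOWS\\system32\\curslib.dll'. A name that is not present raises, so a
    typo cannot silently leave a loader hook in place.
    """
    drop = {n.lower() for n in unwanted}
    entries = split_entries(data)
    present = {ntpath.basename(e).lower() for e in entries}
    missing = drop - present
    if missing:
        raise ValueError(f"not present in {VALUE_NAME}: {sorted(missing)}")
    return " ".join(e for e in entries if ntpath.basename(e).lower() not in drop)


def reg_escape(s):
    """String data in a .reg file doubles backslashes and escapes double quotes."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_reg(key, data, unwanted):
    """Produce the text of a .reg file that rewrites AppInit_DLLs without `unwanted`.

    '"name"=-' is the only removal syntax a .reg file has and it deletes the whole
    value, so it is emitted only when no entry remains; otherwise the trimmed
    string is written back as the new data.
    """
    remaining = remove_dlls(data, unwanted)
    lines = [REG_HEADER, "", f"[{key}]"]
    if remaining:
        lines.append(f'"{VALUE_NAME}"="{reg_escape(remaining)}"')
    else:
        lines.append(f'"{VALUE_NAME}"=-')
    lines.append("")
    # CRLF line endings, matching what regedit itself writes on export.
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_reg(SAMPLE_KEY, SAMPLE_DATA,
                    ["curslib.dll", "pufuyada.dll", "jimaneno.dll"]))
```

For the sample data the output is a file whose value line reads "AppInit_DLLs"="C:\\WINDOWS\\system32\\guard32.dll" (the doubled backslashes are the .reg escaping, not part of the path). Before applying any such file, save the current state of that one key with reg export, then apply with reg import; keeping the exported copy is what makes the change reversible if the machine fails to log on afterwards, which is the failure mode Elise warns about.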

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:55 AM

Posted 23 March 2010 - 07:08 AM

its an exercise that I have to complete to pass onto the next bit of a little distance learning course I'm doing.

This is exactly the reason why I don't want to give you the answer straight away.
Please be honest to yourself, what would you learn if I just posted the answer here? Would you be able to do it for yourself next?

Then again, this looks like you are doing some sort of malware removal training elsewhere. No way I am going to help you with that. You should ask your questions to the people who are guiding you there.

Once again, I pointed you at a good tutorial here at BC. See if you can find out a bit more about it...

regards, Elise



#7 kwisj

kwisj
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 23 March 2010 - 01:27 PM

its an exercise that I have to complete to pass onto the next bit of a little distance learning course I'm doing.

This is exactly the reason why I don't want to give you the answer straight away.
Please be honest to yourself, what would you learn if I just posted the answer here? Would you be able to do it for yourself next?

Then again, this looks like you are doing some sort of malware removal training elsewhere. No way I am going to help you with that. You should ask your questions to the people who are guiding you there.

Once again, I pointed you at a good tutorial here at BC. See if you can find out a bit more about it...

Hmmm Elise, I think you are assuming quite a lot of things without actually knowing what I am doing. I did not post my original question in the "help I'm infected" sections, I did not post a HJT log, I did not really ask for much. In the title page of your site, you do say: ''... a community devoted to providing free original content, consisting of computer help and tutorials, in such a way that the beginning computer user can understand.'' Nowhere does it say a person has to give reasons to ask for help, or these are the rules for asking questions, or we will not help you if we think that you are etc. etc. etc. I just thought it was a place where someone with a question could ask it without having to deal with a lot of attitude. I myself help out on music program forums, and I never ask why the person is asking a question: if I can answer the question, I just post the answer and that's that. One thing I would never say is: go and read the manual. With respect to you, you did not actually ask me what my problem was to begin with either, you just assumed a lot of things. Maybe I just haven't got the time, or indeed, internet access time to go looking around for hours on end at sometimes difficult to understand tutorials, or maybe I have a learning difficulty that means I need things to be explained to me in black and white first, with lots of examples, before I can move on. Thus telling me to go and read the manual may not be very helpful! Also remember, if someone knows something that does not mean that they are able to teach it. I don't know many people who find the MS website particularly helpful for this very reason.
In none of the online stuff I have come across has anyone written something like this:
Here is an example of the problem; here is what we have to do; here is how we do it; here are 3 or 4 more examples; now have a go at solving this problem using the above method... If you remember, this is how we learn at school. I'm a bit slow when it comes to things like this, and I like to learn by example. I suppose I could just go and ask a programmer. Oh, and by the way, in answer to your question "Please be honest to yourself, what would you learn if I just posted the answer here? Would you be able to do it for yourself next?": if you posted the answer I could use your answer to go back to the MS or other tutorials that I have looked at and compare it, and I would see what the syntax is, and then I would be able to do it myself, yes!
But thanks for your effort, and I think I will not ask for any more of your time.
Kwisj

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:55 AM

Posted 23 March 2010 - 02:04 PM

I did not really ask for much.

You ask me to do your homework. You expect a ready-to-use answer for an exercise you need to complete.

I consider I am not "helping" you if I provide you with this ready-to-use fix. Because that only would help you pass one exercise. It wouldn't be of any help when you would come across this kind of problem in a "real" situation, because you wouldn't know how to do it yourself.

One thing I would never say is: go and read the manual.

I would never say that to one of the people I am helping to remove malware, no. But when doing exercises as you explained, you are a student. A student is supposed to read his manuals. And if you have problems with that or do not understand it (which is perfectly normal, after all registry fixes are not easy), you ought to ask the person(s) that are guiding you through the training/study you are doing.

I'm a bit slow when it comes to things like this, and I like to learn by example.

Once again, I don't say you have to have all the answers immediately. I've been through training and I know how frustrating it can be. But you need to address this at the place where you are doing this exercise.

regards, Elise



#9 kwisj

kwisj
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 24 March 2010 - 03:34 AM

Hi Elise
Here you go again assuming things that you don't know. I tell you again you don't know why I asked my question, and neither do you need to know. Apart from I am doing a little exercise about how to remove values from the registry: that is what I said, that may be true or it may not be. I am not a student of anything. Maybe it's to do with my work, and I have told someone that I could do something for them, and I have found it more difficult than I thought, or maybe I'm at school and my teacher is getting on my case for not being able to do something. My issue with you is that you are assuming an awful lot of things without actually knowing anything about me. In addition, you don't have to know what I am doing. Like I say, I help out on a couple of music forums, and I have no interest why someone asks a question. If I can answer a question, I just do it. It is not my concern if they are stupid, lazy or using pirated software that did not come with a manual: they could even be selling my advice on. It really has nothing to do with me. So I really don't know what your problem is.
This is what I would have written if I had known the answer to a user question:
Be careful editing the registry as you can render the system inoperative.
Back the registry up you can do it from regedit, or you can use erunt
here are the steps export the registry entry from the registry to note pad,
edit it there with the following code
xxxyyyyzzz
"xyz"=-
import it back into the registry
reboot
hope this helps
Adios


I think this has gone on long enough for the sake of 2 lines of code! It would be cool to know what the moderators of this site think of this post. Maybe they could post a comment so that future users would know what they can or cannot ask!
kwisj

Edited by kwisj, 24 March 2010 - 03:36 AM.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:55 AM

Posted 24 March 2010 - 04:08 AM

It would be cool to know what the moderators of this site think of this post.

As Moderator of this site I can tell you we do not offer help to trainees of other malware removal schools to do their exercises.

Since everything important is said here, I am closing this topic.

regards, Elise
