
Locked Registry File - Suspected Backdoor


  • This topic is locked
8 replies to this topic

#1 moddman

Posted 15 April 2011 - 11:41 PM

    [HKEY_USERS\S-1-5-21-1060284298-1972579041-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*]
    "naonffchibafpgogjgclnodobema"=hex:6b,61,6d,68,67,62,67,67,65,6b,64,67,6a,6f,
    6a,6b,6f,6f,63,61,70,69,00,7c
    "oaiodcgpcjdbampefmaojmbimpcfgk"=hex:6b,61,6d,68,66,62,6c,64,6b,61,6d,70,6a,62,
    6c,6e,6c,6b,6c,67,70,65,00,7c
    "fbbmbjgcplfbcmiknkjlimppokinoofdlekkbfcpfepd"=hex:64,62,68,6c,65,61,6e,67,6a,
    64,62,6d,61,69,66,6f,6f,64,68,63,66,69,63,70,67,6f,6f,63,66,65,6b,67,65,69,\
    "abemflcobphlofkdmanidkbfppddpiplle"=hex:6a,63,6b,68,6a,62,69,6e,6e,67,6e,6b,
    68,6d,61,6d,6e,69,66,6f,64,6f,6c,68,62,68,66,68,68,62,63,66,62,6d,6b,62,66,\

Locked Registry File - Suspected Backdoor - I Cannot Delete it - I Cannot Remove it.
This is left over after I got hit by a virus and then the PC was cleaned. How do I remove this, since I am afraid it is a back door left behind by the virus?

Attached Files


Edited by moddman, 16 April 2011 - 04:11 AM.
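The hex data in the export above can be inspected offline without touching the registry. The following is an added example, not from the post or from any Farbar tool: it parses `.reg`-style `hex:` values, joins continuation lines, decodes the bytes, and flags values that contain an embedded NUL byte or were cut off mid-line (as the third and fourth values were when pasted). The sample input is constructed from the values quoted in post #1 and assumes standard `.reg` continuation syntax (trailing backslash), while also tolerating the bare-comma form left when a forum strips the backslash.

```python
import re
import string

# Constructed sample: the first two REG_BINARY values from the export quoted in
# post #1, with the trailing backslash a .reg file uses to continue a value onto
# the next line, plus one value cut off mid-line as the third and fourth were.
SAMPLE_REG = r'''
[HKEY_USERS\S-1-5-21-1060284298-1972579041-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*]
"naonffchibafpgogjgclnodobema"=hex:6b,61,6d,68,67,62,67,67,65,6b,64,67,6a,6f,\
  6a,6b,6f,6f,63,61,70,69,00,7c
"oaiodcgpcjdbampefmaojmbimpcfgk"=hex:6b,61,6d,68,66,62,6c,64,6b,61,6d,70,6a,62,\
  6c,6e,6c,6b,6c,67,70,65,00,7c
"fbbmbjgcplfbcmiknkjlimppokinoofdlekkbfcpfepd"=hex:64,62,68,6c,65,61,6e,67,6a,\
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>.*)$')
PRINTABLE = set(string.printable.encode()) - set(b'\t\n\r\x0b\x0c')

def parse_hex_values(reg_text):
    """Return (name, data, truncated) for every hex: value in a .reg export."""
    lines = [ln.strip() for ln in reg_text.splitlines()]
    results, i = [], 0
    while i < len(lines):
        m = VALUE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        hexpart, truncated = m['data'].strip(), False
        # A trailing backslash (.reg syntax) or bare comma (what survives when a
        # forum strips the backslash) means the value continues on the next line.
        while hexpart.endswith(('\\', ',')):
            if i < len(lines) and lines[i] and lines[i][0] not in '"[':
                hexpart = hexpart.rstrip('\\') + lines[i]
                i += 1
            else:           # export ended, or next key/value began, mid-value
                truncated = True
                break
        tokens = [t for t in hexpart.rstrip('\\').split(',') if t]
        results.append((m['name'], bytes(int(t, 16) for t in tokens), truncated))
    return results

def describe(data):
    """Render REG_BINARY bytes as text, escaping non-printable bytes as \\xNN."""
    return ''.join(chr(b) if b in PRINTABLE else '\\x%02x' % b for b in data)

def analyse(reg_text):
    """Map each value name to its decoded text, embedded-NUL flag and truncation flag."""
    return {name: {'decoded': describe(data), 'has_nul': 0 in data, 'truncated': trunc}
            for name, data, trunc in parse_hex_values(reg_text)}
```

Calling `analyse(SAMPLE_REG)` shows that each complete value is 22 ASCII letters followed by a NUL byte and `|`, i.e. inert binary data rather than anything that could execute on its own.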



#2 Farbar

  • Security Developer

Posted 19 April 2011 - 04:08 PM

Hi moddman,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Besides the locked registry items you have mentioned, I see on the GMER log other locked registry keys related to Daemon Tools. Are you still using Daemon Tools, or do you want to remove them too?

#3 moddman

  • Topic Starter

Posted 19 April 2011 - 07:43 PM

I uninstalled daemon tools a while ago, I did not use it since then. I would say go ahead with that as well. Thanks.

#4 Farbar

  • Security Developer

Posted 19 April 2011 - 10:42 PM

Please download MiniRegTool.zip and unzip it.
  • Run the tool.
  • Copy and paste the content of the code box into the edit box:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*]
    [HKEY_USERS\S-1-5-21-1060284298-1972579041-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*]
    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg
    HKLM\SYSTEM\CurrentControlSet\Services\sptd
    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg
    HKLM\SYSTEM\ControlSet003\Services\sptd
  • Check the Delete Key(s)/Value(s) including Locked/Null embedded radio button.
  • Press Go button and post the result.


#5 moddman

  • Topic Starter

Posted 19 April 2011 - 11:15 PM

MiniRegTool by Farbar
Ran by Enzo at 2011-04-19 23:14:25

====================================
[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*] deleted successfully.
[HKEY_USERS\S-1-5-21-1060284298-1972579041-839522115-1010\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7493A88-F6C9-EA39-3156-BD86547D6C87}*] not found.
HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\sptd deleted successfully.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg deleted successfully.
HKLM\SYSTEM\ControlSet003\Services\sptd deleted successfully.

#6 Farbar

  • Security Developer

Posted 19 April 2011 - 11:24 PM

Okay, they are taken care of. Do you have any questions?

#7 moddman

  • Topic Starter

Posted 20 April 2011 - 07:14 PM

Thank you for your expertise. If I had kept those reg entries... was it correct in my thinking that it was a suspected back door left on my PC? Especially the ones with the hex codes?

Edited by moddman, 20 April 2011 - 07:16 PM.


#8 Farbar

  • Security Developer

Posted 21 April 2011 - 12:54 AM

You are very welcome.

Those locked registry entries could not load anything. They were just leftovers and could not initiate any malicious activity by themselves. However, even in the case of the Daemon Tools leftovers, it is better to remove them to keep the registry free of them for better maintenance.

Happy surfing, moddman. :)

#9 Farbar

  • Security Developer

Posted 26 April 2011 - 01:03 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



