
Couldn't delete a reg key from the CF sandbox


2 replies to this topic

#1 zed_711

zed_711

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 09 May 2011 - 08:28 AM

Hi all; I usually test some new (probably portable) apps in the Comodo Firewall sandbox; my last test was not so lucky because the program was not portable and started the default browser (in the sandbox). Now I can't delete the reg key it has created. The program to test was the latest version of MVRegClean.exe (VT 0/43).
I have tried everything I know: PsExec, safe mode admin, Process Hacker (regedit as NT AUTHORITY\SYSTEM), but I was not able to delete it. Could anyone help me? Thanks.

Windows Registry Editor Version 5.00

; This is the only and main key of CF sandbox
[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\Interface]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]

[HKEY_LOCAL_MACHINE\SYSTEM\VritualRoot\MVREGCLEAN.EXE\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]



#2 hamluis

hamluis

  • Moderator
  • 55,556 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:02 PM

Posted 09 May 2011 - 10:37 AM

http://www.prevx.com/filenames/1477759230075093644-X1/MVREGCLEAN.EXE.html

http://forums.comodo.com/defense-sandbox-help-cis/unable-to-delete-a-sand-app-reg-key-t72455.0.html

Louis

#3 zed_711

zed_711
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 09 May 2011 - 11:53 AM

I have no active malware or so on, because the installer was extracted and the ({app}) ran in the sandbox. The only thing left is that reg key, which I'm not able to delete. I don't think it's due to elevation privilege as the ({app}) was in the sandbox; moreover, this is the VT report for the installer:

http://www.virustotal.com/file-scan/report.html?id=7d649c3618748e86bac8b6189b65d974146c90d46822bacd68589553bff5fd54-1304045226

and this one for the executable in the {app} folder:

http://www.virustotal.com/file-scan/report.html?id=7357cc06dadec4ded50500faab2cafc4dde0706d39169e0369acfc0f641c535e-1296167278

Thanks.

Edited by zed_711, 09 May 2011 - 12:25 PM.




