Registry Entries


  • This topic is locked
5 replies to this topic

#1 AwffKkilter

AwffKkilter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 05 September 2013 - 03:55 PM

Hello,

I need to find out if it is ok to delete a registry entry entitled "HKEY_LOCAL_MACHINE\SOFTWARE\Updater By SweetPacks". I followed steps provided in one of your other topics to get rid of the 'SweetPacks' virus/adware/malware. My MBAM is not finding anything which is active regarding 'SweetPacks'. Today I decided to look through the registry and found the entry listed above. It has also created a new user group called "CREATOR OWNER" with 'Special Permissions', which seems to be full control basically. The boxes to change permissions are grayed out. Is it ok to delete this entry or do I need to take supplemental steps to remove it? I may not even be able to delete it without permission. Thank you for your assistance. Your site is very informative and helpful.

 

AwffKkilter 


Edited by AwffKkilter, 05 September 2013 - 04:04 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:52 PM

Posted 05 September 2013 - 04:18 PM

Yes, that is an infection.

If you want to play it safe this tool will do it.


ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.



Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

#3 AwffKkilter

AwffKkilter
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 05 September 2013 - 05:44 PM

Thank you for your reply,

I downloaded AdwCleaner, ran it and found nothing in the registry. Here is the log file:

 

# AdwCleaner v3.002 - Report created 05/09/2013 at 16:04:20
# Updated 01/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Tony - PSYCLONE2
# Running from : C:\Users\Tony\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16660
 
 
-\\ Mozilla Firefox v21.0 (en-US)
 
[ File : C:\Users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\3gbkbyss.default\prefs.js ]
 
 
[ File : C:\Users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\[opt]rs0\prefs.js ]
 
 
-\\ Google Chrome v29.0.1547.66
 
[ File : C:\Users\Tony\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted : urls_to_restore_on_startup
 
*************************
 
AdwCleaner[R0].txt - [2726 octets] - [03/09/2013 09:57:43]
AdwCleaner[R1].txt - [1140 octets] - [05/09/2013 16:03:20]
AdwCleaner[S0].txt - [2833 octets] - [03/09/2013 10:00:18]
AdwCleaner[S1].txt - [1064 octets] - [05/09/2013 16:04:20]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1124 octets] ##########

 

Malwarebytes Anti-Malware finds no threats.

Log file:

 

Database version: v2013.09.05.03
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Tony :: PSYCLONE2 [administrator]
 
Protection: Enabled
 
9/5/2013 4:07:14 PM
mbam-log-2013-09-05 (16-07-14).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 248761
Time elapsed: 2 minute(s), 34 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 

The registry entry is still present. I am also not finding any unusual processes or services running.

 

I don't know if this helps, but here is a text version of the entry and its values:

 

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Updater By SweetPacks
Class Name:        <NO CLASS>
Last Write Time:   9/5/2013 - 2:15 PM
Value 0
  Name:            WSG_redirectQueryParam1
  Type:            REG_SZ
  Data:            {66D90F7F-9D78-11E2-8642-BC5FF4467C16}
 
Value 1
  Name:            WSG_redirectQueryParam2
  Type:            REG_SZ
  Data:            3.5000006.10042&st=21
 
Value 2
  Name:            WSG_status
  Type:            REG_SZ
  Data:            active
 
Value 3
  Name:            WSG_gtQueryParam
  Type:            REG_SZ
  Data:            UA-37457264-2
 
Value 4
  Name:            version
  Type:            REG_SZ
  Data:            2.0.0.566
 
Value 5
  Name:            ToolbarID
  Type:            REG_SZ
  Data:            ff04ee6549954375a2f833a3f3bbab95
 
Value 6
  Name:            installer_name
  Type:            REG_SZ
  Data:            hsbing_717_active_2013-04-04-16-39-29
 
Value 7
  Name:            product_name
  Type:            REG_SZ
  Data:            Updater By SweetPacks
 
Could it be waiting for the right program to be opened up to activate it? I think I got it with Internet Explorer and I very rarely use it. Also, I haven't opened it up for a while.
 
Thanks again

Edited by AwffKkilter, 05 September 2013 - 05:45 PM.
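As an added example that is not part of the thread: a small Python parser for the regedit text-export format quoted in the post above, plus a check that flags values naming the SweetPacks updater. The marker strings are an assumption drawn from the posted dump, not a vendor signature.

```python
import re

# Constructed sample in the same format as the dump posted above (regedit's
# "Export registry file" in text form), abbreviated to three of its eight values.
SAMPLE_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\Updater By SweetPacks
Class Name:        <NO CLASS>
Last Write Time:   9/5/2013 - 2:15 PM
Value 0
  Name:            WSG_status
  Type:            REG_SZ
  Data:            active

Value 1
  Name:            version
  Type:            REG_SZ
  Data:            2.0.0.566

Value 2
  Name:            product_name
  Type:            REG_SZ
  Data:            Updater By SweetPacks
"""

# One "Field:   value" line; trailing whitespace is dropped from the value.
FIELD = re.compile(r"^\s*(Key Name|Class Name|Last Write Time|Name|Type|Data):\s*(.*?)\s*$")

def parse_text_export(text):
    """Return {key, class, last_write, values: [{name, type, data}, ...]}."""
    key = {"key": None, "class": None, "last_write": None, "values": []}
    current = None
    for line in text.splitlines():
        if line.startswith("Value "):          # "Value N" opens a new value block
            current = {"name": None, "type": None, "data": None}
            key["values"].append(current)
            continue
        m = FIELD.match(line)
        if not m:
            continue
        field, val = m.groups()
        if field == "Key Name":
            key["key"] = val
        elif field == "Class Name":
            key["class"] = val
        elif field == "Last Write Time":
            key["last_write"] = val
        elif current is not None:              # Name / Type / Data of the current value
            current[field.lower()] = val
    return key

# Hypothetical indicator list built from the values in the posted dump.
SWEETPACKS_MARKERS = ("sweetpacks", "wsg_")

def flag_adware(parsed):
    """List the key path and value names that carry a SweetPacks marker."""
    hits = [v["name"] for v in parsed["values"]
            if any(mk in f"{v['name']}={v['data']}".lower() for mk in SWEETPACKS_MARKERS)]
    if "sweetpacks" in (parsed["key"] or "").lower():
        hits.insert(0, parsed["key"])
    return hits
```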


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:52 PM

Posted 05 September 2013 - 07:50 PM

Weird!! However it's holding on, we can get it, but we need to repost. Do steps 6, 7 and 8 here.
Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#5 AwffKkilter

AwffKkilter
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 06 September 2013 - 10:44 AM

How's it going today?

I started a new topic with the info you requested. ( Odd Registry Entries and files ). My PC seems to be fine but I am becoming suspicious of just about everything. I was looking through my 'Programs and Features' and noticed 'Google Toolbar'. So I uninstalled it. Once it was finished, then 'Internet Explorer Toolbar 4.7 by Sweetpacks' suddenly appeared. My intention was to completely avoid Internet Explorer, but when I uninstalled the Google Toolbar, it directed me to the 'Why are you leaving us' webpage. And, of course, it opened up in Internet Explorer. 

 

I also found a couple of registry entries which were trying to take away the ability to modify or edit my registry and to allow a program to 'cut copy and paste'. I'm not sure if that is normal or not (doesn't seem like it).

 

Anyway, I'm off to work so I will check these topics later this afternoon. Thanks again for your assistance.



#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:52 PM

Posted 06 September 2013 - 10:52 AM

MRL topic
http://www.bleepingcomputer.com/forums/t/506935/odd-registry-entries-and-files/

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 2 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.



