Need help removing infected Registry Keys


6 replies to this topic

#1 _vorkosigan
  • Members, 14 posts

Posted 25 July 2018 - 02:59 AM

Hello!

 

I originally started a thread here:

 

https://www.bleepingcomputer.com/forums/t/680185/cant-remove-trojandisabledavsecuritycerts-in-infected-registry-keys/

 

And I was told to come here? :) 

 

The infected keys are related to blocking anti-virus software, as I understand. 

 

All the info is in the previous thread, but if there's anything you'd like me to reproduce, just let me know. 

 

A recent fixlog is pasted below. 

 

Many thanks for your help!!

 

Warmest,
Nat

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by pc (10-07-2018 21:21:13) Run:4
Running from C:\Users\pc\Downloads\FRST
Loaded Profiles: pc (Available Profiles: pc)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
CloseProcesses:
 
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== ATTENTION
Hosts:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 => could not remove, key could be protected
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F => could not remove, key could be protected
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA => could not remove, key could be protected
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF => could not remove, key could be protected
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 10-07-2018 21:22:29)
 
 
Result of scheduled keys to remove after reboot:
 
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 => could not remove, key could be protected
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F => could not remove, key could be protected
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA => could not remove, key could be protected
HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF => could not remove, key could be protected
 
==== End of Fixlog 21:22:29 ====
 



 


#2 jenae
  • Members, 601 posts

Posted 25 July 2018 - 05:19 AM

Hi, looks like you are in somewhat of a pickle. I can see from the Farbar details the registry keys you're concerned about; there are 8 of them, is this correct?

 

Go to search and type:- command prompt, right click on the returned command prompt and select "run as administrator"; an elevated cmd prompt will open. Copy the below cmd, then right click anywhere in the cmd prompt window and select "paste"; the cmd will append to the prompt. Press enter.

 

reg query "HKLM\Software\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947" > 0 & notepad 0 

 

Notepad will open with some data; please paste this into your reply, I want to look at one of the entries. I believe you have already navigated to the keys and tried to delete them, is this so? Did you receive any error messages? Could you right click on one of the entries and select "permissions"; when the permissions dialogue box opens select "advanced" and tell me what shows at the top next to "owner".
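The permissions question in the reply above is the right one: "could not remove, key could be protected" in the FRST log usually means the key's owner has been changed and/or a DENY ACE has been put on it. The PowerShell script below is added to this page as a worked example; it is not code posted by anyone in the thread. It lists every entry in the machine-wide Disallowed store (the native 64-bit view, the WOW6432Node view that the later export turned out to come from, and the Group Policy certificate store), reports the owner and any DENY ACEs per key, and, once the report has been reviewed, takes ownership of and deletes the four thumbprints named in the fixlog. The thumbprints are the ones from the FRST log; the function names, the `TokenPriv` helper, the choice of BUILTIN\Administrators as the new owner and the store paths list are this example's own assumptions. Run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the thread: audit the machine-wide "Disallowed" certificate store
# for entries that blacklist a security vendor's code-signing certificate, show why a key
# resists deletion (owner, DENY ACEs), and remove it by taking ownership first. The four
# thumbprints are from the FRST fixlog above; every other name here is this example's own.
$SuspectThumbprints = @(
    'AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947',   # AVG Technologies CZ (per FRST)
    'AD4C5429E10F4FF6C01840C20ABA344D7401209F',   # Avast Software      (per FRST)
    'DB77E5CFEC34459146748B667C97B185619251BA',   # Avast Software      (per FRST)
    'E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF'    # AVG Technologies CZ (per FRST)
)
$Hklm64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')   # explicit 64-bit view
# Where a machine-wide Disallowed entry can live: native view, 32-bit WOW6432Node view, Group Policy store.
$StoreSubKeys = @(
    'SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates',
    'SOFTWARE\WOW6432Node\Microsoft\SystemCertificates\Disallowed\Certificates',
    'SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates'
)

# SeTakeOwnershipPrivilege is in an elevated token but disabled. Enabled, it grants WRITE_OWNER
# on any key regardless of its DACL, which is how a "protected" key gets reclaimed.
if (-not ('TokenPriv' -as [type])) { Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, int access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TokPriv1Luid state,
                                             int len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string privilege) {
        IntPtr token;   // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out token)) return false;
        var tp = new TokPriv1Luid { Count = 1, Attr = 2 };   // 2 = SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) return false;
        // AdjustTokenPrivileges succeeds even when it assigned nothing, so check the error too.
        return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;
    }
}
'@
}

function Get-DisallowedCertReport {
    # One row per registry entry. Compare with Get-ChildItem Cert:\LocalMachine\Disallowed,
    # which lists what CryptoAPI (and therefore Authenticode) actually honours.
    foreach ($store in $StoreSubKeys) {
        $parent = $Hklm64.OpenSubKey($store)
        if (-not $parent) { continue }
        foreach ($name in $parent.GetSubKeyNames()) {
            $owner = 'UNREADABLE'; $deny = ''; $hasBlob = 'UNREADABLE'
            try {   # READ_CONTROL only; fails when the DACL denies even that
                $acl   = $Hklm64.OpenSubKey("$store\$name", 'ReadSubTree', 'ReadPermissions').GetAccessControl()
                $owner = $acl.GetOwner([System.Security.Principal.NTAccount]).Value
                $deny  = ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                          ForEach-Object { "$($_.IdentityReference)=$($_.RegistryRights)" }) -join '; '
            } catch { $deny = $_.Exception.Message }
            try { $hasBlob = $null -ne $Hklm64.OpenSubKey("$store\$name").GetValue('Blob') } catch { }
            [pscustomobject]@{
                Store = $store; Thumbprint = $name; Suspect = ($SuspectThumbprints -contains $name.ToUpper())
                Owner = $owner; DenyACEs = $deny; HasBlob = $hasBlob   # real entries carry a Blob value
            }
        }
    }
}

function Remove-DisallowedCertKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    [void][TokenPriv]::Enable('SeTakeOwnershipPrivilege')
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    foreach ($store in $StoreSubKeys) {
        $parent = $Hklm64.OpenSubKey($store, $true)
        if (-not $parent -or ($parent.GetSubKeyNames() -notcontains $Thumbprint)) { continue }
        $sub = "$store\$Thumbprint"
        # 1. Open with WRITE_OWNER only and write just the owner. A fresh RegistrySecurity
        #    persists only the section that was set, so the unreadable DACL never matters.
        $k  = $Hklm64.OpenSubKey($sub, 'ReadWriteSubTree', 'TakeOwnership')
        $sd = New-Object System.Security.AccessControl.RegistrySecurity
        $sd.SetOwner($admins); $k.SetAccessControl($sd); $k.Close()
        # 2. The owner implicitly holds READ_CONTROL and WRITE_DAC: drop every DENY ACE,
        #    grant Administrators FullControl.
        $k   = $Hklm64.OpenSubKey($sub, 'ReadWriteSubTree', 'ReadPermissions, ChangePermissions')
        $acl = $k.GetAccessControl()
        $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
        $k.SetAccessControl($acl); $k.Close()
        # 3. Delete, then verify against a fresh enumeration of the parent.
        $parent.DeleteSubKeyTree($Thumbprint, $false)
        [pscustomobject]@{ Key = "HKLM\$sub"; Removed = ($parent.GetSubKeyNames() -notcontains $Thumbprint) }
    }
}

Get-DisallowedCertReport | Format-Table -AutoSize
# After reviewing the report: $SuspectThumbprints | ForEach-Object { Remove-DisallowedCertKey -Thumbprint $_ }
```

Two caveats a responder would want. First, `certutil -store Disallowed` and `Get-ChildItem Cert:\LocalMachine\Disallowed` show the store as CryptoAPI sees it, so a thumbprint that appears there but not in the registry report (or the reverse) tells you which view the entry really lives in. Second, an ACL fix does not help when the key is guarded by something other than permissions: a kernel driver registered for registry callbacks can veto the delete, and a key whose name contains an embedded NUL cannot be opened through the Win32 registry API at all, which is what makes reg.exe and regedit come back empty or with an error. Those are the cases where editing the hive offline, as suggested later in the thread, is the right tool.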



#3 _vorkosigan
  • Topic Starter
  • Members, 14 posts

Posted 25 July 2018 - 10:43 AM

Thank you!

 

When I pasted that exact command, it created a Notepad that was completely blank, unfortunately. No content or data whatsoever. 

 

Yes, I have navigated to the keys and tried to delete them, as detailed in the original post I think, along with the error messages. I think this was it:

 

"I followed the instructions on the bitdefender page. 

 

When I opened certmgr, and opened the 'Untrusted Certificates Folder', There was only one folder inside, called "Certificate Trust List"

 

I'm attaching 2 screenshots when I opened what's in there: https://imgur.com/a/MQXMyKd"

 

Thank you for your help!



#4 jenae
  • Members, 601 posts

Posted 25 July 2018 - 09:23 PM

Hi, well I was guessing the right path. Could you navigate to the offending registry entries and highlight one; from the main regedit menu select "file" and "export" and send it to the desktop. Right click on the saved file and select "edit"; it will open in notepad. Copy and paste this detail in your response.

 

What I am thinking is there is a "handle" on these keys. If we boot to the RE (repair your computer) we can load the software registry hive, delete the entries there and unload the hive; this, I am hoping, will be rid of them. If this happened only recently it may be possible to use Windows regback to restore a previous registry. By default Windows takes a registry backup of the 5 hives (including software) every 7-10 days; we can restore this if the dates are before your problem, which should fix the problem. Open Explorer, navigate to system32\config\regback and open the file (may have to get UAC approval, say continue); the dates created will show. Let me know if this was before the problem.



#5 _vorkosigan
  • Topic Starter
  • Members, 14 posts

Posted 25 July 2018 - 10:55 PM

Hello,

 

This is the detail: 

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947]
 
That's all there is. 
 
Unfortunately, this was more than 10 days ago. My original post was July 6, so this was around then. 
 
Thanks!


#6 jenae
  • Members, 601 posts

Posted 26 July 2018 - 12:14 AM

Hi, well my cmd was right; there are no sub keys and no value data, this is good.
 
Are you comfortable with modifying the registry? You need to boot to the RE (press and hold the shift key while clicking on "restart"); the RE will open. Choose Troubleshoot, then Advanced, then Command prompt. It will have:-
 
x:\windows\system32 > at the prompt. 
 
In this diagnostic mode the OS is not always assigned to the C: drive we need to establish what drive letter the RE has assigned the OS.
 
At the cmd prompt type:- 
 
bcdedit  | find "osdevice" (press enter)
 
The drive letter returned by this cmd is the letter we use in our cmds (type exactly as you see here, including the " "; the | is called a pipe and can be found above the \ key).
 
Syntax is important, type exactly as you see here, best if you print these instructions, as you will not be able to see them in this mode.
 
Often in win 10 it is D (we will use this in our example)
 
At the prompt type D: (press enter)
 
The prompt now looks like  D:\>
 
At this we type:-
 
Reg Load HKLM\TEMP\ D:\Windows\system32\Config\Software (press enter)
 
Next type:-
 
Regedit.exe (press enter)
 
Registry editor will open, Navigate to HKLM then to TEMP and expand to:-
 
Microsoft\SystemCertificates\Disallowed\Certificates\ YOU KNOW WHICH ONES YOU NEED. 
 
Also looks like they are in:-
 
WOW6432Node\Microsoft\SystemCertificates\Disallowed\Certificates\
 
You will need to go to both locations, select the relevant keys, right click and select Delete. If they delete you may be in luck; do this for all of them.
 
When finished at the cmd prompt type:-
 
Reg Unload HKLM\TEMP (press enter), then exit out and restart the computer in normal mode.

Edited by jenae, 26 July 2018 - 12:16 AM.
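The offline-hive procedure in the post above, scripted as an added example (not jenae's or anyone else's code from the thread), with the same reg.exe commands but every step checked and a rollback export taken first. It is written for an environment that has PowerShell and sees the infected disk without having booted from it (WinPE with the PowerShell optional component, or a second Windows install with the disk attached); the stock WinRE command prompt has no PowerShell, so there you type the reg.exe lines this script runs, exactly as the post describes. The mount name HKLM\OFFSOFT, the D:\Windows default and the backup path are this example's own choices; the thumbprints are the four from the FRST fixlog.

```powershell
# Added example, not code from the thread: offline removal of Disallowed-store keys from the
# SOFTWARE hive of a Windows that is NOT booted, using reg.exe load / delete / unload.
# HKLM\OFFSOFT, D:\Windows and the backup file name are this example's assumptions.
param(
    [string]$OfflineWindows = 'D:\Windows',   # drive letter reported by: bcdedit | find "osdevice"
    [string]$Mount = 'HKLM\OFFSOFT',
    [string[]]$Thumbprints = @(
        'AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947', 'AD4C5429E10F4FF6C01840C20ABA344D7401209F',
        'DB77E5CFEC34459146748B667C97B185619251BA', 'E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF')
)
$HiveFile = Join-Path $OfflineWindows 'System32\config\SOFTWARE'
# Both views live inside the one SOFTWARE hive (post #5 showed the key under WOW6432Node).
$Views = @('Microsoft', 'WOW6432Node\Microsoft')

function Invoke-Reg {
    # Run reg.exe and surface its exit code; "not found" and "access denied" both exit 1,
    # so the message is kept as well.
    param([string[]]$Arguments)
    $out = & reg.exe @Arguments 2>&1 | ForEach-Object { $_.ToString() }
    [pscustomobject]@{ Ok = ($LASTEXITCODE -eq 0); Output = ($out -join ' ').Trim() }
}

if (-not (Test-Path -LiteralPath $HiveFile)) { throw "No SOFTWARE hive at $HiveFile" }
# The hive of the running OS is locked, and editing the wrong one is the classic mistake.
if ((Get-Item -LiteralPath $OfflineWindows).FullName.TrimEnd('\') -ieq $env:SystemRoot.TrimEnd('\')) {
    throw "$OfflineWindows is the Windows you are running; boot WinPE/WinRE and retry."
}

$load = Invoke-Reg @('load', $Mount, $HiveFile)
if (-not $load.Ok) { throw "reg load failed: $($load.Output)" }
try {
    # Rollback copy of the whole Disallowed store before anything is deleted.
    $backup = Join-Path $env:TEMP 'Disallowed-before.reg'
    $exp = Invoke-Reg @('export', "$Mount\Microsoft\SystemCertificates\Disallowed", $backup, '/y')
    if (-not $exp.Ok) { Write-Warning "backup failed: $($exp.Output)" }

    foreach ($view in $Views) {
        foreach ($tp in $Thumbprints) {
            $key = "$Mount\$view\SystemCertificates\Disallowed\Certificates\$tp"
            if (-not (Invoke-Reg @('query', $key)).Ok) { continue }   # absent in this view
            $del = Invoke-Reg @('delete', $key, '/f')
            [pscustomobject]@{
                Key     = $key
                Deleted = $del.Ok -and -not (Invoke-Reg @('query', $key)).Ok
                # "Access is denied" here means a DACL stored in the hive itself, which
                # booting offline does not bypass; fix permissions in regedit, then rerun.
                Note    = $(if ($del.Ok) { '' } else { $del.Output })
            }
        }
    }
} finally {
    # Anything still holding a handle under the mount point makes unload fail (exit code 1).
    $unload = Invoke-Reg @('unload', $Mount)
    if (-not $unload.Ok) { Write-Warning "reg unload failed: $($unload.Output)" }
}
```

What the offline method actually removes is interference from software running on the infected system (drivers with registry callbacks, processes holding handles), not the key's own permissions: ACLs are stored in the hive and are enforced just the same once it is loaded. The `Note` column makes that distinction visible, and the `finally` block guarantees the hive is unloaded even when a delete throws, because a hive left loaded under HKLM\OFFSOFT keeps the file locked and the offline Windows will not have it on next boot.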


#7 jenae
  • Members, 601 posts

Posted 26 July 2018 - 02:07 AM

Hi, sorry, I should have included this in the previous post: it is essential that you uninstall all third party AVs that you might have on your computer; they will conflict with any attempts to repair this (fortunately not in the RE, however when you boot to normal mode).

 

Google for the developer's uninstall util; it is important that you run this. Even if you have uninstalled any AVs and not run their uninstaller, do so now.

 

Use only Windows defender and Windows defender firewall.





