The Geek Forum
Author Topic: Pesky Registry  (Read 4731 times)

Novice

Pesky Registry
« on: July 27, 2010, 12:23:03 AM »

So, I got a few malicious .dll files in my appdata/local folder. I couldn't delete 'em and Trend Micro couldn't either (though it found them). Anyway, I scanned with Trend Micro in safe mode and was able to delete the .dll files.

However, when I started back up normally, I got some errors about those .dll files not being able to run (obviously they were deleted). So I found the startup keys in msconfig and disabled them. So, now they don't try to start up the deleted files, among other things.

The problem is the startup keys are still in there. The location using msconfig is listed as this:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I went to HKEY_CURRENT_USER (HKCU) and followed the path but nothing's there! Well, not what I was looking for. I suppose the problem is resolved for the most part but I'd like to get rid of the keys.

I tried CCleaner because I figured if the key was pointing to a .dll that wasn't there, I could delete it. Alas, it's still there.

Any ideas? </novice>


PS: A majority of the startup items I found are also in this location according to msconfig, but they aren't there when I follow the path in regedit.
Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors. How can you challenge a perfect, immortal machine?
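An added example, not code from the thread, for the situation the first post describes: it enumerates the autostart locations msconfig reads and reports any entry whose command references a file that no longer exists. The key paths are standard Windows locations; the path-matching pattern is a heuristic of this example's own. It only reports, it deletes nothing.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # On 64-bit Windows, entries written by 32-bit software are redirected here
    # while tools still report the un-redirected path; regedit must be pointed at it.
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Items disabled through msconfig on XP/Vista/7 are moved under this key (one
# subkey per item, with a 'command' value). msconfig keeps displaying the original
# Run location, which is why the Run key itself can look empty in regedit.
$msconfigDisabled = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'

# Heuristic (this example's assumption): pull drive-letter paths ending in a
# program-like extension out of the command line, e.g. the DLL in a rundll32 call.
$pathPattern = '(?i)[a-z]:\\[^"<>|*?]+?\.(?:exe|dll|com|scr|bat|cmd|vbs|js)\b'
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }   # skip provider metadata, keep real values
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    if (Test-Path $msconfigDisabled) {
        foreach ($sub in Get-ChildItem -Path $msconfigDisabled) {
            $cmd = (Get-ItemProperty -Path $sub.PSPath).command
            [pscustomobject]@{ Location = "$msconfigDisabled (disabled by msconfig)"
                               Name = $sub.PSChildName; Command = [string]$cmd }
        }
    }
}

foreach ($e in Get-AutorunEntries) {
    $expanded = [Environment]::ExpandEnvironmentVariables($e.Command)
    # Any referenced path that no longer exists marks the entry as a leftover.
    $missing = [regex]::Matches($expanded, $pathPattern) |
        ForEach-Object { $_.Value } |
        Where-Object { -not (Test-Path -LiteralPath $_) }
    $status = if ($missing) { 'TARGET MISSING' } else { 'ok' }
    '{0,-14} {1} | {2} -> {3}' -f $status, $e.Name, $e.Location, $e.Command
}
```

Entries flagged TARGET MISSING can then be removed from the reported location with Remove-ItemProperty (or Remove-Item for a startupreg subkey) once you have confirmed what they were.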

ivan

Re: Pesky Registry
« Reply #1 on: July 27, 2010, 01:13:23 AM »

If you're running XP or Vista, do a registry roll-back. Worked for me.

http://en.wikipedia.org/wiki/System_Restore
"I TYPE 120 WORDS PER MINUTE, BUT IT'S IN MY OWN LANGUAGE!"  -Detta

xolik: WHERE IS OBAMA'S GIFT CERTIFICATE?
Demosthenes: Is that from the gifters movement?


Detta: Crappy old shorts and a tank top.  This is how I dress for work. Because my job is to get puked on.
Demosthenes: So is mine.  I work in IT.


bananaskittles: The world is 4chan and God is a troll.

Novice

Re: Pesky Registry
« Reply #2 on: July 27, 2010, 08:28:00 AM »

Gave this a try. Stupid thing was there as far back as the 23rd apparently. I suppose I need to go further back though that kind of worries me.

ivan

Re: Pesky Registry
« Reply #3 on: July 27, 2010, 10:35:57 AM »

You can always undo the rollback.

And you're not losing any data by doing this, but you'll have to re-install any app you installed after the rollback point.

Novice

Re: Pesky Registry
« Reply #4 on: July 27, 2010, 01:10:26 PM »

Looks like the 19th was the ticket. I guess I just thought that I could manually do something about this without reverting to an old version of my registry.

Oh well. Thanks, ivan.

Clear_Runway

Re: Pesky Registry
« Reply #5 on: July 27, 2010, 01:20:49 PM »

registries are so gay. it's like something microsoft put in there to deliberately be as inaccessible as possible.
"Scatman, fat man, black and white an brown man, tell me 'bout the color of your soul"
- RIP Scatman John

http://themanicnerd.blogspot.com/

ivan

Re: Pesky Registry
« Reply #6 on: July 27, 2010, 01:22:05 PM »

> I guess I just thought that I could manually do something about this without reverting to an old version of my registry.

Well, roll your registry forward again and screw around with it. Can't do no harm.

I did battle with a malignancy a while ago. The instructions for removing it by hand were baffling, and probably not actually tried by anyone. The most common advice I could find, from several sources, was to reinstall the OS. And amidst all this hand-wringing I found one guy who suggested, simply, to do a system restore to last known good.

Elegant.

Novice

Re: Pesky Registry
« Reply #7 on: July 27, 2010, 01:50:04 PM »

I've done restore countless times before on my parents' old ME machine. Actually, I've re-installed the OS countless times. But this was usually due to what seemed to be memory issues / programs accessing protected or read-only memory. I've never had to re-install because of a virus; I can usually delete or at least disable them.

Novice

Re: Pesky Registry
« Reply #8 on: July 27, 2010, 01:50:37 PM »

> registries are so gay. it's like something microsoft put in there to deliberately be as inaccessible as possible.

Quite.

TheJudge

Re: Pesky Registry
« Reply #9 on: July 28, 2010, 12:24:39 AM »

did you try spybot?

ivan

Re: Pesky Registry
« Reply #10 on: July 28, 2010, 02:12:57 AM »

I know you weren't asking me, but I'll answer anyway:

Yes.

Spybot is first line of defense.


Novice

Re: Pesky Registry
« Reply #11 on: July 28, 2010, 10:01:18 AM »

I usually do. Spybot and Trend Micro like to bitch at each other and try and get me to uninstall the other one so I don't keep it around anymore. I didn't this time just because Trend Micro got rid of most of it. At least, as much as I figured Spybot would have.

Novice

Re: Pesky Registry
« Reply #12 on: August 04, 2010, 07:12:29 PM »

It came back!  :x

12AX7

Re: Pesky Registry
« Reply #13 on: August 04, 2010, 09:59:18 PM »

Have you checked your floppy for bad clusters? Viruses like to hide in those. Sometimes that's the only visual indication.

ivan

Re: Pesky Registry
« Reply #14 on: August 05, 2010, 02:26:31 AM »

> Have you checked your floppy for bad clusters? Viruses like to hide in those. Sometimes that's the only visual indication.

TMI, dude.

Clear_Runway

Re: Pesky Registry
« Reply #15 on: August 09, 2010, 09:29:02 PM »

this doesn't actually have anything to do with the registry per se, but whatever:

my sister wants me to install an old game on her computer for nostalgia's sake. so i install it without a hitch. i try to run it. it wants a dll. i download the dll and put it in the appropriate directory. i try to run it again. it wants another dll. i search for the dll for several minutes before concluding that intel must be very stingy with this sort of thing. the only information i was able to glean is that this dll can be found on the disk for a completely different game, which i am downloading right now (all 700 mb of it). i'm justifying it to myself because i won't actually be playing the game, just grabbing the dll, and i have the right to use the dll because the program used to run on our old win95 box, so it must have been present.

Novice

Re: Pesky Registry
« Reply #16 on: August 09, 2010, 10:02:06 PM »

I always run away from things that demand .dll files when installing them. Mostly because that was always the fake error message I used when I tricked someone into installing my trojanz.

Clear_Runway

Re: Pesky Registry
« Reply #17 on: August 09, 2010, 10:51:44 PM »

i know that this is legit. i've had the disks for ages. and the only reason it wants the dlls is because of some dependency that microsoft got rid of.

Novice

Re: Pesky Registry
« Reply #18 on: September 06, 2010, 09:05:50 PM »

Just to follow-up, it came back again. I was able to get rid of most of the malicious files that tried to run, but it would always come back after a week or so.

Also, I was having this redirection problem where any Google link took me to a fake anti-virus or online meds website. I figured I had some kind of root kit going on or something trying to put me in a bot net.

I ended up using all of the following:
- McAfee (Install)
- Spybot (Install)
- Hijack This (Executable)
- A root kit fixer by Kaspersky Lab ZAO (Executable)
- Malwarebytes' Anti-Malware (Install)
- SUPERAntiSpyware (Executable)

I bought McAfee, installed it, ran the scan, then got a refund. :)

They all found something different (except I didn't actually have a root kit). After running all that, I haven't had any issues since.

*crosses fingers*
« Last Edit: September 06, 2010, 09:08:00 PM by Novice »