Removing bad registry key

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sheezwack, Sep 30, 2006.

  1. Sheezwack

    Sheezwack Private E-2

    Hi All,

    I have had a few problems but I think most are taken care of, except this one.

    I had a dodgy account appear on my PC and noticed a service called WinYhd which was owned by the account. I had already removed the account but cannot remove the service. When I check the registry key the permissions are only set to read for SYSTEM.

    Is there any way I can remove these registry keys? Basically there is no one with permission for the key so I can't get rid of it.

    Any ideas?

    Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Sheezwack

    Sheezwack Private E-2

    Thanks Chaslang,

    I have tried that, even doing run as administrator, but the problem is it says I don't have permission to change the permissions. Hence I can't get permission to remove it.

    I am logged in as administrator and it still doesn't work. When I select the key WinYhd it says "Cannot open WinYhd: error while opening key". Then I right click it and go to Permissions and it says "You do not have permission to view the current permissions but you can make permission changes".

    So I try that, and add 'Administrator' with full permissions, then press okay and it says "access denied".


    Any other ideas?

    P.S. I booted the PC up with miniPE, and was able to view the key; however I still couldn't delete it or change the permissions.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are we talking about a registry key or are we talking about a service you need to stop, disable and delete?

    If it is a Service, how does it show up in your Services list (use services.msc to see all services). What is the Name given in the list? And when you double click on the service name, what does it show for Display name:

    Also what does it show for Startup type: and Service status:
     
  5. Sheezwack

    Sheezwack Private E-2

    Well there is both actually. First I noticed the service called WinYhd that I couldn't remove, which belonged to a dodgy account that appeared on my PC.

    Then I found some registry keys matching the name WinYhd.

    Here are the service details:

    Service Name : WinYhd
    Display Name : WinYhd
    Description : Enables network access to local devices via iSCSI protocol.
    Path to Exec: "C:\Program Files\Windows NT\BPW.exe"
    Startup Type: Automatic
    Service Status: Stopped
    Log on as: .\BzlffMPOr


    I have already removed the bpw.exe file; that whole directory was full of dodgy exe files which I removed with a boot image.

    There was a dodgy account BzlffMPOr in my users on Windows XP which I removed. No idea when it appeared.

    I have tried removing the service but I get some permission denied error saying that SYSTEM did not have permission to remove it.


    The original reason I wanted to remove it, apart from the fact I believe it's dodgy, is that I can't boot into safe mode and I think that is the reason.



    After I removed the user account and tried to boot into safe mode, my event viewer gave me these messages:

    After I deleted the exe file I got


    So I'm not sure what to do next :(
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can try the below!

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to WinYhd ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    WinYhd

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.


    If the above does not work, you will have to continue on to the below to do our full cleaning procedures because it could mean other malware is at work.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.



    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  7. Sheezwack

    Sheezwack Private E-2

    Okay tried all of that, here is what happened:

    In the first step the service was already stopped. However when I tried to change it from automatic to disabled I get "Permission Denied".

    Next in HJT, I tried to delete the service but it said "Service WinYhd was not found in the registry". So it didn't do anything or tell me to reboot.



    So I tried your steps for cleaning out with these results. I can't boot in safe mode so this was all done in normal mode.


    Spybot: Found nothing

    Counterspy: Found 3 items including troj.Goldun.BH Trojan and 2 low risk items. I don't have a registered CS so it wouldn't remove it.

    Bitdefender: Found 2 items (1 that I forgot to remove from ewido quarantine)

    PandaActiveScan PRO: Found 1 cookie and removed it

    I have attached the appropriate logs.
     

  8. Sheezwack

    Sheezwack Private E-2

    And the next 3.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    WARNING: DO NOT DOUBLE CLICK ON THE BELOW REGISTRY PATCHES.

    What is in the below three files in the root folder of drive C?
    Code:
    C:\
    legacy~1.reg  Oct  1 2006         802  "legacy_winyhd.reg"
    log.reg       Oct  1 2006          73  "log.reg"
    winyhd.reg    Oct  1 2006        1996  "winyhd.reg"
    
    DO NOT double click on them because it will try to add the contents of them into the registry! You need to open them with notepad or wordpad by right clicking on them and using Open with or Send to (if you have setup Send to properly).

    You can rename the files to be
    legacy_winyhd.txt
    log.txt
    winyhd.txt

    And then you can attach them here. This will also prevent them from being run if something is using them.
     
  10. Sheezwack

    Sheezwack Private E-2

    Sorry, I created those files; I was making a backup of the keys before I tried to delete them just in case they turned out to be something not dodgy.

    So all they are is a copy of the keys.

    There are a couple of registry keys, one called legacy_winyhd which I can change the permission of and delete, but it just keeps coming back.

    The other one, WinYhd, is the one I can't even delete. Here are the contents of that key:

    Maybe there is something in there that helps.


    From those other logs however, does it look like I am infected with smitfraud or something? I can't boot in safe mode to delete it. I wonder if I boot up into miniPE whether I can use the smitfraud removal tool; however, I guess that's similar to safe mode.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What makes you think that?


    What are the below two installed programs for?
    SecurityOptimizer
    Suite Specific
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection in your antivirus program, please allow this to run)

    In the dialog that opens enter the following:

    WinYhd

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.
     
  13. Sheezwack

    Sheezwack Private E-2

    The only reason I suspected smitfraud is because of the newfiles.txt file and this line:

    But I'm probably reading it wrong?



    Also I have attached that file. I don't think it picked them all up, however, probably because it doesn't have permission to read the other WinYhd keys (like the one in my previous post).
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It said "No matches found", but even if it did find files in that folder, it would not necessarily mean they are bad.

    You did not answer one of my questions:
    Do you really have a registry key named SYSTEM_ON_C that is located under HKEY_LOCAL_MACHINE?
     
    Last edited: Oct 4, 2006
  15. Sheezwack

    Sheezwack Private E-2

    Sorry, not sure what they are.

    Security Optimizer looks dodgy and when I try to uninstall it takes me to "http://notetol.com/uninstall.php"

    Suite Specific doesn't show up in Add/Remove so I'm not sure what it's related to.



    I have bought a new HD so I think I might give up and do a fresh install!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that is your decision to make. If you want to continue to try and fix the WinYhd problem, my next steps are below.


    Download and Install Registrar Lite (Make sure you select a download link from Majorgeeks and not the Author's)

    Run Registrar Lite and navigate to the following keys and take ownership of them (one at a time). I explain further down how to take ownership.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
    HKEY_LOCAL_MACHINE\SYSTEM_ON_C

    To take ownership of the key do the following:
    Paste one of the lines from above into the Address bar of Registrar Lite and hit Enter
    Click-on the above Registry Key just to make sure it is selected.
    Click-on Security in the Menu
    Select Take Ownership
    Tell me if you get any error messages and when you get one!

    Now locate each of the below keys (which are subkeys of the above keys we just took ownership of), select them (one at a time), right click on them and select Delete

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINYHD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINYHD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINYHD
    HKEY_LOCAL_MACHINE\SYSTEM_ON_C\ControlSet002\Services\WinYhd

    After deleting them, click View and select Refresh in Registrar Lite. Double check to make sure all of them are gone. If not try repeating a second time and make sure you take ownership at the higher level of the key like I show in the first part of the procedure.

    Let me know if you had any problems following this procedure. Attach a new log from RegSrch afterwards.
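A triage script for the keys in this post, added here as an example and not code from the thread or from Registrar Lite; it assumes an elevated PowerShell 5.1 or later session, takes WinYhd (the thread's service name) as its default, and reports for each control set whether the service key is readable, whether its binary still exists and which account it logs on as:

```powershell
# Added triage example, not from the thread: inspect one service's registry keys in every
# control set and report the three signs seen here: unreadable DACL, missing binary,
# non-standard log-on account. Assumes an elevated session; WinYhd is the thread's name.
param([string]$ServiceName = 'WinYhd')

$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' } |
    ForEach-Object { $_.PSChildName }

foreach ($cs in $controlSets) {
    # Enumerate subkey names from the parent so a locked-down key is still listed.
    $names = $hklm.OpenSubKey("SYSTEM\$cs\Services").GetSubKeyNames()
    if ($names -notcontains $ServiceName) { continue }
    $path = "HKLM:\SYSTEM\$cs\Services\$ServiceName"
    Write-Output "== $path"
    # 1. Owner and DACL. In the thread even SYSTEM could not read this key.
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
        Write-Output "   Owner : $($acl.Owner)"
        foreach ($ace in $acl.Access) {
            Write-Output ('   ACE   : {0,-32} {1,-5} {2}' -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights)
        }
    } catch {
        Write-Output "   ACL   : NOT READABLE ($($_.Exception.Message.Trim())) - locked-down key"
    }
    # 2. Values: does the binary still exist, and which account does it log on as?
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        Write-Output '   Values: NOT READABLE (access denied)'
    } else {
        if ($props.ImagePath) {
            # Strip quotes and arguments, expand %SystemRoot%-style variables, test the file.
            $exe = if ($props.ImagePath -match '^"([^"]+)"') { $Matches[1] } else { ($props.ImagePath -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $state = if (Test-Path -LiteralPath $exe) { 'present' } else { 'MISSING' }
            Write-Output "   Image : $($props.ImagePath) [$state]"
        }
        if ($props.ObjectName) {
            $kind = if ($builtin -contains $props.ObjectName) { 'built-in' } else { 'NON-STANDARD account' }
            Write-Output "   LogOn : $($props.ObjectName) [$kind]"
        }
    }
    # 3. The Enum\Root\LEGACY_* entry the poster saw keep coming back.
    if ($hklm.OpenSubKey("SYSTEM\$cs\Enum\Root").GetSubKeyNames() -contains "LEGACY_$ServiceName") {
        Write-Output "   Legacy: HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_$ServiceName present"
    }
}
```

Save it as a .ps1 and run it before and after the Registrar Lite steps; the ownership change itself is still done with Registrar Lite as described in the post.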
     
  17. Sheezwack

    Sheezwack Private E-2

    I am still going to try fix it, will let you know how it goes.


    On a side note, I keep receiving emails of the type "return to sender" that say an email I sent (which I didn't) got rejected. Many of them are from some random name @myemaildomain.com.

    Does this mean my computer is being used to send out spam or something? Or my mail server? How do you tell?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may or may not be spamming. It could just be the other way around that someone has your email address and is just sending this spam to you.


    By the way, remember the Security Optimizer program. Run the uninstall again and this time click the link at that site and let's see what happens. I ran it and have not noticed anything, but I also did not have the Security Optimizer program installed.
     
