Removing bad registry key..

[Sheezwack]

Hi All,

I have had a few problems but I think most are taken care of, except this one.

I had a dodgey account appear on my PC and noticed a service called WinYhd which was owned by the account. I had already removed the account but cannot remove the service. When i check the registry key the permissions are only set to read for SYSTEM.

Is there anyway i can remove these registry keys, basically there is no one with permission for the key so I can't get rid of it.

Any ideas?

Thanks

[chaslang]

Welcome to Majorgeeks!

You need to take ownership of the registry key.

See the below:

http://technet2.microsoft.com/Window....mspx?mfr=true

After you own it, you can delete it.

[Sheezwack]

Thanks Chaslang,

I have tried that, even doing run as administrator but the problem is it says i dont have permission to change the permissions. Hence i cant get permission to remove it.

Quote:

You can take ownership of a registry key if you are logged on as an administrator or if you have been specifically assigned the permission to take ownership of the registry key by the current owner.

I am logged in as administrator and it still doesnt work. When i select the key WinYhd it says "Cannot open WinYhd: error while opening key". Then i right click it and go permissions it says "You do not have permission to view the current permissions but you can make permission changes".

So i try that, and add 'Administrator' with full permissions then press okay and it says "access denied".


Any other ideas?

p.s i booted the pc up with miniPE, and was able to view the key however i still couldnt delete it or change the permissions.

[chaslang]

Are we taking about a registry key or are we taking about a service you need to stop, disable and delete?

If it is a Service, how does it show up in your Services list (use services.msc to see all services). What is the Name given in the list? And when you double click on the service name, what does it show for Display name:

Also what does it show for Startup type: and Service status:

[Sheezwack]

Well there is both actually, first i noticed the service called WinYhd that i couldnt remove, that belong to a dodgey account which appeared on my pc.

Then i found some registry keys matching the name WinYhd.

Here are the service details:

Service Name : WinYhd
Display Name : WinYhd
Description : Enables network access to local devices via iSCSI protocol.
Path to Exec: "C:\Program Files\Windows NT\BPW.exe"
Startup Type: Automatic
Service Status: Stopped
Log on as: .\BzlffMPOr


I have already removed the bpw.exe file, that whole directory was full of dodgey exe files which i removed with a boot image.

There was a dogey account BzlffMPOr in my users on windows xp which i removed. No idea when it appeared.

I have tried removing the service but i get some permission denied that SYSTEM did not have permission to remove it.

Quote:

The WinYhd Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

The original reason i wanted to remove it apart from the fact I beleive its dodgey, is that I can't boot into safe mode and I Think that is the reason.



After i removed the user account and tried to boot in to safe mode, my event viewer gave me these messages:

Quote:

The WinYhd service was unable to log on as .\BzlffMPOr with the currently configured password due to the following error:
Logon failure: unknown user name or bad password.

After i deleted the exe file i got

Quote:

The WinYhd service was unable to log on as .\BzlffMPOr with the currently configured password due to the following error:
The system cannot find the file specified.

So i'm not sure what to do next

[chaslang]

You can try the below!

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to WinYhd ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

WinYhd

If you receive any error messages just ignore them and continue.

Now exit HJT and reboot when it tells you it needs to.


If the above does not work, you will have to continue on to the below to do our full cleaning procedures because it could mean other malware is at work.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy - ONLY IF you were not able to run Windows Defender
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

[Sheezwack]

Okay tried all of that, here is what happened:

In the first step the service was already stopped. However when i tried to change it from automatic to disabled i get "Permission Denied"

Next in HJT, i tried to delete the service but it said "Service WinYhd was not found in the registry". So it didnt do anything or tell me to reboot.



So i tried your steps for cleaning out with these results, I can't boot in safe mode so this was all done in normal mode.


Spybot: Found nothing

Counterspy: Found 3 items including troj.Goldun.BH Trojan and 2 low risk items. I dont have a registered cs so it wouldnt remove it.

Bitdefender: Found 2 items, (1 that i forgot to remove from ewido quarantine)

PandaActiveScan PRO: Found 1 cookie and removed it

I have attached the appropriate logs.

[Sheezwack]

And the next 3.

[chaslang]

WARNING: DO NOT DOUBLE CLICK ON THE BELOW REGISTRY PATCHES.

What is in the below three files in the root folder of drive C?

Code:

C:\
legacy~1.reg  Oct  1 2006         802  "legacy_winyhd.reg"
log.reg       Oct  1 2006          73  "log.reg"
winyhd.reg    Oct  1 2006        1996  "winyhd.reg"

DO NOT double click on them because it will try to add the contents of them into the registry! You need to open them with notepad or wordpad by right clicking on them and using Open with or Send to (if you have setup Send to properly).

You can rename the files to be
legacy_winyhd.txt
log.txt
winyhd.txt

And then you can attach them here. This will also prevent them from being run if something is using them.

[Sheezwack]

sorry i created those files, i was making a backup of the keys before i tried to delete them just incase they turned out to be something not dodgey.

So all they are is a copy of the keys

There are a couple of registry keys, one called legacy_winyhd which i can change the permission of and delete, but it just keeps coming back.

the other one WinYhd is the one i cant even delete. Here are the contents of that key:

Quote:

[HKEY_LOCAL_MACHINE\SYSTEM_ON_C\ControlSet002\Services\WinYhd]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="\"C:\\Program Files\\Windows NT\\BPW.exe\""
"DisplayName"="WinYhd"
"ObjectName"=".\\BzlffMPOr"
"Description"="Enables network access to local devices via iSCSI protocol."

[HKEY_LOCAL_MACHINE\SYSTEM_ON_C\ControlSet002\Services\WinYhd\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

maybe there is something in there that helps.


From those other logs however does it look like i am infected with smitfraud or something? I can't boot in safe mode to delete it, i wonder if i boot up into miniPE if i can use the smitfraud removal tool however, i guess thats similar to safe mode.

[chaslang]

Quote:

Originally Posted by Sheezwack

From those other logs however does it look like i am infected with smitfraud or something? I can't boot in safe mode to delete it, i wonder if i boot up into miniPE if i can use the smitfraud removal tool however, i guess thats similar to safe mode.

What makes you think that?


What are the below two installed programs for?
SecurityOptimizer
Suite Specific

[chaslang]

Download the Registry Search Tool

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection in your antuvirus program, please allow this to run)

In the dialog that opens enter the following:

WinYhd

Press 'OK'

The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.

[Sheezwack]

The only reason i suspected smitfraud is because of the newfiles.txt file and this line:

Quote:

******************************************************************************

Locating all files created in C:\WINDOWSX\System32\components within the last 90 days.
This folder is now being used by Trojan.FakeAlert.CX aka SmitFraud

No matches found.
******************************************************************************

But I'm probably reading it wrong?



Also have attached that file, i don't think it picked them all up however, probably because it doesnt have permission to read the other WinYhd keys (like the one in my previous post)

[chaslang]

Quote:

Originally Posted by Sheezwack

The only reason i suspected smitfraud is because of the newfiles.txt file and this line:

But I'm probably reading it wrong?

It said "No matches found" but even if it did find files in that folder. It would not necessarily mean they are bad.

You did not answer one of my questions:

Quote:

What are the below two installed programs for?
SecurityOptimizer
Suite Specific

Do you really have a registry key named SYSTEM_ON_C that is located under HKEY_LOCAL_MACHINE

[Sheezwack]

Sorry not sure what they are,

Security Optimizer looks dodgey and when i try to uninstall takes me to "http://notetol.com/uninstall.php"

Suite Specific doesnt show up in add\remove so i'm not sure what its related too.



I have bought a new HD so I think i might give up and do a fresh install!

[chaslang]

Quote:

Originally Posted by Sheezwack

I have bought a new HD so I think i might give up and do a fresh install!

Well that is your decision to make. If you want to continue to try and fix the WinYhd problem, my next steps are below.


Download and Install Registrar Lite (Make sure you select a download link from Majorgeeks and not the Author's)

Run Registrar Lite navigate to the following keys and take ownership of them (one at a time) I explain further down how to take ownership.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
HKEY_LOCAL_MACHINE\SYSTEM_ON_C

To take ownership of the key do the following:
Paste one of the lines from above into the Addres bar of RegistrarLite and hit Enter
Click-on the above Registry Key just to make sure it is selected.
Click-on Security in the Menu
Select Take Ownership
Tell me if you get any error messages and when you get one!

Now locate each of the below keys ( which are subkeys of the above keys we just took ownership of ) and select them (one at a time) and right click on them and select Delete

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINYHD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINYHD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINYHD
HKEY_LOCAL_MACHINE\SYSTEM_ON_C\ControlSet002\Services\WinYhd

After deleting them, click View and select Refresh in Registrar Lite. Double check to make sure all of them are gone. If not try repeating a second time and make sure you take ownership at the higher level of the key like I show in the first part of the procedure.

Let me know if you had any problems following this procedure. Attach a new log from RegSrch afterwards.

[Sheezwack]

I am still going to try fix it, will let you know how it goes.


On a side note, i keep recieving emails of the type "return to sender" that say an email i sent (which i didnt) got rejected. Many of the are some random name @myemaildomain.com.

Does this mean my computer is being used to send out spam or something? Or my mail server? How do you tell?

[chaslang]

Quote:

Originally Posted by Sheezwack

On a side note, i keep recieving emails of the type "return to sender" that say an email i sent (which i didnt) got rejected. Many of the are some random name @myemaildomain.com.

Does this mean my computer is being used to send out spam or something? Or my mail server? How do you tell?

You may or may not be spamming. It could just be the other way around that someone has your email address and is just sending this spam to you.


By the way, remember the Security Optimize program. Run the uninstall again and this time click the link at that site and lets see what happens. I ran it and have not noticed anything but I also did not have the Security Optimizer program installed.