Rogue Process I cannot get rid of.

Thread starter: SG

C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe

This rogue process is listed in Services. I have managed to Disable it,
however I'd like to remove it entirely. I found it in the Registry, but I
cannot find a way to remove it. I've done everything I know even in the Safe
Mode and it will not let you delete, modify or whatever.
It has no Dependencies listed, the Service and Display names are the same
"FLBPKKMMZXYZ"


When running Regedit I ran it as Admin, I tried to set permissions on the
Branch and was denied. Here is how it's listed.....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLBPKKMMZXYZ\0000]
"Service"="FLBPKKMMZXYZ"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="FLBPKKMMZXYZ"

The one thing I did do before trying to remove it from the Registry was
delete the file from AppData\Local\Temp. Could this be preventing me from
removing the Registry entry? I wouldn't think so, but it may be the first
time in my life I was wrong :>)

Appreciate any input on this.

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend
 
SG wrote:

(snippage)
C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe

This rogue process is listed in Services. I have managed to Disable it,
however I'd like to remove it entirely. I found it in the Registry, but I
cannot find a way to remove it. I've done everything I know even in the
Safe Mode and it will not let you delete, modify or whatever.
It has no Dependencies listed, the Service and Display names are the same
"FLBPKKMMZXYZ"
The one thing I did do before trying to remove it from the Registry was
delete the file from AppData\Local\Temp. Could this be preventing me from
removing the Registry entry? I wouldn't think so, but it may be the first
time in my life I was wrong :>)

Your computer is infected and the methods you've used will not clean it.

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do
all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. If you are unable to remove the infection by following the
general steps, register at one of the HijackThis forums as suggested.

Standard disclaimer: I can't see and test your computer myself, so these are
just suggestions based on many years of being a professional computer tech;
suggestions based on what you've written. You should not take my
suggestions as a definitive diagnosis. If you can't do the work yourself
(and there is no shame in admitting this isn't your cup of tea), take the
machine to a professional computer repair shop (not your local equivalent
of BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may be
so infested that Windows will need to be clean-installed. If possible, have
all your data backed up before you take the machine into a shop.

Malke
 
Malke,

Thanks for the response. It's not my system, but one I'm working on. Just so
you know I have been in this business for many years, was an MVP a few years
back, but due to family obligations had to give it up. Years ago I would
download Viruses and take them apart to see how they worked, so I'm not a
novice :>)

As I said the executable is gone, the process is disabled, I just need to
remove the Branch from the Registry. This system at one time was infected,
but not now. I've worked in the Registry for many years, but this is a first
that I cannot remove something. Any other thoughts as to why it can't be
removed?

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend
 
SG said:
Malke,

Thanks for the response. It's not my system, but one I'm working on. Just
so you know I have been in this business for many years, was an MVP a few
years back, but due to family obligations had to give it up. Years ago I
would download Viruses and take them apart to see how they worked, so I'm
not a novice :>)

As I said the executable is gone, the process is disabled, I just need to
remove the Branch from the Registry. This system at one time was infected,
but not now. I've worked in the Registry for many years, but this is a
first that I cannot remove something. Any other thoughts as to why it
can't be removed?
Thanks for your excellent explanation. If you are sure that nothing is
respawning and the machine is really clean except for this one registry
key, delete it from outside the operating system with either ERD Commander
or a Bart's PE (if Bart's lets you work on a foreign registry - I don't
know this).

Malke
 
One other thought - and I hesitate to even mention this because I'm sure
you've already tried it - you did try to take ownership of the key? If not,
then do that and give the ownership to an account with administrative
privileges. Also, I'm assuming that you ran regedit elevated since this is
Vista.

Malke
 
Malke said:
One other thought - and I hesitate to even mention this because I'm sure
you've already tried it - you did try to take ownership of the key? If
not,
then do that and give the ownership to an account with administrative
privileges. Also, I'm assuming that you ran regedit elevated since this is
Vista.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

I think that this key is owned by the system -- and everyone has read
access. It might be possible to grant full control to an admin like Malke
suggests.

Mike
 
Mike & Malke,

Thanks for all the suggestions, but so far nothing. You cannot take
ownership of the key even with administrative privileges, it still says
access denied. Haven't tried ERD Commander yet and I'd really like to do
this without 3rd party help if possible. If a rogue program can write to
that branch then there's got to be a way for me to as well. I'm missing
something somewhere, just need to find out what. It's late so I won't fool
with this again until sometime Sunday afternoon, but will be back if I find
something and to read any other thoughts you may have.

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend
 
SG said:
Mike & Malke,

Thanks for all the suggestions, but so far nothing. You cannot take
ownership of the key even with administrative privileges, it still says
access denied. Haven't tried ERD Commander yet and I'd really like to do
this without 3rd party help if possible. If a rogue program can write to
that branch then there's got to be a way for me to as well. I'm missing
something somewhere, just need to find out what. It's late so I won't fool
with this again until sometime Sunday afternoon, but will be back if I
find something and to read any other thoughts you may have.

That's the difference between you - the man who takes apart viruses - and me
- the woman who just wants to get the job done. ;-) I'd use ERD and be done
with it.

I don't have any other suggestions except you might want to post to AumHA to
see what the expert malware fighters there have to say. Sorry I was unable
to help you with this. If you do get it figured out, please let me know.

Malke
 
SG said:
Mike & Malke,

Thanks for all the suggestions, but so far nothing. You cannot take
ownership of the key even with administrative privileges, it still says
access denied. Haven't tried ERD Commander yet and I'd really like to do
this without 3rd party help if possible. If a rogue program can write to
that branch then there's got to be a way for me to as well. I'm missing
something somewhere, just need to find out what. It's late so I won't fool
with this again until sometime Sunday afternoon, but will be back if I
find something and to read any other thoughts you may have.

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend

I was able to assign myself full control of a key in a
CurrentControlSet\Enum .... entry. Right click on the key, select
permissions and add. Then enter your user name in the 'object names to
select' --- then check the 'full control' box.

Mike
 
Mikep said:
I was able to assign myself full control of a key in a
CurrentControlSet\Enum .... entry. Right click on the key, select
permissions and add. Then enter your user name in the 'object names to
select' --- then check the 'full control' box.

Yes, Mike - but presumably you're not working on an infected computer and SG
is. That does make a big difference. I've had viruses/malware make it so I
absolutely could not take ownership of a registry key and where the only
way I could kill it was from outside the OS. I think SG is in the same boat
with his client's machine; but he wants to figure out where the "block" is
because he's that kind of guy (and I mean that in an admiring way).

Malke
 
Mike & Malke


Sorry I hadn't responded in quite some days now. I won't go into details, but
just to let you both know I've been really sick since Thanksgiving and some
days are unbearable. For the last week or so I've been in and out of the
Hospital, but I'm at home now feeling a little better. Soon as I get a
chance I'll let you both know how or if I can fix this problem.

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend
 
SG said:
Mike & Malke


Sorry I hadn't responded in quite some days now. I won't go into details,
but just to let you both know I've been really sick since Thanksgiving and
some days are unbearable. For the last week or so I've been in and out of
the Hospital, but I'm at home now feeling a little better. Soon as I get a
chance I'll let you both know how or if I can fix this problem.

It's nice of you to post back although one never really expects to hear from
most people on Usenet, so please don't give it another thought. Concentrate
your energies on what's really important - your health. I'm very sorry that
you've been ill and wish you a speedy recovery.

Malke
 
Malke,

Wanted to post my results back to you and MikeP.
I was able to get rid of the AMWXRYTJRQBV.EXE and four others that I found
in the Registry. However, I could only delete the branch that ended with the
file names themselves, there were 4 each, but this did get rid of the
Processes running. The following Branch still remains, but no harm to the
system and the files are gone as with the Registry entries. Still not sure
why I cannot delete anything under this LEGACY Branch or how it was written
to, but the system is fine and in the end is all that matters. Sorry it took
so long to reply, I've posted a few replies in these groups the past few
weeks, but still not up to par as of yet. Getting a little better each day
and hope the coming months will bring me back to once again feeling like a
human :>)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]

--
All the best,
SG

Is your computer system ready for Vista?
https://winqual.microsoft.com/hcl/
 
SG said:
Malke,

Wanted to post my results back to you and MikeP.
I was able to get rid of the AMWXRYTJRQBV.EXE and four others that I found
in the Registry. However, I could only delete the branch that ended with
the file names themselves, there were 4 each, but this did get rid of the
Processes running. The following Branch still remains, but no harm to the
system and the files are gone as with the Registry entries. Still not sure
why I cannot delete anything under this LEGACY Branch or how it was
written to, but the system is fine and in the end is all that matters.
Sorry it took so long to reply, I've posted a few replies in these groups
the past few weeks, but still not up to par as of yet. Getting a little
better each day and hope the coming months will bring me back to once
again feeling like a human :>)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]

I'm glad to hear you're on the mend. As for the legacy keys, try taking
ownership of them or delete them from outside the OS.

Take care,

Malke
 
Hi Malke,

I think I tried taking ownership, but can't remember. I'll give this a try
and see what happens.

--
All the best,
SG

Is your computer system ready for Vista?
https://winqual.microsoft.com/hcl/

Malke said:
SG said:
Malke,

Wanted to post my results back to you and MikeP.
I was able to get rid of the AMWXRYTJRQBV.EXE and four others that I found
in the Registry. However, I could only delete the branch that ended with
the file names themselves, there were 4 each, but this did get rid of the
Processes running. The following Branch still remains, but no harm to the
system and the files are gone as with the Registry entries. Still not sure
why I cannot delete anything under this LEGACY Branch or how it was
written to, but the system is fine and in the end is all that matters.
Sorry it took so long to reply, I've posted a few replies in these groups
the past few weeks, but still not up to par as of yet. Getting a little
better each day and hope the coming months will bring me back to once
again feeling like a human :>)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]

I'm glad to hear you're on the mend. As for the legacy keys, try taking
ownership of them or delete them from outside the OS.

Take care,

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 
Hi Malke,

Well I finally managed to get rid of the rogue registry branches.
As I stated before nothing I did would let you modify or delete anything
under the
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]

This afternoon I ran across a Blog by Aaron Stebner that deals with solving
setup errors by using the SubInACL tool to repair Registry permissions.
Although I had no setup errors, it got me thinking about the permissions
part of his article. I followed his steps and ran the reset.cmd he describes
and lo and behold even without a reboot I was able to delete all 5 of the
rogue branches without a hitch.
AMWXRYTJRQBV
FLBPKKMMZXYZ
JRBJXZ
NSC
ZWLAMI

His Blog about this is here....
http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx

This is a keeper and just may help many out there with other problems as
well. Glad to have solved this although I had already got rid of the paths
to the EXE's and stopped the services from running. It's just the rogue
Branches bothered me because no matter what I did I could not remove them.

--
All the best,
SG

Is your computer system ready for Vista?
https://winqual.microsoft.com/hcl/

Malke said:
SG said:
Malke,

Wanted to post my results back to you and MikeP.
I was able to get rid of the AMWXRYTJRQBV.EXE and four others that I found
in the Registry. However, I could only delete the branch that ended with
the file names themselves, there were 4 each, but this did get rid of the
Processes running. The following Branch still remains, but no harm to the
system and the files are gone as with the Registry entries. Still not sure
why I cannot delete anything under this LEGACY Branch or how it was
written to, but the system is fine and in the end is all that matters.
Sorry it took so long to reply, I've posted a few replies in these groups
the past few weeks, but still not up to par as of yet. Getting a little
better each day and hope the coming months will bring me back to once
again feeling like a human :>)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]

I'm glad to hear you're on the mend. As for the legacy keys, try taking
ownership of them or delete them from outside the OS.

Take care,

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
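As an added example (not code from the thread, nor from Aaron Stebner's post or SubInACL), here is a read-only PowerShell audit of the LEGACY_* keys discussed above: for each one it reports who owns the key, whether Administrators hold Full Control, and whether the Service the key names still has a binary on disk, which is the orphaned state SG describes. It assumes an elevated PowerShell prompt on Vista or later with the built-in HKLM: registry provider; it uses CurrentControlSet rather than the ControlSet001 path quoted in the thread.

```powershell
# Added example, not code from the thread: read-only audit of the
# LEGACY_* keys under Enum\Root. For each key it reports the registry
# owner, whether BUILTIN\Administrators hold Full Control, and whether
# the Service the key names still has a binary on disk (the thread's
# FLBPKKMMZXYZ.exe had already been deleted). It changes nothing.

$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$full     = [System.Security.AccessControl.RegistryRights]::FullControl

function Resolve-ImagePath {
    # Turn a Services\<name>\ImagePath value into an absolute file path.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    if ($ImagePath.StartsWith('"')) { $p = $ImagePath.Split('"')[1] }
    else { $p = ($ImagePath -split ' ')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # Driver-style paths: \SystemRoot\..., \??\C:\..., or relative to Windows.
    if     ($p -match '^\\?SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^\\\?\?\\(.+)$')        { $p = $Matches[1] }
    elseif (-not [IO.Path]::IsPathRooted($p))  { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-ChildItem $enumRoot -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -like 'LEGACY_*' } |
  ForEach-Object {
    $key  = $_
    # The 0000 instance subkey carries the "Service" value shown in the thread.
    $inst = Get-ChildItem $key.PSPath -ErrorAction SilentlyContinue | Select-Object -First 1
    $svc  = if ($inst) { (Get-ItemProperty $inst.PSPath).Service } else { $null }

    # Owner and ACL: a key whose ACL denies the administrator is exactly
    # what the SubInACL permission reset repaired for the original poster.
    try { $acl = Get-Acl $key.PSPath -ErrorAction Stop } catch { $acl = $null }
    $adminFull = $false
    if ($acl) {
        $adminFull = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            (($_.RegistryRights -band $full) -eq $full) })
    }

    $img = if ($svc) { (Get-ItemProperty "$services\$svc" -ErrorAction SilentlyContinue).ImagePath }
    $bin = Resolve-ImagePath $img

    [pscustomobject]@{
        Key              = $key.PSChildName
        Service          = $svc
        Owner            = if ($acl) { $acl.Owner } else { 'ACCESS DENIED' }
        AdminFullControl = $adminFull
        Binary           = $bin
        BinaryPresent    = if ($bin) { Test-Path -LiteralPath $bin } else { $false }
    }
  } | Sort-Object BinaryPresent | Format-Table -AutoSize
```

Rows with BinaryPresent set to False and an owner other than Administrators or SYSTEM are the ones worth a closer look before any cleanup is attempted.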
 
SG said:
Hi Malke,

Well I finally managed to get rid of the rogue registry branches.
As I stated before nothing I did would let you modify or delete anything
under the
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]

This afternoon I ran across a Blog by Aaron Stebner that deals with
solving setup errors by using the SubInACL tool to repair Registry
permissions. Although I had no setup errors, it got me thinking about the
permissions part of his article. I followed his steps and ran the
reset.cmd he describes and lo and behold even without a reboot I was able
to delete all 5 of the rogue branches without a hitch.
AMWXRYTJRQBV
FLBPKKMMZXYZ
JRBJXZ
NSC
ZWLAMI

His Blog about this is here....
http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx

This is a keeper and just may help many out there with other problems as
well. Glad to have solved this although I had already got rid of the paths
to the EXE's and stopped the services from running. It's just the rogue
Branches bothered me because no matter what I did I could not remove them.

Thanks for the update and the link. Glad to hear everything is going well
now.

Malke
 