Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#233128 - 10/09/2004 08:42 Registry question?
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
I've run into a computer that was unfortunately infected with that damn Huntbar. It installed a registry key that will not be deleted no matter how hard I try. How can I remove this key?

The owner of the machine will be very grateful for your help
_________________________
Matt

Top
#233129 - 10/09/2004 11:33 Re: Registry question? [Re: Dignan]
siberia37
old hand

Registered: 09/01/2002
Posts: 702
Loc: Tacoma,WA
Sounds like either the virus set the registry permissions which can be reset on the Key back to normal with regedit (on Windows XP you must use Regedt32 on Win2000). Or the virus is still running and is thus locking the registry key so you can't delete it.

Top
#233130 - 10/09/2004 11:52 Re: Registry question? [Re: siberia37]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
I think I've found every other component of the adware program. It isn't a virus (though I wish they'd be classified as such - how can something that behaves like this NOT be considered a virus), it's definitely an adware/spyware program. I got it on my own machine a few years ago, before I'd even heard of Ad-Aware or any such programs, and it was hell to remove. This variation is even tougher.

I'll see if I can change the permissions on the key. I can't get into the folder the key is in, though, so who knows.

Thanks for the help.
_________________________
Matt

Top
#233131 - 10/09/2004 14:27 Re: Registry question? [Re: Dignan]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31596
Loc: Seattle, WA
Quote:
I got it on my own machine a few years ago, before I'd even heard of Ad-Aware


Which brings up the question: Have you tried Ad-Aware and/or Spybot on your friend's computer? That's specifically what they're made to do: Remove that kind of stuff.


Quote:
It isn't a virus (though I wish they'd be classified as such - how can something that behaves like this NOT be considered a virus),


Agreed. I don't see why I should need two different programs to do virus scanning and spyware scanning. The line between viruses and spyware isn't just fuzzy any more, it's completely obliterated. They install the same way and use the same techniques to try to prevent you from deleting them. And they are equally undesirable.


Quote:
I'll see if I can change the permissions on the key. I can't get into the folder the key is in, though, so who knows.


Bastards. Anyway, regedt32 should help you there, as was suggested.
_________________________
Tony Fabris

Top
#233132 - 10/09/2004 14:51 Re: Registry question? [Re: tfabris]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
Quote:
The line between viruses and spyware isn't just fuzzy any more, it's completely obliterated. They install the same way and use the same techniques to try to prevent you from deleting them. And they are equally undesirable.


AMEN!

-Zeke
_________________________
WWFSMD?

Top
#233133 - 10/09/2004 16:02 Re: Registry question? [Re: tfabris]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Quote:
Which brings up the question: Have you tried Ad-Aware and/or Spybot on your friend's computer? That's specifically what they're made to do: Remove that kind of stuff

Of course! I installed Ad-Aware and Spybot, the latest versions, latest reference files, and they installed that Pest Patrol program. They did find the components of the particular spyware program, and removed them. However, none of them could remove this registry key, though they all found it. Ad-Aware, disturbingly, did not give any sort of alert to let the user know it could not remove it. In fact, I think it may have been unaware that it couldn't, as it was listed in the quarantined files, but after deleting the quarantine, the key was still there.

What's worse is that even after removing other components of the program, after a restart you'll get them right back again. What's the difference between this and a virus again? I'd like someone to explain that to me. These companies suck.

By the way, have any of you downloaded the latest Ad-Aware (the SE version)? I wasn't aware it was such a change over version 6. I had 6 installed on this machine I was working on, and it found about 130 objects. THEN I installed SE, and that found over 200 afterwards. Pretty good. I wasn't aware that the new version was available, as the last time they "urged" users to upgrade, reference files stopped becoming available for the version I was using.
_________________________
Matt

Top
#233134 - 10/09/2004 17:10 Re: Registry question? [Re: Dignan]
image
old hand

Registered: 28/04/2002
Posts: 770
Loc: Los Angeles, CA
Quote:
What's worse is that even after removing other components of the program, after a restart you'll get them right back again. What's the difference between this and a virus again? I'd like someone to explain that to me. These companies suck.

for pesky adware, download ad aware and spybot, update the reference files then boot in SAFE MODE. what happens is that these annoying programs have failsafes, checking to see if their Run registry entry is existing. if not, then they recreate it immediately. So, logical thing is to kill the process beforehand? Nope, when their processes are killed, autorestart kicks in. how you ask? they actually have two processes running, one checking the other if they're alive. if not, then launch the missing process. ad aware tries to kill these processes on its own with its memory scan, but can only kill processes one at a time. hence the fact you can't get rid of this version of spyware. Safe mode gives you a clean slate to let you get rid of that thing.

anyway, upgrade to XP SP2 when you can, or use spywareblaster. that'll prevent you from auto-downloading most of these "iexplorer enhancements".

Top
#233135 - 17/09/2004 12:21 Re: Registry question? [Re: tfabris]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
Tony - Check out Virusscan Enterprise 8.0i. It now scans for spyware. I don't know how I missed this one (yeah I do - Mcaffee sucks about communicating to their customers about new releases!).

I've attached the new features summary from the install notes.

I'm just doing a test install today.

-Zeke


Attachments
232919-ReadMe.Txt (194 downloads)

_________________________
WWFSMD?

Top
#233136 - 17/09/2004 15:25 Re: Registry question? [Re: Ezekiel]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31596
Loc: Seattle, WA
Cool, so someone's finally doing it. Good for them!
_________________________
Tony Fabris

Top
#233137 - 18/09/2004 04:25 Re: Registry question? [Re: tfabris]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Yeah, too bad it's McAfee. After working on many people's machines, I've grown a good deal of resentment towards that obnoxious program. At least Norton has the decency to uninstall properly, at least it appears to. McAfee goes kicking, screaming, and grasping for dear life.
_________________________
Matt

Top
#233138 - 19/09/2004 22:44 Re: Registry question? [Re: Dignan]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
I've not had much trouble with the enterprise versions, but I haven't cared much for the home versions I've had to use/configure. Which one has given you the greif?

-Zeke
_________________________
WWFSMD?

Top
#233139 - 19/09/2004 23:00 Re: Registry question? [Re: Ezekiel]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
I believe the one I see most often is the McAfee Security Center. It's basically their suite of products including virus scanner, spyware scanner, firewall, email protection, and a couple applications with uses that are difficult to discern.
_________________________
Matt

Top