Guest SG Posted March 8, 2008

C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe

This rogue process is listed in Services. I have managed to disable it, however I'd like to remove it entirely. I found it in the Registry, but I cannot find a way to remove it. I've done everything I know, even in Safe Mode, and it will not let you delete, modify or whatever. It has no Dependencies listed; the Service and Display names are the same, "FLBPKKMMZXYZ". When running Regedit I ran it as Admin; I tried to set permissions on the Branch and was denied. Here is how it's listed:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLBPKKMMZXYZ\0000]
"Service"="FLBPKKMMZXYZ"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="FLBPKKMMZXYZ"

The one thing I did do before trying to remove it from the Registry was delete the file from AppData\Local\Temp. Could this be preventing me from removing the Registry entry? I wouldn't think so, but it may be the first time in my life I was wrong :>) Appreciate any input on this.

-- All the best, SG
ALEX NICHOL (1935-2005) http://www.aumha.org/alex.htm You will never be forgotten my friend
Guest Malke Posted March 8, 2008

SG wrote: (snippage)
> C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe
>
> This rogue process is listed in Services. I have managed to disable it, however I'd like to remove it entirely. I found it in the Registry, but I cannot find a way to remove it. I've done everything I know, even in Safe Mode, and it will not let you delete, modify or whatever. It has no Dependencies listed; the Service and Display names are the same, "FLBPKKMMZXYZ".
>
> The one thing I did do before trying to remove it from the Registry was delete the file from AppData\Local\Temp. Could this be preventing me from removing the Registry entry? I wouldn't think so, but it may be the first time in my life I was wrong :>)

Your computer is infected and the methods you've used will not clean it.

Go through these general malware removal steps systematically - http://www.elephantboycomputers.com/page2....emoving_Malware

Include scanning with David Lipman's Multi_AV and follow the instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

When all else fails, run HijackThis and post your log in one of the specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them elevated. If you are unable to remove the infection by following the general steps, register at one of the HijackThis forums as suggested.

Standard disclaimer: I can't see and test your computer myself, so these are just suggestions based on many years of being a professional computer tech; suggestions based on what you've written. You should not take my suggestions as a definitive diagnosis. If you can't do the work yourself (and there is no shame in admitting this isn't your cup of tea), take the machine to a professional computer repair shop (not your local equivalent of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. If possible, have all your data backed up before you take the machine into a shop.

Malke
-- MS-MVP Elephant Boy Computers www.elephantboycomputers.com Don't Panic!
Guest SG Posted March 8, 2008

Malke, Thanks for the response. It's not my system, but one I'm working on. Just so you know, I have been in this business for many years, was an MVP a few years back, but due to family obligations had to give it up. Years ago I would download viruses and take them apart to see how they worked, so I'm not a novice :>)

>>> Your computer is infected and the methods you've used will not clean it. <<<

As I said, the executable is gone, the process is disabled, I just need to remove the Branch from the Registry. This system at one time was infected, but not now. I've worked in the Registry for many years, but this is a first that I cannot remove something. Any other thoughts as to why it can't be removed?

-- All the best, SG
ALEX NICHOL (1935-2005) http://www.aumha.org/alex.htm You will never be forgotten my friend

"Malke" <malke@invalid.invalid> wrote in message news:uBHYxGTgIHA.2004@TK2MSFTNGP05.phx.gbl...
> SG wrote: (snippage)
>> C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe
>>
>> This rogue process is listed in Services. I have managed to disable it, however I'd like to remove it entirely. I found it in the Registry, but I cannot find a way to remove it. I've done everything I know, even in Safe Mode, and it will not let you delete, modify or whatever. It has no Dependencies listed; the Service and Display names are the same, "FLBPKKMMZXYZ".
>>
>> The one thing I did do before trying to remove it from the Registry was delete the file from AppData\Local\Temp. Could this be preventing me from removing the Registry entry? I wouldn't think so, but it may be the first time in my life I was wrong :>)
>
> Your computer is infected and the methods you've used will not clean it.
>
> Go through these general malware removal steps systematically - http://www.elephantboycomputers.com/page2....emoving_Malware
>
> Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.
>
> http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
> http://tinyurl.com/yoeru3 - download link and more instructions
>
> When all else fails, run HijackThis and post your log in one of the specialty forums listed at the first link above (not here, please).
>
> Not all tools used will work in Vista and you will need to run them elevated. If you are unable to remove the infection by following the general steps, register at one of the HijackThis forums as suggested.
>
> Standard disclaimer: I can't see and test your computer myself, so these are just suggestions based on many years of being a professional computer tech; suggestions based on what you've written. You should not take my suggestions as a definitive diagnosis. If you can't do the work yourself (and there is no shame in admitting this isn't your cup of tea), take the machine to a professional computer repair shop (not your local equivalent of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. If possible, have all your data backed up before you take the machine into a shop.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
Guest Malke Posted March 8, 2008

SG wrote:
> Malke,
>
> Thanks for the response. It's not my system, but one I'm working on. Just so you know, I have been in this business for many years, was an MVP a few years back, but due to family obligations had to give it up. Years ago I would download viruses and take them apart to see how they worked, so I'm not a novice :>)
>
>>>> Your computer is infected and the methods you've used will not clean it. <<<
>
> As I said, the executable is gone, the process is disabled, I just need to remove the Branch from the Registry. This system at one time was infected, but not now. I've worked in the Registry for many years, but this is a first that I cannot remove something. Any other thoughts as to why it can't be removed?

Thanks for your excellent explanation. If you are sure that nothing is respawning and the machine is really clean except for this one registry key, delete it from outside the operating system with either ERD Commander or a Bart's PE (if Bart's lets you work on a foreign registry - I don't know this).

Malke
-- MS-MVP Elephant Boy Computers www.elephantboycomputers.com Don't Panic!
Guest Malke Posted March 8, 2008

One other thought - and I hesitate to even mention this because I'm sure you've already tried it - you did try to take ownership of the key? If not, then do that and give the ownership to an account with administrative privileges. Also, I'm assuming that you ran regedit elevated since this is Vista.

Malke
-- MS-MVP Elephant Boy Computers www.elephantboycomputers.com Don't Panic!
Guest Mikep Posted March 8, 2008

"Malke" <malke@invalid.invalid> wrote in message news:%23yQF$uUgIHA.3352@TK2MSFTNGP04.phx.gbl...
> One other thought - and I hesitate to even mention this because I'm sure you've already tried it - you did try to take ownership of the key? If not, then do that and give the ownership to an account with administrative privileges. Also, I'm assuming that you ran regedit elevated since this is Vista.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!

I think that this key is owned by the system -- and everyone has read access. It might be possible to grant full control to an admin like Malke suggests.

Mike
Guest SG Posted March 9, 2008

Mike & Malke, Thanks for all the suggestions, but so far nothing. You cannot take ownership of the key even with administrative privileges; it still says access denied. Haven't tried ERD Commander yet and I'd really like to do this without 3rd-party help if possible. If a rogue program can write to that branch then there's got to be a way for me to as well. I'm missing something somewhere, just need to find out what. It's late so I won't fool with this again until sometime Sunday afternoon, but will be back if I find something and to read any other thoughts you may have.

-- All the best, SG
ALEX NICHOL (1935-2005) http://www.aumha.org/alex.htm You will never be forgotten my friend

"Mikep" <mikep@NOSPAMturboware.com> wrote in message news:ONEVgTXgIHA.320@TK2MSFTNGP02.phx.gbl...
>
> "Malke" <malke@invalid.invalid> wrote in message news:%23yQF$uUgIHA.3352@TK2MSFTNGP04.phx.gbl...
>> One other thought - and I hesitate to even mention this because I'm sure you've already tried it - you did try to take ownership of the key? If not, then do that and give the ownership to an account with administrative privileges. Also, I'm assuming that you ran regedit elevated since this is Vista.
>>
>> Malke
>> --
>> MS-MVP
>> Elephant Boy Computers
>> www.elephantboycomputers.com
>> Don't Panic!
>
> I think that this key is owned by the system -- and everyone has read access. It might be possible to grant full control to an admin like Malke suggests.
>
> Mike
>
Guest Malke Posted March 9, 2008

SG wrote:
> Mike & Malke,
>
> Thanks for all the suggestions, but so far nothing. You cannot take ownership of the key even with administrative privileges; it still says access denied. Haven't tried ERD Commander yet and I'd really like to do this without 3rd-party help if possible. If a rogue program can write to that branch then there's got to be a way for me to as well. I'm missing something somewhere, just need to find out what. It's late so I won't fool with this again until sometime Sunday afternoon, but will be back if I find something and to read any other thoughts you may have.
>

That's the difference between you - the man who takes apart viruses - and me - the woman who just wants to get the job done. ;-) I'd use ERD and be done with it. I don't have any other suggestions except you might want to post to AumHA to see what the expert malware fighters there have to say. Sorry I was unable to help you with this. If you do get it figured out, please let me know.

Malke
-- MS-MVP Elephant Boy Computers www.elephantboycomputers.com Don't Panic!
Guest Mikep Posted March 9, 2008

"SG" <sorry@nomail.com> wrote in message news:O%238LHYagIHA.4684@TK2MSFTNGP06.phx.gbl...
> Mike & Malke,
>
> Thanks for all the suggestions, but so far nothing. You cannot take ownership of the key even with administrative privileges; it still says access denied. Haven't tried ERD Commander yet and I'd really like to do this without 3rd-party help if possible. If a rogue program can write to that branch then there's got to be a way for me to as well. I'm missing something somewhere, just need to find out what. It's late so I won't fool with this again until sometime Sunday afternoon, but will be back if I find something and to read any other thoughts you may have.
>
> --
> All the best,
> SG
>
> ALEX NICHOL
> (1935-2005)
> http://www.aumha.org/alex.htm
> You will never be forgotten my friend
>
> "Mikep" <mikep@NOSPAMturboware.com> wrote in message news:ONEVgTXgIHA.320@TK2MSFTNGP02.phx.gbl...
>>
>> "Malke" <malke@invalid.invalid> wrote in message news:%23yQF$uUgIHA.3352@TK2MSFTNGP04.phx.gbl...
>>> One other thought - and I hesitate to even mention this because I'm sure you've already tried it - you did try to take ownership of the key? If not, then do that and give the ownership to an account with administrative privileges. Also, I'm assuming that you ran regedit elevated since this is Vista.
>>>
>>> Malke
>>> --
>>> MS-MVP
>>> Elephant Boy Computers
>>> www.elephantboycomputers.com
>>> Don't Panic!
>>
>> I think that this key is owned by the system -- and everyone has read access. It might be possible to grant full control to an admin like Malke suggests.
>>
>> Mike
>>
>

I was able to assign myself full control of a key in a CurrentControlSet\Enum .... entry. Right click on the key, select permissions and add. Then enter your user name in the 'object names to select' --- then check the 'full control' box.

Mike
Guest Malke Posted March 9, 2008

Mikep wrote:
>
> I was able to assign myself full control of a key in a CurrentControlSet\Enum .... entry. Right click on the key, select permissions and add. Then enter your user name in the 'object names to select' --- then check the 'full control' box.

Yes, Mike - but presumably you're not working on an infected computer and SG is. That does make a big difference. I've had viruses/malware make it so I absolutely could not take ownership of a registry key and where the only way I could kill it was from outside the OS. I think SG is in the same boat with his client's machine; but he wants to figure out where the "block" is because he's that kind of guy (and I mean that in an admiring way).

Malke
-- MS-MVP Elephant Boy Computers www.elephantboycomputers.com Don't Panic!
Guest SG Posted March 14, 2008

Mike & Malke

Sorry I hadn't responded in quite some days now. I won't go into details, but just to let you both know I've been really sick since Thanksgiving and some days are unbearable. For the last week or so I've been in and out of the Hospital, but I'm at home now feeling a little better. Soon as I get a chance I'll let you both know how or if I can fix this problem.

-- All the best, SG
ALEX NICHOL (1935-2005) http://www.aumha.org/alex.htm You will never be forgotten my friend

"Malke" <malke@invalid.invalid> wrote in message news:%23I$iP5igIHA.5780@TK2MSFTNGP06.phx.gbl...
> Mikep wrote:
>>
>> I was able to assign myself full control of a key in a CurrentControlSet\Enum .... entry. Right click on the key, select permissions and add. Then enter your user name in the 'object names to select' --- then check the 'full control' box.
>
> Yes, Mike - but presumably you're not working on an infected computer and SG is. That does make a big difference. I've had viruses/malware make it so I absolutely could not take ownership of a registry key and where the only way I could kill it was from outside the OS. I think SG is in the same boat with his client's machine; but he wants to figure out where the "block" is because he's that kind of guy (and I mean that in an admiring way).
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
Guest Malke Posted March 14, 2008

SG wrote:
> Mike & Malke
>
> Sorry I hadn't responded in quite some days now. I won't go into details, but just to let you both know I've been really sick since Thanksgiving and some days are unbearable. For the last week or so I've been in and out of the Hospital, but I'm at home now feeling a little better. Soon as I get a chance I'll let you both know how or if I can fix this problem.
>

It's nice of you to post back although one never really expects to hear from most people on Usenet, so please don't give it another thought. Concentrate your energies on what's really important - your health. I'm very sorry that you've been ill and wish you a speedy recovery.

Malke
-- MS-MVP Elephant Boy Computers www.elephantboycomputers.com Don't Panic!
Guest SG Posted March 31, 2008

Malke,

Wanted to post my results back to you and MikeP. I was able to get rid of the AMWXRYTJRQBV.EXE and four others that I found in the Registry. However, I could only delete the branch that ended with the file names themselves; there were 4 each, but this did get rid of the Processes running. The following Branch still remains, but no harm to the system, and the files are gone as with the Registry entries. Still not sure why I cannot delete anything under this LEGACY Branch or how it was written to, but the system is fine and in the end that is all that matters. Sorry it took so long to reply; I've posted a few replies in these groups the past few weeks, but still not up to par as of yet. Getting a little better each day and hope the coming months will bring me back to once again feeling like a human :>)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]

-- All the best, SG
Is your computer system ready for Vista? https://winqual.microsoft.com/hcl/

"Malke" <malke@invalid.invalid> wrote in message news:ua8XENhhIHA.5204@TK2MSFTNGP02.phx.gbl...
> SG wrote:
>> Mike & Malke
>>
>> Sorry I hadn't responded in quite some days now. I won't go into details, but just to let you both know I've been really sick since Thanksgiving and some days are unbearable. For the last week or so I've been in and out of the Hospital, but I'm at home now feeling a little better. Soon as I get a chance I'll let you both know how or if I can fix this problem.
>>
>
> It's nice of you to post back although one never really expects to hear from most people on Usenet, so please don't give it another thought. Concentrate your energies on what's really important - your health. I'm very sorry that you've been ill and wish you a speedy recovery.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
Guest Malke Posted March 31, 2008

SG wrote:
> Malke,
>
> Wanted to post my results back to you and MikeP. I was able to get rid of the AMWXRYTJRQBV.EXE and four others that I found in the Registry. However, I could only delete the branch that ended with the file names themselves; there were 4 each, but this did get rid of the Processes running. The following Branch still remains, but no harm to the system, and the files are gone as with the Registry entries. Still not sure why I cannot delete anything under this LEGACY Branch or how it was written to, but the system is fine and in the end that is all that matters. Sorry it took so long to reply; I've posted a few replies in these groups the past few weeks, but still not up to par as of yet. Getting a little better each day and hope the coming months will bring me back to once again feeling like a human :>)
>
> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]
>

I'm glad to hear you're on the mend. As for the legacy keys, try taking ownership of them or delete them from outside the OS.

Take care,

Malke
-- MS-MVP Elephant Boy Computers www.elephantboycomputers.com Don't Panic!
Guest SG Posted March 31, 2008

Hi Malke, I think I tried taking ownership, but can't remember. I'll give this a try and see what happens.

-- All the best, SG
Is your computer system ready for Vista? https://winqual.microsoft.com/hcl/

"Malke" <malke@invalid.invalid> wrote in message news:%23B$4KnykIHA.6032@TK2MSFTNGP03.phx.gbl...
> SG wrote:
>> Malke,
>>
>> Wanted to post my results back to you and MikeP. I was able to get rid of the AMWXRYTJRQBV.EXE and four others that I found in the Registry. However, I could only delete the branch that ended with the file names themselves; there were 4 each, but this did get rid of the Processes running. The following Branch still remains, but no harm to the system, and the files are gone as with the Registry entries. Still not sure why I cannot delete anything under this LEGACY Branch or how it was written to, but the system is fine and in the end that is all that matters. Sorry it took so long to reply; I've posted a few replies in these groups the past few weeks, but still not up to par as of yet. Getting a little better each day and hope the coming months will bring me back to once again feeling like a human :>)
>>
>> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]
>>
>
> I'm glad to hear you're on the mend. As for the legacy keys, try taking ownership of them or delete them from outside the OS.
>
> Take care,
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
Guest SG Posted April 12, 2008

Re: Rogue Process I cannot get rid of. SOLVED

Hi Malke,

Well I finally managed to get rid of the rogue registry branches. As I stated before, nothing I did would let you modify or delete anything under
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]

This afternoon I ran across a Blog by Aaron Stebner that deals with solving setup errors by using the SubInACL tool to repair Registry permissions. Although I had no setup errors, it got me thinking about the permissions part of his article. I followed his steps and ran the reset.cmd he describes and, lo and behold, even without a reboot I was able to delete all 5 of the rogue branches without a hitch.

AMWXRYTJRQBV
FLBPKKMMZXYZ
JRBJXZ
NSC
ZWLAMI

His Blog about this is here....
http://blogs.msdn.com/astebner/archive/200.../04/739820.aspx

This is a keeper and just may help many out there with other problems as well. Glad to have solved this, although I had already got rid of the paths to the EXEs and stopped the services from running. It's just that the rogue Branches bothered me because no matter what I did I could not remove them.

-- All the best, SG
Is your computer system ready for Vista? https://winqual.microsoft.com/hcl/

"Malke" <malke@invalid.invalid> wrote in message news:%23B$4KnykIHA.6032@TK2MSFTNGP03.phx.gbl...
> SG wrote:
>> Malke,
>>
>> Wanted to post my results back to you and MikeP. I was able to get rid of the AMWXRYTJRQBV.EXE and four others that I found in the Registry. However, I could only delete the branch that ended with the file names themselves; there were 4 each, but this did get rid of the Processes running. The following Branch still remains, but no harm to the system, and the files are gone as with the Registry entries. Still not sure why I cannot delete anything under this LEGACY Branch or how it was written to, but the system is fine and in the end that is all that matters. Sorry it took so long to reply; I've posted a few replies in these groups the past few weeks, but still not up to par as of yet. Getting a little better each day and hope the coming months will bring me back to once again feeling like a human :>)
>>
>> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]
>>
>
> I'm glad to hear you're on the mend. As for the legacy keys, try taking ownership of them or delete them from outside the OS.
>
> Take care,
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
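The permissions problem this thread turned on, worked through as an added example that is not code from the thread or from Aaron Stebner's blog. The reset.cmd SG ran rewrites ACLs across the whole HKLM hive and the system drive; the PowerShell script below does the narrow version, touching only the LEGACY_<name> tree under Enum\Root that Mike and Malke suggested taking ownership of. It assumes the block is the ordinary ACL on Enum keys (SYSTEM owns them, Administrators have Read) and relies on a detail the thread never spells out: SeTakeOwnershipPrivilege is present but disabled in an elevated token, so a script has to enable it before RegOpenKeyEx will hand out WRITE_OWNER past a DACL that does not grant it. The TokenPriv helper, the two function names and the refuse-while-the-service-still-exists check are mine; the five service names are the ones SG listed.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from this thread. Removes a leftover
# HKLM\SYSTEM\<ControlSet>\Enum\Root\LEGACY_<SERVICE> tree: enable
# SeTakeOwnershipPrivilege, take ownership of every key in the tree, grant
# BUILTIN\Administrators full control, confirm Services\<name> is already
# gone, then delete the tree. Assumption: the block is a DACL giving
# Administrators Read only, not something actively re-protecting the key.

# 1. The privilege exists in an elevated token but is disabled; WRITE_OWNER is
#    only granted past a hostile DACL while it is enabled.
if (-not ('TokenPriv' -as [type])) {
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public static class TokenPriv {
  [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
  [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
  [DllImport("advapi32.dll", SetLastError=true)] static extern bool OpenProcessToken(IntPtr p, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
  [DllImport("advapi32.dll", SetLastError=true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES np, uint len, IntPtr prev, IntPtr ret);
  [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
  [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
  public static bool Enable(string name) {
    IntPtr tok;
    if (!OpenProcessToken(GetCurrentProcess(), 0x28 /*TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY*/, out tok)) return false;
    var tp = new TOKEN_PRIVILEGES { Count = 1, Attr = 0x2 /*SE_PRIVILEGE_ENABLED*/ };
    bool ok = LookupPrivilegeValue(null, name, out tp.Luid)
           && AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
           && Marshal.GetLastWin32Error() == 0;   // 1300 = ERROR_NOT_ALL_ASSIGNED
    CloseHandle(tok); return ok;
  }
}
'@
}
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Could not enable SeTakeOwnershipPrivilege' }

$Admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

function Grant-KeyTreeToAdmins {
    # Take ownership of $SubKey (relative to HKLM) and every key beneath it, then
    # give Administrators full control so DeleteSubKeyTree has DELETE on each node.
    param([string]$SubKey)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $rw   = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree

    # Owner first: a handle holding only WRITE_OWNER is all this step needs.
    $k = $hklm.OpenSubKey($SubKey, $rw, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $k) { throw "HKLM\$SubKey not found" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($Admins)
    $k.SetAccessControl($sec)      # persists only the Owner section
    $k.Close()

    # The owner implicitly gets READ_CONTROL and WRITE_DAC regardless of the
    # DACL, so Administrators can now rewrite it.
    $k = $hklm.OpenSubKey($SubKey, $rw,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    $sec = $k.GetAccessControl()
    $sec.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
        $Admins, [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow))
    $k.SetAccessControl($sec)
    $k.Close()

    # A fixed parent does not help if a child key (0000, Control, ...) still locks us out.
    $k = $hklm.OpenSubKey($SubKey)
    foreach ($child in $k.GetSubKeyNames()) { Grant-KeyTreeToAdmins -SubKey "$SubKey\$child" }
    $k.Close()
}

function Remove-LegacyEnumKey {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Service, [string]$ControlSet = 'ControlSet001')
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $root = "SYSTEM\$ControlSet\Enum\Root"
    $leaf = "LEGACY_$($Service.ToUpperInvariant())"

    # The Enum entry is only PnP residue; while Services\<name> exists the driver
    # can be started again, so refuse until the service itself is gone.
    $svc = $hklm.OpenSubKey("SYSTEM\$ControlSet\Services\$Service")
    if ($svc) { $svc.Close(); Write-Warning "Services\$Service still exists; remove the service first"; return $false }

    $parent = $hklm.OpenSubKey($root)
    $present = $parent.GetSubKeyNames() -contains $leaf
    $parent.Close()
    if (-not $present) { Write-Verbose "HKLM\$root\$leaf not present"; return $false }

    if ($PSCmdlet.ShouldProcess("HKLM\$root\$leaf", 'Take ownership and delete')) {
        Grant-KeyTreeToAdmins -SubKey "$root\$leaf"
        # RegDeleteKey ignores the parent handle's access rights (Enum\Root stays
        # read-only for Administrators); ReadWriteSubTree only satisfies the managed
        # 'writable' check DeleteSubKeyTree performs before deleting.
        $parent = $hklm.OpenSubKey($root, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                                   [System.Security.AccessControl.RegistryRights]::ReadKey)
        $parent.DeleteSubKeyTree($leaf)
        $parent.Close()
    }
    return $true
}

# Dry run over the five names SG listed; drop -WhatIf to actually delete.
foreach ($n in 'AMWXRYTJRQBV', 'FLBPKKMMZXYZ', 'JRBJXZ', 'NSC', 'ZWLAMI') {
    Remove-LegacyEnumKey -Service $n -WhatIf -Verbose
}
```

Run it from an elevated PowerShell on the affected machine; as written it only reports what it would delete. If the TakeOwnership open is still denied after the privilege is enabled, the DACL is not what is blocking you, and Malke's route of editing the hive from outside the running OS is the remaining option.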
Guest Malke Posted April 12, 2008

Re: Rogue Process I cannot get rid of. SOLVED

SG wrote:
> Hi Malke,
>
> Well I finally managed to get rid of the rogue registry branches. As I stated before, nothing I did would let you modify or delete anything under
> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY]
>
> This afternoon I ran across a Blog by Aaron Stebner that deals with solving setup errors by using the SubInACL tool to repair Registry permissions. Although I had no setup errors, it got me thinking about the permissions part of his article. I followed his steps and ran the reset.cmd he describes and, lo and behold, even without a reboot I was able to delete all 5 of the rogue branches without a hitch.
> AMWXRYTJRQBV
> FLBPKKMMZXYZ
> JRBJXZ
> NSC
> ZWLAMI
>
> His Blog about this is here....
> http://blogs.msdn.com/astebner/archive/200.../04/739820.aspx
>
> This is a keeper and just may help many out there with other problems as well. Glad to have solved this, although I had already got rid of the paths to the EXEs and stopped the services from running. It's just that the rogue Branches bothered me because no matter what I did I could not remove them.
>

Thanks for the update and the link. Glad to hear everything is going well now.

Malke
-- MS-MVP Elephant Boy Computers www.elephantboycomputers.com Don't Panic!