#1 | Guest (SG) | Rogue process I cannot get rid of.

C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe

This rogue process is listed in Services. I have managed to disable it; however, I'd like to remove it entirely. I found it in the Registry, but I cannot find a way to remove it. I've done everything I know, even in Safe Mode, and it will not let you delete, modify or whatever. It has no Dependencies listed; the Service and Display names are the same, "FLBPKKMMZXYZ". When running Regedit I ran it as Admin; I tried to set permissions on the branch and was denied. Here is how it's listed:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLBPKKMMZXYZ\0000]
"Service"="FLBPKKMMZXYZ"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="FLBPKKMMZXYZ"

The one thing I did do before trying to remove it from the Registry was delete the file from AppData\Local\Temp. Could this be preventing me from removing the Registry entry? I wouldn't think so, but it may be the first time in my life I was wrong :>)

Appreciate any input on this.

--
All the best,
SG

ALEX NICHOL (1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend
#2 | Guest (Malke) | Re: Rogue process I cannot get rid of.

SG wrote:

(snippage)

> C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe
>
> This rogue process is listed in Services. I have managed to disable it;
> however, I'd like to remove it entirely. I found it in the Registry, but I
> cannot find a way to remove it. I've done everything I know, even in
> Safe Mode, and it will not let you delete, modify or whatever.
> It has no Dependencies listed; the Service and Display names are the same,
> "FLBPKKMMZXYZ"

> The one thing I did do before trying to remove it from the Registry was
> delete the file from AppData\Local\Temp. Could this be preventing me from
> removing the Registry entry? I wouldn't think so, but it may be the first
> time in my life I was wrong :>)

Your computer is infected and the methods you've used will not clean it.

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/...moving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

When all else fails, run HijackThis and post your log in one of the specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them elevated. If you are unable to remove the infection by following the general steps, register at one of the HijackThis forums as suggested.

Standard disclaimer: I can't see and test your computer myself, so these are just suggestions based on many years of being a professional computer tech; suggestions based on what you've written. You should not take my suggestions as a definitive diagnosis. If you can't do the work yourself (and there is no shame in admitting this isn't your cup of tea), take the machine to a professional computer repair shop (not your local equivalent of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. If possible, have all your data backed up before you take the machine into a shop.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
#3 | Guest (SG) | Re: Rogue process I cannot get rid of.

Malke,

Thanks for the response. It's not my system, but one I'm working on. Just so you know, I have been in this business for many years, was an MVP a few years back, but due to family obligations had to give it up. Years ago I would download viruses and take them apart to see how they worked, so I'm not a novice :>)

> >>>Your computer is infected and the methods you've used will not clean it.<<<

As I said, the executable is gone, the process is disabled, I just need to remove the branch from the Registry. This system at one time was infected, but not now. I've worked in the Registry for many years, but this is a first that I cannot remove something. Any other thoughts as to why it can't be removed?

--
All the best,
SG

ALEX NICHOL (1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend

"Malke" <malke@xxxxxx> wrote in message news:uBHYxGTgIHA.2004@xxxxxx
> SG wrote:
>
> (snippage)
>> C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe
>>
>> This rogue process is listed in Services. I have managed to disable it;
>> however, I'd like to remove it entirely. I found it in the Registry, but I
>> cannot find a way to remove it. I've done everything I know, even in
>> Safe Mode, and it will not let you delete, modify or whatever.
>> It has no Dependencies listed; the Service and Display names are the same,
>> "FLBPKKMMZXYZ"
>
>> The one thing I did do before trying to remove it from the Registry was
>> delete the file from AppData\Local\Temp. Could this be preventing me from
>> removing the Registry entry? I wouldn't think so, but it may be the first
>> time in my life I was wrong :>)
>
> Your computer is infected and the methods you've used will not clean it.
>
> Go through these general malware removal steps systematically -
> http://www.elephantboycomputers.com/...moving_Malware
>
> Include scanning with David Lipman's Multi_AV and follow instructions to
> do all scans in Safe Mode. Please see the special Notes regarding using
> Multi_AV in Vista.
>
> http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
> http://tinyurl.com/yoeru3 - download link and more instructions
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed at the first link above (not here, please).
>
> Not all tools used will work in Vista and you will need to run them
> elevated. If you are unable to remove the infection by following the
> general steps, register at one of the HijackThis forums as suggested.
>
> Standard disclaimer: I can't see and test your computer myself, so these
> are just suggestions based on many years of being a professional computer
> tech; suggestions based on what you've written. You should not take my
> suggestions as a definitive diagnosis. If you can't do the work yourself
> (and there is no shame in admitting this isn't your cup of tea), take the
> machine to a professional computer repair shop (not your local equivalent
> of BigComputerStore/GeekSquad). Please be aware that not all local shops
> are skilled at removing malware and even if they are, your computer may be
> so infested that Windows will need to be clean-installed. If possible,
> have all your data backed up before you take the machine into a shop.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
#4 | Guest (Malke) | Re: Rogue process I cannot get rid of.

SG wrote:

> Malke,
>
> Thanks for the response. It's not my system, but one I'm working on. Just
> so you know, I have been in this business for many years, was an MVP a few
> years back, but due to family obligations had to give it up. Years ago I
> would download viruses and take them apart to see how they worked, so I'm
> not a novice :>)
>
>> >>>Your computer is infected and the methods you've used will not clean it.<<<
>
> As I said, the executable is gone, the process is disabled, I just need to
> remove the branch from the Registry. This system at one time was infected,
> but not now. I've worked in the Registry for many years, but this is a
> first that I cannot remove something. Any other thoughts as to why it
> can't be removed?

respawning and the machine is really clean except for this one registry key, delete it from outside the operating system with either ERD Commander or a Bart's PE (if Bart's lets you work on a foreign registry - I don't know this).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
#5 | Guest (Malke) | Re: Rogue process I cannot get rid of.

One other thought - and I hesitate to even mention this because I'm sure you've already tried it - you did try to take ownership of the key? If not, then do that and give the ownership to an account with administrative privileges. Also, I'm assuming that you ran regedit elevated since this is Vista.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
#6 | Guest (Mikep) | Re: Rogue process I cannot get rid of.

"Malke" <malke@xxxxxx> wrote in message news:%23yQF$uUgIHA.3352@xxxxxx
> One other thought - and I hesitate to even mention this because I'm sure
> you've already tried it - you did try to take ownership of the key? If
> not, then do that and give the ownership to an account with administrative
> privileges. Also, I'm assuming that you ran regedit elevated since this is
> Vista.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!

I think that this key is owned by the system -- and everyone has read access. It might be possible to grant full control to an admin like Malke suggests.

Mike
#7 | Guest (SG) | Re: Rogue process I cannot get rid of.

Mike & Malke,

Thanks for all the suggestions, but so far nothing. You cannot take ownership of the key even with administrative privileges; it still says access denied. Haven't tried ERD Commander yet, and I'd really like to do this without 3rd-party help if possible. If a rogue program can write to that branch then there's got to be a way for me to as well. I'm missing something somewhere, just need to find out what. It's late so I won't fool with this again until sometime Sunday afternoon, but will be back if I find something and to read any other thoughts you may have.

--
All the best,
SG

ALEX NICHOL (1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend

"Mikep" <mikep@xxxxxx> wrote in message news:ONEVgTXgIHA.320@xxxxxx
>
> "Malke" <malke@xxxxxx> wrote in message
> news:%23yQF$uUgIHA.3352@xxxxxx
>> One other thought - and I hesitate to even mention this because I'm sure
>> you've already tried it - you did try to take ownership of the key? If
>> not, then do that and give the ownership to an account with administrative
>> privileges. Also, I'm assuming that you ran regedit elevated since this
>> is Vista.
>>
>> Malke
>> --
>> MS-MVP
>> Elephant Boy Computers
>> www.elephantboycomputers.com
>> Don't Panic!
>
> I think that this key is owned by the system -- and everyone has read
> access. It might be possible to grant full control to an admin like Malke
> suggests.
>
> Mike
#8 | Guest (Malke) | Re: Rogue process I cannot get rid of.

SG wrote:

> Mike & Malke,
>
> Thanks for all the suggestions, but so far nothing. You cannot take
> ownership of the key even with administrative privileges; it still says
> access denied. Haven't tried ERD Commander yet, and I'd really like to do
> this without 3rd-party help if possible. If a rogue program can write to
> that branch then there's got to be a way for me to as well. I'm missing
> something somewhere, just need to find out what. It's late so I won't fool
> with this again until sometime Sunday afternoon, but will be back if I
> find something and to read any other thoughts you may have.

- the woman who just wants to get the job done. ;-) I'd use ERD and be done with it.

I don't have any other suggestions except you might want to post to AumHA to see what the expert malware fighters there have to say. Sorry I was unable to help you with this. If you do get it figured out, please let me know.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
#9 | Guest (Mikep) | Re: Rogue process I cannot get rid of.

"SG" <sorry@xxxxxx> wrote in message news:O%238LHYagIHA.4684@xxxxxx
> Mike & Malke,
>
> Thanks for all the suggestions, but so far nothing. You cannot take
> ownership of the key even with administrative privileges; it still says
> access denied. Haven't tried ERD Commander yet, and I'd really like to do
> this without 3rd-party help if possible. If a rogue program can write to
> that branch then there's got to be a way for me to as well. I'm missing
> something somewhere, just need to find out what. It's late so I won't fool
> with this again until sometime Sunday afternoon, but will be back if I
> find something and to read any other thoughts you may have.
>
> --
> All the best,
> SG
>
> ALEX NICHOL
> (1935-2005)
> http://www.aumha.org/alex.htm
> You will never be forgotten my friend
>
> "Mikep" <mikep@xxxxxx> wrote in message
> news:ONEVgTXgIHA.320@xxxxxx
>>
>> "Malke" <malke@xxxxxx> wrote in message
>> news:%23yQF$uUgIHA.3352@xxxxxx
>>> One other thought - and I hesitate to even mention this because I'm sure
>>> you've already tried it - you did try to take ownership of the key? If
>>> not, then do that and give the ownership to an account with administrative
>>> privileges. Also, I'm assuming that you ran regedit elevated since this
>>> is Vista.
>>>
>>> Malke
>>> --
>>> MS-MVP
>>> Elephant Boy Computers
>>> www.elephantboycomputers.com
>>> Don't Panic!
>>
>> I think that this key is owned by the system -- and everyone has read
>> access. It might be possible to grant full control to an admin like Malke
>> suggests.
>>
>> Mike

I was able to assign myself full control of a key in a CurrentControlSet\Enum .... entry. Right click on the key, select permissions and add. Then enter your user name in the 'object names to select' --- then check the 'full control' box.

Mike
#10 | Guest (Malke) | Re: Rogue process I cannot get rid of.

Mikep wrote:

> I was able to assign myself full control of a key in a
> CurrentControlSet\Enum .... entry. Right click on the key, select
> permissions and add. Then enter your user name in the 'object names to
> select' --- then check the 'full control' box.

is. That does make a big difference. I've had viruses/malware make it so I absolutely could not take ownership of a registry key and where the only way I could kill it was from outside the OS. I think SG is in the same boat with his client's machine; but he wants to figure out where the "block" is because he's that kind of guy (and I mean that in an admiring way).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
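Malke's take-ownership suggestion (#5) and Mike's Full Control step (#9) scripted for an elevated PowerShell instead of the regedit GUI, as an added example that is not from any poster in this thread. It assumes the key path from post #1 is still present, that ControlSet001 is the active control set, and that nothing holds the key open; Win32.Priv and Unlock-Key are names made up for this example.

```powershell
# Added example: take ownership of a locked registry key, grant Administrators Full Control, then
# delete it. Run from an elevated PowerShell. The key is the one quoted in post #1 (assumed present).
$KeyPath = 'SYSTEM\ControlSet001\Enum\Root\LEGACY_FLBPKKMMZXYZ'

# Administrators hold SeTakeOwnershipPrivilege but it is disabled by default, which is why even an
# elevated regedit is refused. Enabling it lets the key be opened for WRITE_OWNER despite its DACL.
# Win32.Priv is a small P/Invoke helper written for this example.
Add-Type -Namespace Win32 -Name Priv -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError=true)]
static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
static extern bool LookupPrivilegeValue(string host, string name, out long luid);
[DllImport("advapi32.dll", SetLastError=true)]
static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TokPriv state,
                                         int len, IntPtr prev, IntPtr retLen);
[StructLayout(LayoutKind.Sequential, Pack=1)]
struct TokPriv { public int Count; public long Luid; public int Attr; }
public static bool Enable(string name) {
    IntPtr token; long luid;
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out token)) return false;
    if (!LookupPrivilegeValue(null, name, out luid)) return false;
    TokPriv tp = new TokPriv(); tp.Count = 1; tp.Luid = luid; tp.Attr = 2;   // SE_PRIVILEGE_ENABLED
    return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
           && Marshal.GetLastWin32Error() == 0;   // true + ERROR_NOT_ALL_ASSIGNED means not held
}
'@
if (-not [Win32.Priv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Privilege not available; run elevated.' }
$Admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$HKLM   = [Microsoft.Win32.Registry]::LocalMachine
$Check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$Rights = [System.Security.AccessControl.RegistryRights]

function Unlock-Key([string]$Path) {
    # Step 1: open for WRITE_OWNER only (granted via the privilege) and make Administrators the owner.
    $k = $HKLM.OpenSubKey($Path, $Check, $Rights::TakeOwnership)
    if (-not $k) { throw "Key not found: HKLM\$Path" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($Admins); $k.SetAccessControl($sec); $k.Close()
    # Step 2: an owner implicitly holds READ_CONTROL and WRITE_DAC, so a Full Control ACE can be added.
    $k = $HKLM.OpenSubKey($Path, $Check, $Rights::ReadPermissions -bor $Rights::ChangePermissions)
    $sec = $k.GetAccessControl()
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $Admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $k.SetAccessControl($sec); $k.Close()
    # Step 3: recurse, because a child such as ...\0000 may carry its own non-inherited DACL.
    $k = $HKLM.OpenSubKey($Path, $true)
    foreach ($sub in $k.GetSubKeyNames()) { Unlock-Key "$Path\$sub" }
    $k.Close()
}
Unlock-Key $KeyPath
$HKLM.DeleteSubKeyTree($KeyPath)
```

A Windows service is also registered under HKLM\SYSTEM\CurrentControlSet\Services\<service name>, so if the Services entry SG mentions is still present and locked the same way, run Unlock-Key on that path before deleting it too.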