Microsoft Windows Vista Community Forums - Vistaheads
Rogue Process I cannot get rid of.

microsoft.public.windows.vista.security






#1
03-08-2008
SG
Rogue Process I cannot get rid of.
C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe

This rogue process is listed in Services. I have managed to Disable it,
however I'd like to remove it entirely. I found it in the Registry, but I
cannot find a way to remove it. I've done everything I know, even in Safe
Mode, and it will not let you delete, modify or whatever.
It has no Dependencies listed, the Service and Display names are the same:
"FLBPKKMMZXYZ"


When running Regedit I ran it as Admin, I tried to set permissions on the
Branch and was denied. Here is how it's listed.....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLBPKKMMZXYZ\0000]
"Service"="FLBPKKMMZXYZ"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="FLBPKKMMZXYZ"

The one thing I did do before trying to remove from it the Registry was
delete the file from AppData\Local\Temp. Could this be preventing me from
removing the Registry entry? I wouldn't think so, but it may be the first
time in my life I was wrong :>)

Appreciate any input on this.

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend

#2
03-08-2008
Malke
Re: Rogue Process I cannot get rid of.
SG wrote:

(snippage)
> C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe
>
> This rogue process is listed in Services. I have managed to Disable it,
> however I'd like to remove entirely. I found it in the Registry, but I
> cannot find a way to remove it. I've done everything I know even in the
> Safe Mode and it will not let you delete, modify or whatever.
> It has no Dependencies listed, the Service and Display names are the same
> "FLBPKKMMZXYZ"


> The one thing I did do before trying to remove from it the Registry was
> delete the file from AppData\Local\Temp. Could this be preventing me from
> removing the Registry entry? I wouldn't think so, but it may be the first
> time in my life I was wrong :>)


Your computer is infected and the methods you've used will not clean it.

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/...moving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do
all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. If you are unable to remove the infection by following the
general steps, register at one of the HijackThis forums as suggested.

Standard disclaimer: I can't see and test your computer myself, so these are
just suggestions based on many years of being a professional computer tech;
suggestions based on what you've written. You should not take my
suggestions as a definitive diagnosis. If you can't do the work yourself
(and there is no shame in admitting this isn't your cup of tea), take the
machine to a professional computer repair shop (not your local equivalent
of BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may be
so infested that Windows will need to be clean-installed. If possible, have
all your data backed up before you take the machine into a shop.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
#3
03-08-2008
SG
Re: Rogue Process I cannot get rid of.
Malke,

Thanks for the response. It's not my system, but one I'm working on. Just so
you know, I have been in this business for many years, was an MVP a few years
back, but due to family obligations had to give it up. Years ago I would
download Viruses and take them apart to see how they worked. So I'm not a
novice :>)

>>>Your computer is infected and the methods you've used will not clean
>>>it.<<<


As I said the executable is gone, the process is disabled, I just need to
remove the Branch from the Registry. This system at one time was infected,
but not now. I've worked in the Registry for many years, but this is a first
that I cannot remove something. Any other thoughts as to why it can't be
removed?

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend


#4
03-08-2008
Malke
Re: Rogue Process I cannot get rid of.
SG wrote:

> Malke,
>
> Thanks for the response. It's not my system, but one I'm working on. Just
> so you know, I have been in this business for many years, was an MVP a few
> years back, but due to family obligations had to give it up. Years ago I
> would download Viruses and take them apart to see how they worked. So I'm
> not a novice :>)
>
>>>>Your computer is infected and the methods you've used will not clean
>>>>it.<<<

>
> As I said the executable is gone, the process is disabled, I just need to
> remove the Branch from the Registry. This system at one time was infected,
> but not now. I've worked in the Registry for many years, but this is a
> first that I cannot remove something. Any other thoughts as to why it
> can't be removed?
>

Thanks for your excellent explanation. If you are sure that nothing is
respawning and the machine is really clean except for this one registry
key, delete it from outside the operating system with either ERD Commander
or a Bart's PE (if Bart's lets you work on a foreign registry - I don't
know this).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
#5
03-08-2008
Malke
Re: Rogue Process I cannot get rid of.
One other thought - and I hesitate to even mention this because I'm sure
you've already tried it - you did try to take ownership of the key? If not,
then do that and give the ownership to an account with administrative
privileges. Also, I'm assuming that you ran regedit elevated since this is
Vista.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
#6
03-09-2008
Mikep
Re: Rogue Process I cannot get rid of.


I think that this key is owned by the system -- and everyone has read
access. It might be possible to grant full control to an admin like Malke
suggests.

Mike


#7
03-09-2008
SG
Re: Rogue Process I cannot get rid of.
Mike & Malke,

Thanks for all the suggestions, but so far nothing. You cannot take
ownership of the key even with administrative privileges; it still says
access denied. Haven't tried ERD Commander yet and I'd really like to do
this without 3rd-party help if possible. If a rogue program can write to
that branch then there's got to be a way for me to as well. I'm missing
something somewhere, just need to find out what. It's late so I won't fool
with this again until sometime Sunday afternoon, but will be back if I find
something and to read any other thoughts you may have.

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend


#8
03-09-2008
Malke
Re: Rogue Process I cannot get rid of.
SG wrote:

> Mike & Malke,
>
> Thanks for all the suggestions, but so far nothing. You cannot take
> ownership of the key even with administrative privileges; it still says
> access denied. Haven't tried ERD Commander yet and I'd really like to do
> this without 3rd-party help if possible. If a rogue program can write to
> that branch then there's got to be a way for me to as well. I'm missing
> something somewhere, just need to find out what. It's late so I won't fool
> with this again until sometime Sunday afternoon, but will be back if I
> find something and to read any other thoughts you may have.
>


That's the difference between you - the man who takes apart viruses - and me
- the woman who just wants to get the job done. ;-) I'd use ERD and be done
with it.

I don't have any other suggestions except you might want to post to AumHA to
see what the expert malware fighters there have to say. Sorry I was unable
to help you with this. If you do get it figured out, please let me know.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
#9
03-09-2008
Mikep
Re: Rogue Process I cannot get rid of.


I was able to assign myself full control of a key in a
CurrentControlSet\Enum .... entry. Right click on the key, select
permissions and add. Then enter your user name in the 'object names to
select' --- then check the 'full control' box.

Mike


#10
03-09-2008
Malke
Re: Rogue Process I cannot get rid of.
Mikep wrote:

>
> I was able to assign myself full control of a key in a
> CurrentControlSet\Enum .... entry. Right click on the key, select
> permissions and add. Then enter your user name in the 'object names to
> select' --- then check the 'full control' box.


Yes, Mike - but presumably you're not working on an infected computer and SG
is. That does make a big difference. I've had viruses/malware make it so I
absolutely could not take ownership of a registry key and where the only
way I could kill it was from outside the OS. I think SG is in the same boat
with his client's machine; but he wants to figure out where the "block" is
because he's that kind of guy (and I mean that in an admiring way).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
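Mike's point that the Enum key is owned by the system and Malke's caveat that malware can block taking ownership both come down to who owns the key and what its DACL says. The PowerShell below is an added example, not code from any poster in this thread: it walks the Services keys for entries whose binary sits under a Temp directory or no longer exists (SG's situation) and prints the owner and DACL of the matching LEGACY_<name> key, so the "block" Malke mentions can be located before going out-of-band with ERD Commander. It assumes an elevated PowerShell on Vista or later and uses only the key and path names SG posted.

```powershell
# Added example, not from any post in this thread. Assumes an elevated
# PowerShell on Vista or later; the key and path names are the ones SG posted.
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

function Get-ServiceBinaryPath([string]$ImagePath) {
    # Drop arguments: take a quoted path, else the first token ending in .exe/.sys.
    if ($ImagePath -match '^\s*"([^"]+)"')            { $p = $Matches[1] }
    elseif ($ImagePath -match '^\s*(\S+?\.(exe|sys))') { $p = $Matches[1] }
    else                                               { $p = $ImagePath.Trim() }
    # Driver entries use NT-style prefixes (\??\C:\..., \SystemRoot\..., system32\...).
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-RegistryKeyOwnerReport([string]$KeyPath) {
    # Owner and DACL of a key: this is what decides whether regedit may delete it.
    $acl   = Get-Acl -Path $KeyPath
    $lines = @("  $KeyPath owner=$($acl.Owner)")
    foreach ($ace in $acl.Access) {
        $lines += ('    {0,-40} {1,-5} {2}' -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights)
    }
    return $lines
}

foreach ($svc in Get-ChildItem -Path $svcRoot) {
    $props = Get-ItemProperty -Path $svc.PSPath
    if (-not $props.ImagePath) { continue }          # entries with no binary recorded
    $bin     = Get-ServiceBinaryPath $props.ImagePath
    $inTemp  = $bin -match '\\Temp\\'                # binary living in a Temp directory
    $missing = -not (Test-Path -LiteralPath $bin)    # binary already deleted, as in SG's case
    if (-not ($inTemp -or $missing)) { continue }

    '{0}: ImagePath="{1}" inTemp={2} missing={3}' -f $svc.PSChildName, $props.ImagePath, $inTemp, $missing

    # A non-PnP service gets a LEGACY_<NAME> device node under Enum\Root
    # (SG's key is LEGACY_FLBPKKMMZXYZ); show who owns it and who may write it.
    $legacy = Join-Path $enumRoot ('LEGACY_' + $svc.PSChildName.ToUpper())
    if (Test-Path -Path $legacy) { Get-RegistryKeyOwnerReport $legacy }
}
```

If the report shows an owner other than SYSTEM or Administrators, or a deny ACE on Administrators, that is the block to investigate; an ACL an admin cannot even read is the sign that the out-of-band route is the only one left.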