kimiraikkonen Posted January 18, 2018 ID:1201388 Share Posted January 18, 2018 (edited) Hello there, One of my machines using running on Windows Vista SP2 has a semi-serious problems, even i cannot name it. This is the final chance for me to figure out whether i'm safe or not. Here is the issue. I came across a malware a few years ago which is infected my machine through a non-secure JAVA web applet. After this infection, i immediately took some actions and tried neutralizing malware and cleaning as well, i also used Malwarebytes 1.x and 2.x series. After some years have passed, i still noticed that the nasty and non-existent registry entry of this malware is still visible by regedit, and GMER. I had no abnormal activity since then, and tried numerous rootkit removers listed below with following results: - GMER: Shows hidden driver service highlighted red but unable to remove / disable because it's not existed in fact (IMHO). - Sophos Anti-Rootkit: No malware is found, system is clean. - BitDefender Anti-Rootkit: No malware is found, system is clean (scan took very short though, not sure why). - Kaspersky TDSS Remover: No malware is found, system is clean. - Rootkit Hook Analyzer: No malware is found, system is clean. - Symantec TDSS Fix Tool: No malware is found, system is clean. -...and finally Malwarebytes Anti-Rootkit BETA along with Malwarebytes Premium (3.3.1) edition: System is clean, no malware is found. Although almost all of major removers say that the system is clean, i'm so picky that i have no idea why regedit and GMER display the presence of malware (PragmaXXXXX - random numbers), especially regedit shows error immediately when i click on this key as if it does NOT exist, but i can't do anything even i try a lot of methods including running regedit under SYSTEM account, running offline registry editor using recovery disc, and using command prompt. It seems a kind of very strange glitch in registry file, and it cannot be removed there eventhough the entry (PramaXXXXX) is shown. I'm attaching all the screenshots that would help on describing the issue, along with FRST log, addition.txt log and MBAM Anti-Rootkit log file. I'd be so grateful if there is any additional steps to take other than formatting the whole drive, as i have a lot of documents and installations with senstive configurations. Thanks in advance! Addition.txt FRST.txt system-log.txt Edited January 18, 2018 by kimiraikkonen Link to post Share on other sites More sharing options...
kevinf80 Posted January 18, 2018 ID:1201424 Share Posted January 18, 2018 Hello kimiraikkonen and welcome to Malwarebytes, The logs from FRST "FRST.txt" and "Addition.txt" are not complete, both have the last sections missing. Can you attach again, logs are saved here: C:\FRST\Logs Next, Run FRST one more time: Type or copy/paste the following in the edit box after "Search:".PRAGMAcxjvwfkfoe Click Search Registry button and post the log (Search.txt) it makes to your reply. Thank you, Kevin Link to post Share on other sites More sharing options...
kimiraikkonen Posted January 19, 2018 Author ID:1201725 Share Posted January 19, 2018 (edited) 23 hours ago, kevinf80 said: Hello kimiraikkonen and welcome to Malwarebytes, The logs from FRST "FRST.txt" and "Addition.txt" are not complete, both have the last sections missing. Can you attach again, logs are saved here: C:\FRST\Logs Next, Run FRST one more time: Type or copy/paste the following in the edit box after "Search:".PRAGMAcxjvwfkfoe Click Search Registry button and post the log (Search.txt) it makes to your reply. Thank you, Kevin Hello Kevin, Thank you for your response. I downloaded the latest Farbar Recovery Scan Tool from Malwarebytes website and ran registry search against "PRAGMAcxjvwfkfoe", the log file (SearchReg.txt) has been saved to the root folder of where FRST.exe is located. I'm attaching it. Then i re-ran FRST.exe to perform normal scan. I'm attaching the logs, too, interestingly it also saved log files (Frst, addition.txt) to the location where FRST is located, like registry search log, in addition to "C:\FRST\Logs" folder. Not a big deal. The nasty registry entry seems detected on the first line under "services" parent key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMAcxjvwfkfoe), but i cannot even touch it, display details it, or delete it, because registry editor (regedit) shows error as if the key does not exist, which is really strange. Despite this, all the rootkit scanners including Malwarebytes say that the system is fully clean. I'm really lost. Thanks a lot! Addition_19-01-2018 23.36.10.txt FRST_19-01-2018 23.36.10.txt SearchReg.txt Edited January 19, 2018 by kimiraikkonen Correction. Link to post Share on other sites More sharing options...
kevinf80 Posted January 19, 2018 ID:1201752 Share Posted January 19, 2018 Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. fixlist.txt Link to post Share on other sites More sharing options...
kimiraikkonen Posted January 19, 2018 Author ID:1201765 Share Posted January 19, 2018 48 minutes ago, kevinf80 said: Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. fixlist.txt Hi again, I did what you instructed, friend. Here is fixlog.txt attached. Thanks! Fixlog.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 19, 2018 ID:1201789 Share Posted January 19, 2018 I sort of guessed the result when just about every other scanner under the sun give clean logs... Try this please: Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. fixlist.txt Link to post Share on other sites More sharing options...
kimiraikkonen Posted January 22, 2018 Author ID:1202432 Share Posted January 22, 2018 (edited) On 1/20/2018 at 2:12 AM, kevinf80 said: I sort of guessed the result when just about every other scanner under the sun give clean logs... Try this please: Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. fixlist.txt Hi Kevin, Thanks for your reply. Before applying the last fixlist you posted, i checked the content of the script manually with notepad and i'm concerning that serious modifications are likely to happen if i run the script. I manually looked for the nasty .sys and .exe files by Explorer, none of them exists as fine, however although i'd like to run the fixlist script using FRST, i'm still being scared a bit that the system might crash, especially because of system and registry modifications. Could you please describe a bit how you made that script containing removal definitions of some random files, like "XSSVVRJHLQN.exe", "XGQGPAM.exe", "KODAE.exe" along with other .sys files and "exe" registry modification? I found almost ZERO results when i specifically searched for those files through Google, and locally, and I have no problem and significance of those files when i search manually, and executables work fine with no signs of malware as vast majority of malware removers have pointed. I just need to unlock and remove why "PRAGMAcxjvwfkfoe" key is still being found by regedit and GMER, but not with any other malware softwares including Malwarebytes. Please let me understand and relax, Best regards. Edited January 22, 2018 by kimiraikkonen Link to post Share on other sites More sharing options...
kevinf80 Posted January 22, 2018 ID:1202472 Share Posted January 22, 2018 All of the listed entries in FRST fix list are taken from logs produced by FRST, there is no magic involved. I only ask that you do not open the fixlist file when FRST fix is selected. If the file is open then the fix does not work... You can open it anytime you want, just make sure it is closed before running FRST... If "PRAGMAcxjvwfkfoe" is not removed this time I will give you another set of instructions to try from Recovery Environment... Post log from FRST fix whenever you are ready.... Link to post Share on other sites More sharing options...
kimiraikkonen Posted January 23, 2018 Author ID:1202619 Share Posted January 23, 2018 (edited) 13 hours ago, kevinf80 said: All of the listed entries in FRST fix list are taken from logs produced by FRST, there is no magic involved. I only ask that you do not open the fixlist file when FRST fix is selected. If the file is open then the fix does not work... You can open it anytime you want, just make sure it is closed before running FRST... If "PRAGMAcxjvwfkfoe" is not removed this time I will give you another set of instructions to try from Recovery Environment... Post log from FRST fix whenever you are ready.... Ok, i'll do it ASAP. One last thing before applying the last FRST fixlist you posted, friend. I see some official Microsoft entries are meant to be removed in this fixlist, i've taken their list from a trusted Microsoft OS reference book, attaching here (IP filter driver, tunneling driver etc.), and TpChoice.sys seems to be related to my laptop's touchpad...I'm a bit nervous now. Does removing those entries via fixlist cause networking and touch pad devices to malfunction? Studied a bit more, I also found out that the entries in FRST log are located and taken from Windows Registry, and marked by FRST with [X] if they're not present on file system actually (for example i checked TpChoice.sys is not in "drivers" folder just like other sys files marked by [X]), and the others are marked with ATTENTION, that are taken from LEGACY_xxxxx prefix, located under "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Enum\Root" if they're not core Microsoft processes (in temp folder), when i lookup these entries manually. Worse, those leftover entries cannot be removed manually even by administrator user who has no "full control" priviledge and needs to take ownership which is by design. Is that right? Edited January 23, 2018 by kimiraikkonen Link to post Share on other sites More sharing options...
kevinf80 Posted January 23, 2018 ID:1202622 Share Posted January 23, 2018 Yes I understand your concern, if you look at the entries you mention, Service in green, driver in red. As they appear in the log the service is stopped and the drivers are missing, So good house keeping is to remove the orphan service... That is why we list orphans to be removed S3 IpInIp; system32\DRIVERS\ipinip.sys [X] S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X] S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X] Link to post Share on other sites More sharing options...
kevinf80 Posted January 23, 2018 ID:1202623 Share Posted January 23, 2018 Same with the other service you mention, Service stopped and driver missing S3 TpChoice; system32\DRIVERS\TpChoice.sys [X] Link to post Share on other sites More sharing options...
kimiraikkonen Posted January 23, 2018 Author ID:1202627 Share Posted January 23, 2018 53 minutes ago, kevinf80 said: Yes I understand your concern, if you look at the entries you mention, Service in green, driver in red. As they appear in the log the service is stopped and the drivers are missing, So good house keeping is to remove the orphan service... That is why we list orphans to be removed S3 IpInIp; system32\DRIVERS\ipinip.sys [X] S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X] S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X] Hi Kevin, I did ran the last fixlist you posted. It took quite long, almost more than several minutes to complete, especially for the temporary folders to be flushed as i realized. I'm attaching the fixlog.txt but according to log PRAGMAcxjvwfkfoe entry still appears to be locked and cannot be removed. But when i lookup manually with regedit, and GMER, BINGO! PRAGMAcxjvwfkfoe is gone finally! But except notable exception! When i do a full search using regedit against "PRAGMAcxjvwfkfoe" key, the key appears to reside in Services subkey of multiple CurrentControlSets ranging from [CurrentControlSet002] to [CurrentControlSet 16]. CurrentControlSet, CurrentControlSet001 and CurrentControlSet017 does NOT have PRAGMAcxjvwfkfoe key! As far as i know, other CurrentControlSetxxx groups are the mirrors that are symbolically linked to main CurrentControlSet which is the key that the machine is running on. So i'm still feeling not OK. BTW, FRST is very interesting and intensive tool that scans through very deep locations even an advanced power user forgets to look up. What should i do now? Thank you! Fixlog.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 23, 2018 ID:1202733 Share Posted January 23, 2018 Thanks for the update, can you see if you can delete "Controlset002 to Controlset017" inclusive... Those Controlsets are more than likely remnants from a previous infection... Start with Controlset002, right click direct on that folder and select "Delete" if that fails, right click again, select "Permissions" In the new window make sure to select the correct user group or user, should be yourself with Admin rights. Select "Full" then select "Apply" then "OK" Right clcik again and try Delete... Link to post Share on other sites More sharing options...
kimiraikkonen Posted January 24, 2018 Author ID:1203126 Share Posted January 24, 2018 21 hours ago, kevinf80 said: Thanks for the update, can you see if you can delete "Controlset002 to Controlset017" inclusive... Those Controlsets are more than likely remnants from a previous infection... Start with Controlset002, right click direct on that folder and select "Delete" if that fails, right click again, select "Permissions" In the new window make sure to select the correct user group or user, should be yourself with Admin rights. Select "Full" then select "Apply" then "OK" Right clcik again and try Delete... Thanks for your suggestions @kevinf80, however as far as i read elsewhere on the internet; those ControlSetXXXX groups are holding information about services / drivers about Last Known Good Configuration and last successful boot configuration build data. So deleting them may cause problems especially because their numbering consist in such order between 002 and 016, note that 001 and 017 are clean, so deleting them would also break numbering sequence which is my concern. Also, note that i cannot delete PRAGMAcxjvwfkfoe thingy manually even with Admin rights and even with SYSTEM account from these extra ControlSets (002 to 016) due to error that is shown immediately when i click on that key, which was also the case for CurrentControlSet key before last FRST fixlist and your help have come into play as it's clean now. So i'd like to know whether you can create another FRST fixlist that would rip off and clean each PRAGMAcxjvwfkfoe key individually from ControlSets ranging from 002 ending with 016 without deleting entire ControlSetxxx key group? Please let me know, friend, Thanks for your great support so far though, Best regards. Link to post Share on other sites More sharing options...
kevinf80 Posted January 24, 2018 ID:1203276 Share Posted January 24, 2018 Having large numbers of Controlsets is not always a good thing, a normal system will run with CurrentControlSet, ControlSet001 and ControlSet002. 001 and 002 are alternating backups of "CurrentControlSet" ControlSet001 could be the last control set you booted with, while ControlSet002 would then be the last known good control set or as known " Last Known Good Configuration" , or the control set that last successfully booted Windows. The "CurrentControlSet" subkey is really a pointer to one of the ControlSet??? keys.. When you see many control sets listed in the registry they maybe mirrors of the CCS, CCS001 or CCS002. The could also be unique when manipulated by Malware/Infection.... We can try what you suggest, first we need a good reliable backup of your registry: Tweaking.com Registry Backup Download Tweaking.com Registry Backup from here, and save tweaking.com_registry_backup_portable.zip to your desktop. Now we need to create a new folder to extract the zipped contents into. Right click on the zipped folder you just downloaded and select "Extract All". Click the "Browse" button and from the list, expand "Computer", then expand "Windows (C:)", and click the "Make New Folder" button. Call this folder something you will remember...like "RegBackup" then click "Ok", and then click "Extract". From the newly extracted files, right click on and select Run as Administrator (XP users just double click) to start Tweaking.com Registry Backup.(Windows Vista/7/8/10 users: Accept UAC warning if it is enabled.) A screen like this should appear: Type a custom name in Backup Name if you want, then choose Backup Now. If backup is successful, a message will appear at the lower half of the screen with an option to view logs. The registry backup will be created in %WindowsDrive%\RegBackup by default. You can customize the path in Settings. Close Tweaking.com Registry Backup when done. Next, Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Post that log in your reply... Thanks, Kevin... fixlist.txt Link to post Share on other sites More sharing options...
kimiraikkonen Posted January 26, 2018 Author ID:1204031 Share Posted January 26, 2018 On 1/25/2018 at 12:58 AM, kevinf80 said: Having large numbers of Controlsets is not always a good thing, a normal system will run with CurrentControlSet, ControlSet001 and ControlSet002. 001 and 002 are alternating backups of "CurrentControlSet" ControlSet001 could be the last control set you booted with, while ControlSet002 would then be the last known good control set or as known " Last Known Good Configuration" , or the control set that last successfully booted Windows. The "CurrentControlSet" subkey is really a pointer to one of the ControlSet??? keys.. When you see many control sets listed in the registry they maybe mirrors of the CCS, CCS001 or CCS002. The could also be unique when manipulated by Malware/Infection.... We can try what you suggest, first we need a good reliable backup of your registry: Tweaking.com Registry Backup Download Tweaking.com Registry Backup from here, and save tweaking.com_registry_backup_portable.zip to your desktop. Now we need to create a new folder to extract the zipped contents into. Right click on the zipped folder you just downloaded and select "Extract All". Click the "Browse" button and from the list, expand "Computer", then expand "Windows (C:)", and click the "Make New Folder" button. Call this folder something you will remember...like "RegBackup" then click "Ok", and then click "Extract". From the newly extracted files, right click on and select Run as Administrator (XP users just double click) to start Tweaking.com Registry Backup.(Windows Vista/7/8/10 users: Accept UAC warning if it is enabled.) A screen like this should appear: Type a custom name in Backup Name if you want, then choose Backup Now. If backup is successful, a message will appear at the lower half of the screen with an option to view logs. The registry backup will be created in %WindowsDrive%\RegBackup by default. You can customize the path in Settings. Close Tweaking.com Registry Backup when done. Next, Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Post that log in your reply... Thanks, Kevin... fixlist.txt Hi @kevinf80 again, Sorry for quite late reply, i did what you instructed, dowloaded Registry Backup Tool, backed up registry without any failure. It's OK. Then i ran fixlist.txt under FRST, i got "not found" message in fixlog for the key named PRAGMAcxjvwfkfoe . Huh? I'm attaching the log here. The key appears to be present for the ControlSets between / inluding 002 to 016 under "Service" parent key, but i'm unable to delete it as you see. It had been deleted successfully from CurrentControlSet, ControlSet001 and ControlSet017 as can be seen from my previous post, though, thanks a lot for that. I don't know how your previous fixlist had worked for the keys mentioned above like a miracle, but it fails for the rest of ControlSets unfortunately. An interesting observation from me is here; when i look at ControlSet keys from 002 to 016, they only contain "Services" subkey and not others (Control, Enum, HW Services unlike 001 and 017), which contain PRAGMAcxjvwfkfoe key unlike 001 and 017, that makes me think that those extra problematic ControlSets (002 to 016) were failed to be removed by operating system because of the presence of PRAGMAcxjvwfkfoe key that probably was preventing the removal due to this unknown abnormal lock, probably when infection happened. I'm attaching some more screenshots, though. By the way, i'm so grateful for your strive and extremely sorry for keeping you busy with that silly problem which is driving me crazy. Is there anything that i can do more in conjunction with your great help? Best regards! Fixlog.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 26, 2018 ID:1204054 Share Posted January 26, 2018 We could try moving the entries (probably whole key is best option but try PRAGMAcxjvwfkfoe first) for ControlSet002 to ControlSet016 via Recovery Environment Options. you would need a USB flash drive and possibly installation DVD if normal method fails... FRST needs to be run from a USB stick (flashdrive) when used in the Recovery Environment. . Download FRST and save to your Flash drive. http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ Also dowmload and save fixlist.txt to same Flash drive Plug the flashdrive into the infected PC with FRST or FRST64 and "fixlist.txt" Enter System Recovery Options I give two methods, use whichever is convenient for you.To enter System Recovery Options from the Advanced Boot Options: Restart the computer. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears. Use the arrow keys to select the Repair your computer menu item. Select Your Country as the keyboard language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account an click Next. To enter System Recovery Options by using Windows installation/repair disc: Insert the installation/repair disc. Restart your computer. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings. Click Repair your computer. Select Your Country as the keyboard language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account/password if required and click Next. On the System Recovery Options menu you should get the following options:Startup Repair System Restore Windows Complete PC Restore Windows Memory Diagnostic Tool Command Prompt Select Command Prompt In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. The tool will start to run. When the tool opens click Yes to disclaimer. Press Fix button. It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply. You should now be back to Command Prompt.... Type exit then hit enter boot back to normal windows. Post fixlog.txt fixlist.txt Link to post Share on other sites More sharing options...
kevinf80 Posted January 30, 2018 ID:1210726 Share Posted January 30, 2018 Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
kevinf80 Posted February 2, 2018 ID:1211959 Share Posted February 2, 2018 Topic has been reopened per request. Thanks Link to post Share on other sites More sharing options...
kimiraikkonen Posted February 2, 2018 Author ID:1211970 Share Posted February 2, 2018 (edited) Hi Kevin, @kevinf80 After a few days have passed, i just noticed that the fixlist you posted have a little error, posted on post #17. The fixlist contains registry path "CurrentControlSet" prefix which seems wrong, it must be "ControlSet". I changed the lines to "ControlSetxxx" and voila! The ControlSet entries containing PRAGMAcxjvwfkfoe have been deleted by FRST! Great job! However i'm now trying to rename ControlSet018 to ControlSet002 to maintain the numbering order, and i also will change "Select" key's "LastKnownGood" value to 002 from 018. But the problem is, i even cannot rename ControlSet018 itself to 002 by launching regedit.exe using PsExec with -s switch (runs under SYSTEM account). I then realized that it fails because the some subkeys under ControlSet018\Services are owned by "TrustedInstaller", instead of SYSTEM account. Example: RDPCDD is a subkey under "ControlSet018\Services that contains subkeys owned by TrustedInstaller which has full control permissions. That's my finding, though. I'm now looking for a solution, by the help of new FRST fixlist miracle whether it can rename ControlSet 018 to 002 without breaking subkeys' ownerships / permissions, if you can create one. I'm attaching the screenshots of current situation. Best regards! Edited February 2, 2018 by kimiraikkonen Correction. Link to post Share on other sites More sharing options...
kevinf80 Posted February 2, 2018 ID:1212024 Share Posted February 2, 2018 Why do you want to change the number identity of a control set, I fear you may end up with a broken system. I see no reason why controlset018 could not just be removed with FRST.. My system runs ok with only CurrentControlSet and ControlSet001, these keys are just repeats, I realize last known good config is disabled in Windows 8, 8.1 and 10, advanced options are available to carry out system repairs. You are running Vista, i`ve not been familiar with Vista for many years and do not have a legitimate copy to load into a VM to test what you want to try... This Vista specific forum is still active: https://www.vistax64.com/ Maybe your best option for the advice you seek can be found there... Apologies I cannot help with registry actions any further. There is a General PC help forum here at Malwarebytes: https://forums.malwarebytes.com/forum/6-general-windows-pc-help/ Not sure if you will get the answers you seek there... Regards, Kevin.. Link to post Share on other sites More sharing options...
kimiraikkonen Posted February 5, 2018 Author ID:1212729 Share Posted February 5, 2018 On 2/3/2018 at 2:04 AM, kevinf80 said: Why do you want to change the number identity of a control set, I fear you may end up with a broken system. I see no reason why controlset018 could not just be removed with FRST.. My system runs ok with only CurrentControlSet and ControlSet001, these keys are just repeats, I realize last known good config is disabled in Windows 8, 8.1 and 10, advanced options are available to carry out system repairs. You are running Vista, i`ve not been familiar with Vista for many years and do not have a legitimate copy to load into a VM to test what you want to try... This Vista specific forum is still active: https://www.vistax64.com/ Maybe your best option for the advice you seek can be found there... Apologies I cannot help with registry actions any further. There is a General PC help forum here at Malwarebytes: https://forums.malwarebytes.com/forum/6-general-windows-pc-help/ Not sure if you will get the answers you seek there... Regards, Kevin.. Hi @kevinf80, I do not want to remove ControlSet018, i just want to rename it to 002 as it should be, to maintain numbering sequence. It holds the configuration data for "Last Known Good" environenment as it can be seen from the screenshot of "Select" key above. That's why i wanted to know whether FRST can rename it on-the-fly just like with the success of deleting them. It would be awesome. What i understood that FRST is doing great job like setting ACLs, permissions temporarily then deleting the undeletable keys. The manual renaming method is not working due to TrustedInstaller is the owner of subkeys as i stated above, so i though FRST can also take care of this issue. No matter, if you can't help any further, i'm extremely appreciate your help for what you've done so far, at least i have no signs of Pragma malware at the moment, and i feel very clean by means of your help. Best regards! Link to post Share on other sites More sharing options...
kevinf80 Posted February 5, 2018 ID:1212764 Share Posted February 5, 2018 As far as i`m aware renaming or renumbering ControlSets is not possible via regedit. Although FRST is a very powerful tool it does have built in protections, an action such as you ask will not happen, it will return an error... You could make a repair install if you have the installation dvd and license key.... https://www.vistax64.com/threads/repair-install-for-vista.88236/ Thank you, Kevin.... Link to post Share on other sites More sharing options...
kevinf80 Posted February 10, 2018 ID:1214394 Share Posted February 10, 2018 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts