Alyssa3

Can’t delete registry keys created by malware


I have these two programs called Idle Buddy and SSO on my computer. I ran a scan with Malwarebytes and cleaned up 18 threats, two of which were Trojan.Roraccoon, and the rest were riskware or PUPs. After rescanning my computer with Malwarebytes, Emsisoft, Norton, and other scanners, only a few things popped up and I cleaned them up. After another rescan everything seemed clean... So I uninstalled the programs and thought I was safe. However, just today Malwarebytes came up with two new threats, this time in the admin account on my computer, both riskware. This prompted me to rescan everything (scans came up clean). I then opened the program files and searched through to see if there were any files left over from the virus. I got rid of several files associated with Idle Buddy and SSO, and I think they’re all gone now (but I’m not sure). Then, I checked the registry for anything weird. I saw three registry entries that had been created by SSO and Idle Buddy, but when I tried to delete them I was given an error that said that these keys could not be deleted. Is there any way I can get rid of these for good? I have a bad feeling that even though most of them were caught and quarantined/deleted, they may still be doing things behind the scenes (like what happened to my admin account)...

Here are the registry keys that I’m trying to delete:

HKLM\SOFTWARE\IdleBuddy

HKLM\SOFTWARE\WOW6432Node\IdleBuddy

HKLM\SOFTWARE\WOW6432Node\SSO


Hello @Alyssa3 and :welcome:

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 


Hi @Alyssa3

Please run the scans again using an account that has Admin rights. The logs show it was run with an account that does not have admin rights.

Ran by ae325 (ATTENTION: The user is not administrator) on MSI (01-08-2018 10:50:35)

Thanks

Ron

 


Can I click run as admin when I open the program? I don’t remember the password to my admin account


I'm sorry, but you will need to find, fix, or obtain the Administrator password, or we won't be able to fix the computer. It requires an account that has admin rights.

Thank you

Ron

 

 


How did you know those keys existed? Who said they're from an infection?

We could try a couple of methods to forcibly remove them, but if there is no in-memory program protecting those keys, then all you need to do is change the permissions on the keys and then delete them.
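
The permissions check suggested above, as an added PowerShell example that is not part of the original post. It is read-only: for the three keys listed in the first post it reports the owner and whether the current token is allowed or denied Delete. It approximates effective access (subkey ACLs are not examined), and all variable names are illustrative.

```powershell
# Added example: read-only check of who owns each leftover key and who may delete it.
# Key paths are the three from the first post; everything else is illustrative.
$keys = @(
    'HKLM:\SOFTWARE\IdleBuddy',
    'HKLM:\SOFTWARE\WOW6432Node\IdleBuddy',
    'HKLM:\SOFTWARE\WOW6432Node\SSO'
)

# Changing or deleting keys under HKLM normally needs an elevated administrator session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($identity.Name); elevated: $elevated"

# SIDs of the current user and the enabled groups in the token, to match against ACL entries.
$mySids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
$needed = [Security.AccessControl.RegistryRights]::Delete
$inheritOnly = [Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { Write-Host "$key : not present"; continue }
    try { $acl = Get-Acl -LiteralPath $key -ErrorAction Stop }
    catch { Write-Host "$key : cannot read ACL ($($_.Exception.Message))"; continue }

    # Keep the entries that apply to this key, name this token, and cover the Delete right.
    $mine = foreach ($ace in $acl.Access) {
        if ($ace.PropagationFlags -band $inheritOnly) { continue }   # applies to subkeys only
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                           # orphaned or unresolvable account
        if ($mySids -contains $sid -and ($ace.RegistryRights -band $needed)) { $ace }
    }
    $denied  = @($mine | Where-Object AccessControlType -eq 'Deny').Count -gt 0
    $allowed = @($mine | Where-Object AccessControlType -eq 'Allow').Count -gt 0

    [pscustomobject]@{
        Key            = $key
        Owner          = $acl.Owner
        DeleteAllowed  = $allowed -and -not $denied   # a Deny entry overrides any Allow
        ExplicitDeny   = $denied
        InheritanceOff = $acl.AreAccessRulesProtected # True if the key no longer inherits its parent's ACL
    }
}
```

A key that shows `DeleteAllowed = False` from an elevated session, with an unexpected owner or inheritance turned off, is consistent with the permissions problem described above.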

 


I saw them while I was searching through my registry to see if there was anything left over from the scans. I just assumed that they were part of the infection because they had the same names as the programs/files that were detected as trojans and riskware by Malwarebytes and other scans.

How can you tell if there’s a program protecting those keys?


If you can't delete them manually then it's probably just a permissions issue.

I'm sorry but I'm leaving for vacation for a week. If this can wait please post back again in about a week and I'll follow back up with you, or if you like you can create another topic and see if someone can help you further with this.

Thank you

Ron

 


Hi Ron,

Malwarebytes removed some remaining registry keys from the viruses the other day. There's one that I'll have to remove manually but I think I can do it by changing the permissions. I believe that the viruses may have damaged my computer though- it seems to be working harder than normal and is slightly slower, especially when I use a web browser like Chrome. I'll probably do a repair this weekend.

Thanks!


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.
