ajdratch
asked on
Can't remove registry key
I removed a virus from a Windows 7 64-bit computer. There is a registry key that I cannot remove that I think came from this virus. It is HKLM\SYSTEM\CurrentControlSet\services\gupdate\parameters. When I right-click and select Permissions it says "requested security information is either unavailable or can't be displayed".
I have tried running psexec -i -d -s \regedit as administrator but still can't get to it.
Can't get to it in safe mode or with all non MS services disabled.
I tried using subinacl and followed these instructions https://www.experts-exchange.com/askQuestion.jsp?taid=86
ASKER
I did that and the key does not show up. I guess this means something is loading it at boot up?
Okay, run CCleaner and check the startup items. It will show everything, and from there you can locate that registry entry and do more.
www.ccleaner.com
I'm using v 4.03.4151
Run regedt32 and take ownership of the key and then delete it.
Yes. A virus. May not show up in CCleaner startup items (great idea, however), if it is a rootkit infection.
Could you share the name of the virus you cleaned up? Was it ZeroAccess (or its other variants)?
ajdratch --
Use
1) http://technet.microsoft.com/en-us/library/cc753024(v=ws.10).aspx or
2) Unlocker http://www.majorgeeks.com/download4660.html
ajdratch
Open Device Manager.
Start button > Control Panel.
If viewing as Details or small icons, click the "System and Security" link, then click on "Device Manager" under the "System" heading in the new window.
If viewing large icons, just double-click on "Device Manager".
Alternatively, open Device Manager from the command prompt: devmgmt.msc
Click the View menu, then click the "Show Hidden Devices" option.
Expand the section named "Non-Plug and Play Drivers".
Do you see one in there named "GUpdate"?
If so, Right-Click on it and choose "Properties", then open the "Drivers" tab.
Take a note of what it says under "Service Name" and "Display Name", the path to the file that shows when you click the "Driver Details" button, and what is showing in the Startup Type field in the same tab.
Post the details here. It may be possible to just uninstall this service after booting into the Administrator account.
The key does not show because "CurrentControlSet" always refers to the control set that is currently loaded. Offline, no set is loaded. It will be ControlSet001.
ASKER
I have not been able to get reconnected to that computer. I should have access to it later this week.
ASKER
This took care of it
Great. You got it working. :-)
Glad you got her done!
Boot the machine with the Windows 7 DVD and start a command prompt by pressing the Shift+F10 key.
Now open the registry and load the SYSTEM registry hive. Delete the key and unload the SYSTEM hive again.
Reboot the machine into safe mode.
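The offline-hive procedure from the last answer, written out as a batch script for the Windows 7 DVD / WinRE command prompt. This is an added example, not code from any poster; the offline Windows drive letter D:, the temporary mount name HKLM\OfflineSYS and the service name gupdate (from the question) are assumptions to adjust before use.

```batch
@echo off
REM Added example: remove a malware service key from an OFFLINE SYSTEM hive.
REM Assumptions: offline Windows volume is D:, service key name is "gupdate",
REM hive is mounted under the temporary name HKLM\OfflineSYS.
setlocal enabledelayedexpansion
set "OFFLINE_DRIVE=D:"
set "SVC=gupdate"
set "MOUNT=HKLM\OfflineSYS"

REM 1. Load the offline SYSTEM hive. The running OS (and any driver that was
REM    blocking access to the key) is not involved, so the key is reachable.
reg load %MOUNT% %OFFLINE_DRIVE%\Windows\System32\config\SYSTEM || goto :fail

REM 2. CurrentControlSet does not exist in an offline hive. Select\Current
REM    holds the number of the control set Windows will use at next boot.
for /f "tokens=3" %%v in ('reg query %MOUNT%\Select /v Current ^| find "Current"') do set "CUR=%%v"
set /a CURNUM=%CUR%
set "CS=00%CURNUM%"
set "CS=ControlSet!CS:~-3!"
echo Control set used at next boot: %CS%

REM 3. Preserve evidence before deleting: note the driver file the service
REM    points at, and export the key so it can be examined later.
reg query %MOUNT%\%CS%\services\%SVC% /v ImagePath
reg export %MOUNT%\%CS%\services\%SVC% %OFFLINE_DRIVE%\%SVC%-backup.reg /y

REM 4. Delete the service key from every ControlSet00N in the hive, so the
REM    Last Known Good set does not bring it back on the next boot.
for /f "tokens=*" %%k in ('reg query %MOUNT% ^| findstr /i "ControlSet00"') do (
    reg query "%%k\services\%SVC%" >nul 2>&1 && reg delete "%%k\services\%SVC%" /f
)

REM 5. Unload the hive so the changes are flushed to disk before rebooting.
reg unload %MOUNT%
endlocal
exit /b 0

:fail
echo Could not load the offline SYSTEM hive; check the drive letter.
exit /b 1
```

After running this, the exported .reg file and the ImagePath value are what to submit to an AV vendor or scan for the dropped driver file. If reg delete still reports access denied even offline, the key carries a DACL denying SYSTEM, and ownership must be taken first (the regedt32 route suggested above).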