Can't remove registry key

I removed a virus from a Windows 7 64-bit computer. There is a registry key that I cannot remove that I think came from this virus. It is HKLM\system\currentcontrolset\services\gupdate\parameters. When I right-click and select permissions it says "requested security information is either unavailable or can't be displayed".

I have tried running psexec -i -d -s \regedit as administrator but still can't get to it.

Can't get to it in safe mode or with all non MS services disabled.

I tried using subinacl and followed these instructions https://secure.experts-exchange.com/askQuestion.jsp?taid=86
ajdratchAsked:

Pradeep DubeyConsultantCommented:
You can do it from the recovery option also.

Boot the machine with the Windows 7 DVD and start the command prompt by pressing the Shift+F10 keys.

Now open the registry and load the system registry key. Delete the key and unload the system key again.

Reboot machine into safe mode.
0
ajdratchAuthor Commented:
I did that and the key does not show up. I guess this means something is loading it at boot up?
0
Pradeep DubeyConsultantCommented:
Okay, run CCleaner and check for the startup items. It will show everything, and from there you can locate that registry and do more.

www.ccleaner.com 

I'm using v 4.03.4151
0

Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
Run regedt32 and take ownership of the key and then delete it.
0
aadihCommented:
Yes. A virus. May not show up in CCleaner startup items (great idea, however), if it is a rootkit infection.

Could you share the name of the virus you cleaned up?  Was it ZeroAccess (or its other variants)?
0
BillDLCommented:
ajdratch

Open Device Manager.

Start button > Control Panel.
If viewing as Details or small icons, click the "System and Security" link then click on "Device Manager" under the "System" heading in the new window.
If viewing large icons, just double-click on "Device Manager"

Alternatively, open Device Manager from the command prompt:    devmgmt.msc

Click the View menu, then click the "Show Hidden Devices" option.
Expand the section named "Non-Plug and Play Drivers".

Do you see one in there named "GUpdate"?

If so, Right-Click on it and choose "Properties", then open the "Drivers" tab.
Take a note of what it says under "Service Name", "Display Name", the path to the file that shows when you click the "Driver Details" button, and what is showing in the Startup Type field in the same tab.

Post the details here.  It may be possible to just uninstall this service after booting into the Administrator account.
0
McKnifeCommented:
The key does not show because "currentcontrolset" always refers to the control set that is currently loaded. Offline, no set is loaded. It will be control set 001.
0
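The offline procedure discussed in this thread, written out as a batch script for the recovery command prompt. This is an added example, not code posted by any participant; the drive letter D:, the mount name OFFLINE and the backup file name are assumptions, and "gupdate" is the service name from the question.

```bat
@echo off
rem Added example. Run from the Windows 7 recovery command prompt (Shift+F10).
rem ASSUMPTIONS: the offline Windows volume is D: and OFFLINE is a scratch
rem mount name chosen here; "gupdate" is the service name from the question.
setlocal
set WINVOL=D:
set MOUNT=HKLM\OFFLINE
set SVC=gupdate

rem Mount the installed system's SYSTEM hive under a temporary name.
reg load %MOUNT% %WINVOL%\Windows\System32\config\SYSTEM || goto :eof

rem CurrentControlSet is only a boot-time link; Select\Current holds the
rem number of the control set it points to (0x1 means ControlSet001).
set CUR=
for /f "tokens=1,3" %%A in ('reg query %MOUNT%\Select /v Current') do (
    if /i "%%A"=="Current" set /a CUR=%%B
)
if not defined CUR (echo Could not read Select\Current & goto unload)
set CS=00%CUR%
set CS=ControlSet%CS:~-3%
set KEY=%MOUNT%\%CS%\Services\%SVC%
echo Boot control set: %CS%

rem Show the service key (ImagePath, Start, Parameters) before touching it.
reg query "%KEY%" /s || (echo %KEY% not found & goto unload)

rem Keep a backup, then delete. Without /f, reg delete asks for confirmation.
reg export "%KEY%" %WINVOL%\%SVC%-backup.reg
reg delete "%KEY%"

:unload
rem Unload so the changes are flushed to the hive file on disk.
reg unload %MOUNT%
endlocal
```

If the hive holds more than one ControlSetNNN key, check each for the same service name before rebooting.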
bneiCommented:
If the virus was the ZeroAccess rootkit, here is documentation from Malwarebytes on how to remove it.

http://malwaretips.com/blogs/zeroaccess-sirefef-virus/

Hope this helps.
0

McKnifeCommented:
Feedback, please
0
ajdratchAuthor Commented:
I have not been able to reconnect to that computer. I should have access to it later this week.
0
ajdratchAuthor Commented:
This took care of it
0
aadihCommented:
Great. You got it working. :-)
0
bneiCommented:
Glad you got her done!
0