Rogue Process I cannot get rid of.

Posted: 03-08-2008, 03:13 PM
C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe

This rogue process is listed in Services. I have managed to Disable it,
however I'd like to remove it entirely. I found it in the Registry, but I
cannot find a way to remove it. I've done everything I know, even in Safe
Mode, and it will not let you delete, modify or whatever.
It has no Dependencies listed, the Service and Display names are the same
"FLBPKKMMZXYZ"


When running Regedit I ran it as Admin, I tried to set permissions on the
Branch and was denied. Here is how it's listed.....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLBPKKMMZXYZ\0000]
"Service"="FLBPKKMMZXYZ"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="FLBPKKMMZXYZ"

The one thing I did do before trying to remove it from the Registry was
delete the file from AppData\Local\Temp. Could this be preventing me from
removing the Registry entry? I wouldn't think so, but it may be the first
time in my life I was wrong :>)

Appreciate any input on this.

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend

Responses to "Rogue Process I cannot get rid of."

Malke
Re: Rogue Process I cannot get rid of.
Posted: 03-08-2008, 03:32 PM

SG wrote:

(snippage)
> C:\Users\User\AppData\Local\Temp\FLBPKKMMZXYZ.exe
>
> This rogue process is listed in Services. I have managed to Disable it,
> however I'd like to remove entirely. I found it in the Registry, but I
> cannot find a way to remove it. I've done everything I know even in the
> Safe Mode and it will not let you delete, modify or whatever.
> It has no Dependencies listed, the Service and Display names are the same
> "FLBPKKMMZXYZ"
> The one thing I did do before trying to remove it from the Registry was
> delete the file from AppData\Local\Temp. Could this be preventing me from
> removing the Registry entry? I wouldn't think so, but it may be the first
> time in my life I was wrong :>)
Your computer is infected and the methods you've used will not clean it.

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/...moving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do
all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. If you are unable to remove the infection by following the
general steps, register at one of the HijackThis forums as suggested.

Standard disclaimer: I can't see and test your computer myself, so these are
just suggestions based on many years of being a professional computer tech;
suggestions based on what you've written. You should not take my
suggestions as a definitive diagnosis. If you can't do the work yourself
(and there is no shame in admitting this isn't your cup of tea), take the
machine to a professional computer repair shop (not your local equivalent
of BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may be
so infested that Windows will need to be clean-installed. If possible, have
all your data backed up before you take the machine into a shop.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
SG
Re: Rogue Process I cannot get rid of.
Posted: 03-08-2008, 04:46 PM
Malke,

Thanks for the response. It's not my system, but one I'm working on. Just so
you know, I have been in this business for many years, was an MVP a few years
back, but due to family obligations had to give it up. Years ago I would
download viruses and take them apart to see how they worked, so I'm not a
novice :>)
>>>Your computer is infected and the methods you've used will not clean
>>>it.<<<
As I said, the executable is gone, the process is disabled, I just need to
remove the Branch from the Registry. This system at one time was infected,
but not now. I've worked in the Registry for many years, but this is a first
that I cannot remove something. Any other thoughts as to why it can't be
removed?

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend

Malke
Re: Rogue Process I cannot get rid of.
Posted: 03-08-2008, 06:02 PM
SG wrote:
> Malke,
>
> Thanks for the response. It's not my system, but one I'm working on. Just
> so you know, I have been in this business for many years, was an MVP a few
> years back, but due to family obligations had to give it up. Years ago I
> would download viruses and take them apart to see how they worked, so I'm
> not a novice :>)
>
>>>>Your computer is infected and the methods you've used will not clean
>>>>it.<<<
>
> As I said, the executable is gone, the process is disabled, I just need to
> remove the Branch from the Registry. This system at one time was infected,
> but not now. I've worked in the Registry for many years, but this is a
> first that I cannot remove something. Any other thoughts as to why it
> can't be removed?
>
Thanks for your excellent explanation. If you are sure that nothing is
respawning and the machine is really clean except for this one registry
key, delete it from outside the operating system with either ERD Commander
or a Bart's PE (if Bart's lets you work on a foreign registry - I don't
know this).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
Malke
Re: Rogue Process I cannot get rid of.
Posted: 03-08-2008, 06:39 PM
One other thought - and I hesitate to even mention this because I'm sure
you've already tried it - you did try to take ownership of the key? If not,
then do that and give the ownership to an account with administrative
privileges. Also, I'm assuming that you ran regedit elevated since this is
Vista.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
Mikep
Re: Rogue Process I cannot get rid of.
Posted: 03-08-2008, 11:31 PM

I think that this key is owned by the system -- and everyone has read
access. It might be possible to grant full control to an admin like Malke
suggests.

Mike


SG
Re: Rogue Process I cannot get rid of.
Posted: 03-09-2008, 05:25 AM
Mike & Malke,

Thanks for all the suggestions, but so far nothing. You cannot take
ownership of the key even with administrative privileges; it still says
access denied. Haven't tried ERD Commander yet and I'd really like to do
this without 3rd-party help if possible. If a rogue program can write to
that branch then there's got to be a way for me to as well. I'm missing
something somewhere, just need to find out what. It's late so I won't fool
with this again until sometime Sunday afternoon, but will be back if I find
something and to read any other thoughts you may have.

--
All the best,
SG

ALEX NICHOL
(1935-2005)
http://www.aumha.org/alex.htm
You will never be forgotten my friend

Malke
Re: Rogue Process I cannot get rid of.
Posted: 03-09-2008, 12:35 PM
SG wrote:
> Mike & Malke,
>
> Thanks for all the suggestions, but so far nothing. You cannot take
> ownership of the key even with administrative privileges; it still says
> access denied. Haven't tried ERD Commander yet and I'd really like to do
> this without 3rd-party help if possible. If a rogue program can write to
> that branch then there's got to be a way for me to as well. I'm missing
> something somewhere, just need to find out what. It's late so I won't fool
> with this again until sometime Sunday afternoon, but will be back if I
> find something and to read any other thoughts you may have.
>
That's the difference between you - the man who takes apart viruses - and me
- the woman who just wants to get the job done. ;-) I'd use ERD and be done
with it.

I don't have any other suggestions except you might want to post to AumHA to
see what the expert malware fighters there have to say. Sorry I was unable
to help you with this. If you do get it figured out, please let me know.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
Mikep
Re: Rogue Process I cannot get rid of.
Posted: 03-09-2008, 05:08 PM

I was able to assign myself full control of a key in a
CurrentControlSet\Enum .... entry. Right click on the key, select
permissions and add. Then enter your user name in the 'object names to
select' --- then check the 'full control' box.

Mike
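The take-ownership procedure Malke and Mike describe, scripted so the result can be checked rather than clicked through. This is an added example, not code posted by anyone in the thread. It assumes an elevated PowerShell session on Vista or later, the service name from the original post, and the standard key layout (Services\<name> plus the Enum\Root\LEGACY_<name> devnode the PnP manager creates for a legacy service). Two things the GUI hides are made explicit: the Enum\Root keys are owned by SYSTEM with read-only access for Administrators, and taking ownership of a key that grants you no WRITE_OWNER access only works if SeTakeOwnershipPrivilege is actually enabled in the token, which regedit does for you and PowerShell does not.

```powershell
# Added example (not from the thread). Inspect and remove the registry footprint
# of a disabled service. Run from an elevated PowerShell on Vista or later.
# Assumption: service name from the original post; standard key layout.
$ServiceName = 'FLBPKKMMZXYZ'
$Keys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName",
    "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$ServiceName"
)

# Step 1: who owns each key and what Administrators really hold on it.
foreach ($k in $Keys) {
    if (-not (Test-Path $k)) { "$k : not present"; continue }
    $acl = Get-Acl -Path $k
    "$k`n  Owner: $($acl.Owner)"
    $acl.Access | ForEach-Object { '  {0,-35} {1}' -f $_.IdentityReference, $_.RegistryRights }
}

# Step 2: if the service is still registered, remove it the supported way first.
# The SCM marks it for deletion; the LEGACY_ devnode is usually cleaned up on the
# next boot, which avoids the ownership fight entirely.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    sc.exe stop $ServiceName | Out-Null
    sc.exe delete $ServiceName
}

# Step 3: the forced path. Enable SeTakeOwnershipPrivilege (held but disabled in
# an elevated admin token) via AdjustTokenPrivileges, as regedit does internally.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES {
        public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    public static bool Enable(string privilege) {
        IntPtr token;
        // 0x0028 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028, out token)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1; tp.Attributes = 0x2; // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) return false;
        // AdjustTokenPrivileges returns true even when nothing was assigned, so
        // the real verdict is GetLastError() == ERROR_SUCCESS.
        return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
            && Marshal.GetLastWin32Error() == 0;
    }
}
'@
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'Could not enable SeTakeOwnershipPrivilege; is this session elevated?'
}

$Admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators

function Take-RegKey {
    # Make Administrators owner of an HKLM-relative key, grant Full Control, recurse.
    # RegSetKeySecurity does not propagate inherited ACEs, hence the explicit recursion.
    param([string]$SubKey)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    # Ask only for WRITE_OWNER; with the privilege enabled the access check grants it
    # even though the DACL gives Administrators nothing beyond read.
    $key = $hklm.OpenSubKey($SubKey, 'ReadWriteSubTree', [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($Admins)            # fresh descriptor: only the owner section is written
    $key.SetAccessControl($sec); $key.Close()
    # As owner we now hold implicit READ_CONTROL and WRITE_DAC; add a Full Control ACE.
    $key = $hklm.OpenSubKey($SubKey, 'ReadWriteSubTree',
        [System.Security.AccessControl.RegistryRights]'ChangePermissions, ReadPermissions, EnumerateSubKeys')
    $sec = $key.GetAccessControl()
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $Admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $key.SetAccessControl($sec)
    foreach ($child in $key.GetSubKeyNames()) { Take-RegKey "$SubKey\$child" }
    $key.Close()
}

foreach ($k in $Keys) {
    if (-not (Test-Path $k)) { continue }
    Take-RegKey ($k -replace '^HKLM:\\', '')
    Remove-Item -Path $k -Recurse -Force
    if (Test-Path $k) { Write-Warning "$k would not delete or came back; something is still protecting it" }
}
```

Two caveats a practitioner would want. The original post's export came from ControlSet001; this script works through CurrentControlSet, so after a successful run check whether another ControlSet00N still carries a copy. And if the delete fails with the privilege enabled, or the key reappears, that is exactly the situation Malke describes: something is still resident and protecting the key, and the cleanup belongs offline (ERD Commander, or a WinPE boot with the SYSTEM hive loaded under reg load), not in the running OS.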


Malke
Re: Rogue Process I cannot get rid of.
Posted: 03-09-2008, 09:41 PM
Mikep wrote:
>
> I was able to assign myself full control of a key in a
> CurrentControlSet\Enum .... entry. Right click on the key, select
> permissions and add. Then enter your user name in the 'object names to
> select' --- then check the 'full control' box.
Yes, Mike - but presumably you're not working on an infected computer and SG
is. That does make a big difference. I've had viruses/malware make it so I
absolutely could not take ownership of a registry key and where the only
way I could kill it was from outside the OS. I think SG is in the same boat
with his client's machine; but he wants to figure out where the "block" is
because he's that kind of guy (and I mean that in an admiring way).

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 