Hmmm. When I open RegLite, both windbg48s are fine. When I delete one windbg48, the other one goes to red and becomes un-deleteable. I'm going to run Killbox, etc., and post new logs for you now though.
300 posts! We can pretend to be Sparta now?
Went into Safe Mode after Killboxing (accidentally went into Normal mode first, but then rebooted again into Safe). I found most of the files present, except for a couple of the SQMs and the last one (the win-dev....). Then I went through the rest of the instructions. Logs coming up, though I'm sure windbg48 is still there, and will probably come up in that log!
I'm just curious... I see the log for ISeeYouXP doing the "looking for known rogues" bit but I don't see BraveSentry as one of the ones it lists as looking for. I know it's a clone or relative of the SpySheriff/SpyAxe kind, which are on there, but I didn't know if it was different enough. Of course, I think we're way past getting rid of BraveSentry.. I think SmitFraudFix did that back in post, like, 4
Logs!
I haven't added a lot of rogues to ISeeYouXP lately. They aren't that hard to spot in a HijackThis log and there usually isn't enough of a difference, on many, to warrant adding to the script.
Run Registrar Lite and navigate to each of the following keys (one at a time) and take ownership of them (explained further down).
Note: + windbg48 has that little box looking character, not -
Code:
HKEY_LOCAL_MACHINE\system\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf
HKEY_LOCAL_MACHINE\system\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000
HKEY_LOCAL_MACHINE\system\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ + windbg48
HKEY_LOCAL_MACHINE\system\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf
HKEY_LOCAL_MACHINE\system\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000
HKEY_LOCAL_MACHINE\system\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48
HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ + windbg48
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ + windbg48
To take ownership of the key do the following:
1. Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
2. Click on Security in the top Menu.
3. Select Take Ownership.
4. Repeat these steps for all of the registry keys given above before continuing to the next steps below.
5. Now leave Registrar Lite running and continue.
6. Now run the fixME2.reg REGISTRY PATCH below in this message.
7. Tell me the results. Any error messages?
8. Now in Registrar Lite click View and then Refresh.
9. Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
10. If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!
Registry Patch
Download and unzip FixME2-reg.zip to your desktop. Double-click FixME2.reg and allow it to merge with the registry.
PART 2 - Setting Permissions for Everyone
Run the below if some of the registry keys still exist after running the above steps.
Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this down below the list of registry keys).
Note: + windbg48 has that little box looking character, not -
Code:
HKEY_LOCAL_MACHINE\system\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf
HKEY_LOCAL_MACHINE\system\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000
HKEY_LOCAL_MACHINE\system\ControlSet001\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ + windbg48
HKEY_LOCAL_MACHINE\system\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf
HKEY_LOCAL_MACHINE\system\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000
HKEY_LOCAL_MACHINE\system\ControlSet002\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48
HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ + windbg48
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000\LogConf
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48\0000
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ + windbg48
After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:
Everyone
SYSTEM
Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next one and work through the whole list. If it does not delete, boot into Safe Mode and repeat these exact same steps from Safe Mode.
Note: If you don't see the Everyone group, choose your user account name (if it shows) otherwise choose Administrator (if it shows). Reboot your PC!
Post fresh logs for:
HijackThis
ISeeYouXP
Last edited by ShadowPuterDude; 05-23-2007 at 07:11 PM.
a-squared Team - www.emsisoft.com
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
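The three Registrar Lite steps in the post above (Take Ownership, give Everyone Full Control, Delete, then View > Refresh and check) can be scripted, and doing so shows why the keys are listed leaf-first and why the refresh-and-check matters. This is an added example written for this page; it is not ShadowPuterDude's FixME patch and not anything from the original thread. It assumes an elevated Windows PowerShell 5.1 session on a current Windows build (the thread's machine is XP), and the names Remove-ProtectedKey and TokenPriv are mine.

```powershell
# Added example, not from the thread: the Registrar Lite recipe scripted. Run from an ELEVATED shell.
# Administrators hold SeTakeOwnershipPrivilege but it is disabled by default; enable it in this
# process so a key whose DACL denies us everything can still be opened for WRITE_OWNER.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public int Count; public LUID Luid; public int Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr p, int access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll,
        ref TOKEN_PRIVILEGES np, int len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string name) {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out tok)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.Count = 1; tp.Attr = 2; /* SE_PRIVILEGE_ENABLED */
        bool ok = LookupPrivilegeValue(null, name, out tp.Luid)
               && AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;   // 1300 here means the token never had the privilege
        CloseHandle(tok);
        return ok;
    }
}
'@
foreach ($p in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
    if (-not [TokenPriv]::Enable($p)) { throw "could not enable $p - is this shell elevated?" }
}

$admins   = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # "Everyone" in any UI language

function Remove-ProtectedKey {
    param([string]$SubKey)   # path relative to HKEY_LOCAL_MACHINE
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $rw   = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    # Step 1 (Security > Take Ownership): ask for WRITE_OWNER only, which the privilege grants
    # regardless of the DACL, and write nothing but the owner.
    $k = $hklm.OpenSubKey($SubKey, $rw, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $k) { return }   # already gone (CurrentControlSet is a link to one of the ControlSet00x keys)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins)
    $k.SetAccessControl($sec); $k.Close()
    # Step 2 (Security > Edit Permissions, Everyone = Full Control): the owner always has WRITE_DAC,
    # so reopen for that right alone and replace the DACL with one inheritable Allow ACE.
    $k = $hklm.OpenSubKey($SubKey, $rw, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetAccessRuleProtection($true, $false)   # do not re-inherit anything from the parent key
    $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    $k.SetAccessControl($sec); $k.Close()
    # Step 3 (Delete): subkeys such as 0000 and LogConf carry their own locked-down ACLs, which is
    # why the post lists them leaf-first; fix and remove each child before the parent.
    $k = $hklm.OpenSubKey($SubKey, $true)
    foreach ($child in $k.GetSubKeyNames()) { Remove-ProtectedKey "$SubKey\$child" }
    $k.Close()
    $hklm.DeleteSubKey($SubKey, $false)
}

# Find the keys instead of typing the "box" character: anything under Services or Enum\Root
# whose name ends in WINDBG48, in each control set the post names.
$targets = foreach ($cs in 'ControlSet001', 'ControlSet002', 'CurrentControlSet') {
    foreach ($branch in "SYSTEM\$cs\Services", "SYSTEM\$cs\Enum\Root") {
        $b = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($branch)
        if ($b) { $b.GetSubKeyNames() | Where-Object { $_ -like '*WINDBG48' } | ForEach-Object { "$branch\$_" }; $b.Close() }
    }
}
$targets | ForEach-Object { Write-Host "removing HKLM\$_"; Remove-ProtectedKey $_ }

# Verify the way the post does (View > Refresh, then look). Anything still here survived the
# ACL change, which is the symptom of something re-protecting the key; redo it from Safe Mode.
$left = $targets | Where-Object { [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($_) }
if ($left) { $left | ForEach-Object { Write-Warning "still present: HKLM\$_" } } else { Write-Host 'all target keys deleted' }
```

A plain Remove-Item -Recurse fails on keys like these because the registry provider never takes ownership; the explicit WRITE_OWNER open with the privilege enabled is the whole trick, and the same sequence is what the Take Ownership and Edit Permissions menu items do by hand. If a key shows up as "still present" even though no error was raised, a running component is re-applying the restrictive ACL, which is exactly the case the post's Safe Mode instruction is for.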
How do I type that little box looking character? EDIT: Never mind, I just navigated to it.
Also, I don't see Fixme2-reg in the message, so I'm stopped at that point.
Last edited by StckFigure; 05-23-2007 at 12:09 PM.
All three keys with the \Services\ +*windbg48 ending (CurrentControlSet, ControlSet001, and ControlSet002) are showing up as the red access denied folder. When I go through the steps to allow permissions, it proceeds as it should, but the folder stays red. I try to delete it, confirm the deletion, and then nothing happens (i.e., it's still there after a refresh). When I go back into the Permissions, it has reset itself to uncheck the permissions I checked. This one
Code:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_*00FF*00FF*00FF*00FF*00C0*00FF*0012WINDBG48
and its subkeys had the red folder as well, but I was successful in deleting them.
Logs coming up
Another day, another pair of logs.
OK, there are 3 registry keys that did not delete.
Download and unzip FixME3.zip to your Desktop.
Reboot to Safe Mode.
Double-click FixME3.reg and answer yes when asked if you want to merge with the registry.
Reboot to Normal Mode and check to see if the 3 keys listed in the Registry patch did in fact delete; if not, double-click on FixReg.bat. A DOS window will briefly flash on the screen.
Reboot.
Attach a fresh ISeeYouXP log
I'm assuming the three registry keys you're talking about are the same three I mentioned.. but unfortunately, those are still there, even after running the .bat file, appearing as red access denied folders in Reglite.
Here's the ISeeYouXP log, though it may look exactly the same. What is windbg48 anyway? Is it a trojan? Do we know what it does, or just that it's bad? And, is that the last remaining nugget of bad on my computer?