Worm removal - Help with LEGACY key in Regedit

SJS

My Symantec antivirus detected an instance of the W32.Spybot.UBH on my
machine; however, it could only quarantine it, not delete it altogether. I
have been following the instructions on Symantec's website
(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ubh.html)
which, at one point, require deleting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_SVKP

Unfortunately, RegEdit just won't allow me. When I locate the key, and press
delete, I get an 'Error Deleting Key' popup message. Any suggestion? As
always, thank you in advance for your ideas.
 
Leythos

"SJS" <sjs[at]yahoo said:
My Symantec antivirus detected an instance of the W32.Spybot.UBH on my
machine; however, it could only quarantine it, not delete it altogether. I
have been following the instructions on Symantec's website
(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ubh.html)
which, at one point, require deleting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_SVKP

Unfortunately, RegEdit just won't allow me. When I locate the key, and press
delete, I get an 'Error Deleting Key' popup message. Any suggestion? As
always, thank you in advance for your ideas.

Reboot in SAFE MODE and run AV software again.

Then, in SAFE MODE, edit the registry again.
 
Doug Knox MS-MVP

Right click the key in question. Select Permissions. Ensure that your username has full control. If not, modify the permissions. If your username isn't listed, click Add and add it to the list with Full control.
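The permission fix in Doug Knox's post, scripted as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell session on the affected machine and that the Administrators group is owner of the key or already holds WRITE_DAC on it (the situation the post describes); the key path is the LEGACY_SVKP path from the question. Run it in Safe Mode, as suggested above, if the key keeps coming back.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell
# prompt. Assumes BUILTIN\Administrators can already rewrite the key's DACL.

function Remove-StubbornRegistryKey {
    param(
        # Path below HKEY_LOCAL_MACHINE, e.g. SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVKP
        [Parameter(Mandatory)] [string] $SubKey,
        # Account that is granted Full Control before the delete is attempted
        [string] $Principal = 'BUILTIN\Administrators'
    )

    $path = "HKLM:\$SubKey"
    if (-not (Test-Path -Path $path)) { throw "$path does not exist." }

    # Regedit's 'Error Deleting Key' normally means the key's DACL grants the
    # caller no DELETE right. Add an inheritable Full Control ACE for the
    # principal; Windows propagates the inheritable ACE to the sub-keys when
    # the DACL is written back, so they stop blocking the recursive delete.
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Principal, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    try {
        Set-Acl -Path $path -AclObject $acl
    } catch {
        # Rewriting the DACL needs WRITE_DAC, which only the owner is guaranteed
        # to have. Taking ownership is the manual step Regedit offers for this.
        throw "Cannot change permissions on $path ($($_.Exception.Message)). " +
              "Take ownership of the key first (Regedit > Permissions > Advanced > Owner), then re-run."
    }

    # -Recurse also removes the instance sub-key (LEGACY_* keys normally carry
    # one named 0000) that would otherwise keep the parent undeletable.
    Remove-Item -Path $path -Recurse -Force -ErrorAction Stop

    if (Test-Path -Path $path) { throw "$path is still present." }
    Write-Host "Deleted $path"
}

Remove-StubbornRegistryKey -SubKey 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVKP'
```

If the Set-Acl call itself is refused, the account is neither owner of the key nor granted WRITE_DAC on it; take ownership in Regedit first, after which both the permission change and the delete go through.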
 
David H. Lipman

From: "SJS" <sjs[at]yahoo[dot]com>

| My Symantec antivirus detected an instance of the W32.Spybot.UBH on my
| machine; however, it could only quarantine it, not delete it altogether. I
| have been following the instructions on Symantec's website
| (http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ubh.html)
| which, at one point, require deleting
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_SVKP
|
| Unfortunately, RegEdit just won't allow me. When I locate the key, and press
| delete, I get an 'Error Deleting Key' popup message. Any suggestion? As
| always, thank you in advance for your ideas.
|

Quarantining a file is good practice in case a file is falsely declared as
being infected. You can always dump the NAV quarantine later on if it is truly infected.

Please read the following URL -- http://vil.nai.com/vil/content/v_135434.htm

Go to; start --> run
execute; services.msc

Look for a service called; SVKP

If you have it do the following...

Use the Resource Kit utility, DELSRV.EXE, and execute; delsrv SVKP
Reboot and then scan the system using the following Multi AV scanning tool.

I posted the DELSRV.EXE utility in a ZIP file...

Post Subject: DELSRV for Hacktool.Rootkit
Posted in: alt.binaries.comp.virus


Start with the McAfee module in the following Multi AV Scanning Tool...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend, Kaspersky and McAfee Anti Virus Command
Line Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
David H. Lipman

From: "David H. Lipman" <[email protected]>

< snip >

| Use the Resource Kit utility, DELSRV.EXE, and execute; delsrv SVKP
| Reboot and then scan the system using the following Multi AV scanning tool.
|
| I posted the DELSRV.EXE utility in a ZIP file...
|
| Post Subject: DELSRV for Hacktool.Rootkit
| Posted in: alt.binaries.comp.virus

< snip >

Alternatively, instead of downloading DELSRV.EXE...

You can execute; sc delete SVKP
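The service removal from David Lipman's two posts (delsrv SVKP, or the built-in sc delete SVKP), as an added PowerShell example that is not part of the original thread. It assumes an elevated Windows PowerShell 4 or later session (Get-FileHash), the service name SVKP from the thread, and a hypothetical quarantine folder C:\Quarantine. It records what the service loaded, deregisters it with sc.exe, moves the binary aside rather than deleting it (keeping Lipman's point about quarantine), and leaves the LEGACY_ key for after the reboot, because the PnP manager recreates that key at boot as long as the service exists.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell
# prompt. Service name SVKP and the quarantine folder are assumptions.

function Remove-MalwareService {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [string] $QuarantineDir = 'C:\Quarantine'   # hypothetical folder
    )

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -Path $svcKey)) {
        Write-Host "No service named $ServiceName is registered."
        return
    }

    # The Services key lists kernel drivers as well as the Win32 services that
    # services.msc shows. Type 1/2 = driver, 0x10/0x20 = Win32 service.
    $props = Get-ItemProperty -Path $svcKey
    Write-Host ("{0}: Type=0x{1:X} Start={2} ImagePath={3}" -f `
        $ServiceName, $props.Type, $props.Start, $props.ImagePath)

    # Resolve ImagePath to a file: keep the quoted part if arguments follow,
    # strip an NT prefix, expand \SystemRoot, root relative driver paths.
    $image = [string]$props.ImagePath
    if ($image -match '^"([^"]+)"') { $image = $Matches[1] }
    $image = $image -replace '^\\\?\?\\', ''
    $image = $image -replace '^\\SystemRoot', $env:SystemRoot
    if ($image -and -not [System.IO.Path]::IsPathRooted($image)) {
        $image = Join-Path -Path $env:SystemRoot -ChildPath $image
    }
    if ($image -and (Test-Path -LiteralPath $image)) {
        # Record the hash before anything is moved, for later identification.
        $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
        Write-Host "SHA256 $hash  $image"
    }

    # sc.exe handles drivers and services alike; Stop-Service sees only services.
    & sc.exe stop $ServiceName | Out-Null      # fails harmlessly if not running
    & sc.exe delete $ServiceName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc delete $ServiceName failed (exit code $LASTEXITCODE)" }

    # A running service is only marked for deletion until reboot. Move the
    # binary aside so nothing can reload it meanwhile; a loaded driver file is
    # locked, in which case this step has to be done from Safe Mode.
    if ($image -and (Test-Path -LiteralPath $image)) {
        New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
        try {
            Move-Item -LiteralPath $image -Destination $QuarantineDir -Force
            Write-Host "Moved $image to $QuarantineDir"
        } catch {
            Write-Warning "Could not move $image ($($_.Exception.Message)); reboot and retry."
        }
    }

    # LEGACY_<NAME> under Enum\Root is the PnP manager's record of a non-PnP
    # service and is recreated at boot while the service exists, so it is
    # deleted last, after the reboot that finishes the service removal.
    $legacy = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($ServiceName.ToUpper())"
    if (Test-Path -Path $legacy) {
        Write-Host "Reboot, then delete $legacy (fix its permissions first if Regedit refuses)."
    }
}

Remove-MalwareService -ServiceName 'SVKP'
```

Deleting the service and its file before the LEGACY_ key is what makes the key stay gone; deleting the key alone, while the service still loads at boot, just gets it re-created.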
 
SJS

Thanks. It worked.


Right click the key in question. Select Permissions. Ensure that your
username has full control. If not, modify the permissions. If your username
isn't listed, click Add and add it to the list with Full control.
 
Guest

Good one
Thanks
sachin

Leythos said:
"SJS" <sjs[at]yahoo said:
My Symantec antivirus detected an instance of the W32.Spybot.UBH on my
machine; however, it could only quarantine it, not delete it altogether. I
have been following the instructions on Symantec's website
(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ubh.html)
which, at one point, require deleting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_SVKP

Unfortunately, RegEdit just won't allow me. When I locate the key, and press
delete, I get an 'Error Deleting Key' popup message. Any suggestion? As
always, thank you in advance for your ideas.

Reboot in SAFE MODE and run AV software again.

Then, in SAFE MODE, edit the registry again.
 
Leythos

Good one
Thanks
sachin

Here's another thing - if you can't delete the registry key, then reboot
from CD, select repair, go to the console, then delete the file that you
were trying to remove via the registry entry. Once you do this, reboot
in safe mode, remove the registry entry. If you do this, the file should
not be able to load and reinsert itself in the registry.
 
Malke

Blair said:
Is it necessary to remove any legacy registry keys? Do they present
any threat?

Do a thorough scan in Safe Mode with your antivirus. If it still can't
remove the registry key, start regedit and navigate to the key.
Right-click on it and try Delete. If that doesn't work, use right-click
again and change its permissions to full control for your user account
and/or Administrator. Then you will be able to delete it.

Malke
 
Guest

Thanks Malke,

I'm referring to cases where new infections are NOT detected by AV and
anti-spyware, when you have to create your own fix. In addition, most
scanners will ignore the legacy keys, but not all.

Oftentimes new infections are creating these keys, and permissions must be
changed to remove them. When helping others in an online community this can
be difficult and potentially dangerous for some users.

I don't think the legacy keys can do any harm. They are just non-dangerous
leftovers, and since they can be so difficult to remove, they can be left
alone. I'm looking for the opinions of others.
 
Malke

Blair said:
Thanks Malke,

I'm referring to cases where new infections are NOT detected by AV and
anti-spyware, when you have to create your own fix. In addition, most
scanners will ignore the legacy keys, but not all.

Oftentimes new infections are creating these keys, and permissions
must be changed to remove them. When helping others in an online
community this can be difficult and potentially dangerous for some
users.

I don't think the legacy keys can do any harm. They are just
non-dangerous leftovers, and since they can be so difficult to
remove, they can be left alone. I'm looking for the opinions of others.

When I'm cleaning up a system, I always remove them. If you go to the
forums on CastleCops, BleepingComputer, AumHA, etc. and look at
some of the instructions given by experts working with HJT logs you
will see that removing the Legacy keys is usually done. Those of us who
do this sort of thing for a living do not leave bits of malware lying
around in the system, including Legacy keys.

As for you giving advice in an online community, you will have to use
your own judgment based on your skill level, the community in question,
and the skill level of the people you are trying to help. One of the
many reasons we send people to the HJT forums is because of the high
level of expert help and hand-holding removing some malware requires.
Personally, if I feel that a poster can't manage the elaborate removal
steps necessary it is always better to suggest they take the machine to
a local professional. My motto when giving written technical advice on
a machine I haven't seen to people I don't know is "First, Do No Harm".
Naturally, what you do is your decision.

Malke
 