Jump to content


  • Content Count

  • Joined

  • Last visited

About RvLeshrac

  • Rank
  1. I've noticed that this happens semi-randomly on a variety of machines, and re-installing SAS can 'fix' it (though the jury may be out on whether or not this is something to be 'fixed' per se). Same goes for when an update is attempted and the downloader silently fails to download the update. Not sure what causes it, but re-installing SAS takes care of the problem.
  2. Some spyware actively hides other spyware from scanning programs. The intent is for the software to be hidden and then reinstalled when the scanner 'isn't looking.' Rootkits are the worst example of this, but there are higher-level ways to hide things from the scanner as well, including active detection of the most popular scanning programs. The TDS rootkit, for example, uses a combination of the above. There's also the rare possibility that you've encountered a new variant of a dropper/etc that isn't in the definitions (SOMEONE has to be first, after all). In that case, a scan may remove the 'older' spyware, but not see the dropper as it continues to obtain new spyware to install. Keep in mind that this is extremely rare, and should be the last thought in your mind. With regard to Spy Guard/Winantivirus/etc, there are literally *hundreds* of variants of these applications. They're mostly harmless, just very annoying. SAS coupled with a good antivirus app will keep them from doing anything terribly malicious (AV heuristics will catch any keylogging, for example), so you may simply have to wait several days until new definitions are available to completely remove them. I wouldn't trust my bank account to a machine with one of them 'installed,' but the goal of those 'businesses' isn't to steal information from you, rather to scare/con you into paying for the 'product.' That way, they can stay just in the narrowest grey area of the law.
  3. In this *specific* case, the DLL listed (RQRHAQND.DLL) is likely preventing the deletion of those keys. There are literally dozens of ways for it to protect itself. Malwarebytes seems to have better luck than SAS when dealing *specifically* with Vundo, in my experience, so you may want to try that (if the Prerelease SAS doesn't work for you). I don't generally endorse Malwarebytes over SAS, as SAS tends to detect and remove more malware than MBAM (especially rootkits), but Vundo is a special case. The below steps likely won't help you (the DLL's the thing), but I'm going to post them anyway (since others might see this). In the general case: These keys are actually unimportant. The values and data have been removed, only the keys remain. The issue here is that Vundo alters the permissions on the keys, denying all but Read access to everyone. For some reason, the values and data are left open. I haven't tried the pre-release version of SAS, but if it doesn't remove them, the following steps may help. Please read through the ENTIRE list before proceeding. (Obligatory regedit warning: Deleting the wrong keys while editing the registry may make your system inoperable. The very nature of spyware/malware may cause your system to fail even when deleting the *correct* keys. If you don't feel comfortable doing the following, please request help from someone else. Caveat emptor et backup.) 1) Open Regedit 2) Navigate to the root key (in this case, HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ) 3) Right-click the key in the left pane ( {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ) 4) Left-click on Permissions 5) Click Add 6) Type 'Everyone' into the box, and click OK 7) Check the "Full Access" box, click OK Click 'Advanced' 9) Check both boxes (Inherit/Propagate) at the bottom of the dialog 10) Click OK, OK, and then delete the key. [if an error is displayed ('Unable to set/change...'), a DLL is protecting the key. Seek professional help.] 11) Press F5 to refresh. [if the key reappears, a DLL is recreating the key. Seek professional help.] 12) Reboot and rescan your system.
  • Create New...