prokaryote

Found Registry keys, SUPERAnti will not remove - Vundo ?

Hello everyone... I am considering a purchase of SUPERAnti, but I wanted to ask a question before I buy.

the scanner keeps finding

C:\WINDOWS\SYSTEM32\RQRHAQND.DLL

Unclassified.Unknown Origin

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel

I tell SUPERAnti to remove the file AND the keys, but SUPER does not remove anything, or they magically come back. Other sites have claimed that these are from "Vundo"?

My question(s):

If SUPERAnti finds these, and I ask it to remove them, why aren't they removed? Are they really related to Vundo?

Will the PRO version with real-time protection stop infections if I accidentally browse to a web site that is infected?

When you say lifetime updates, does that mean I get definitions AND software updates?

Thanks for your time. So far your product is very, very cool.

EDITED to add:

Here is the log from SUPERAnti:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 01/09/2009 at 00:36 AM

Application Version : 4.24.1004
Core Rules Database Version : 3702
Trace Rules Database Version: 1678

Scan type : Complete Scan
Total Scan Time : 00:40:28

Memory items scanned : 524
Memory threats detected : 0
Registry items scanned : 7098
Registry threats detected : 5
File items scanned : 18403
File threats detected : 13

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RQRHAQND.DLL
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

I am unsure as to why it is not removing them. SAS was the ONLY thing a few months ago that could remove all of it from everywhere after a reboot. Strange it is not removing them from your system. I wish I could help. Does it not ask to reboot when finished to remove? If not, I would still reboot after removal. After that, I do not know, but hopefully you will get some help from the Admin shortly.

The Pro version will block a lot, just like an Antivirus or Antitrojan would. Lifetime means LIFETIME EVERYTHING: updates, versions, the whole nine yards. Money well spent!

In this *specific* case, the DLL listed (RQRHAQND.DLL) is likely preventing the deletion of those keys. There are literally dozens of ways for it to protect itself. Malwarebytes seems to have better luck than SAS when dealing *specifically* with Vundo, in my experience, so you may want to try that (if the Prerelease SAS doesn't work for you). I don't generally endorse Malwarebytes over SAS, as SAS tends to detect and remove more malware than MBAM (especially rootkits), but Vundo is a special case.

The below steps likely won't help you (the DLL's the thing), but I'm going to post them anyway (since others might see this).

In the general case:

These keys are actually unimportant. The values and data have been removed, only the keys remain.

The issue here is that Vundo alters the permissions on the keys, denying all but Read access to everyone. For some reason, the values and data are left open. I haven't tried the pre-release version of SAS, but if it doesn't remove them, the following steps may help. Please read through the ENTIRE list before proceeding.

(Obligatory regedit warning: Deleting the wrong keys while editing the registry may make your system inoperable. The very nature of spyware/malware may cause your system to fail even when deleting the *correct* keys. If you don't feel comfortable doing the following, please request help from someone else. Caveat emptor et backup.)

1) Open Regedit

2) Navigate to the root key (in this case, HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} )

3) Right-click the key in the left pane ( {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} )

4) Left-click on Permissions

5) Click Add

6) Type 'Everyone' into the box, and click OK

7) Check the "Full Access" box, click OK

8) Click 'Advanced'

9) Check both boxes (Inherit/Propagate) at the bottom of the dialog

10) Click OK, OK, and then delete the key. [If an error is displayed ('Unable to set/change...'), a DLL is protecting the key. Seek professional help.]

11) Press F5 to refresh. [If the key reappears, a DLL is recreating the key. Seek professional help.]

12) Reboot and rescan your system.

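The regedit procedure in the post above, written out as a PowerShell script. This is an added example, not code from the original thread or from SUPERAntiSpyware. It assumes an elevated (Administrator) PowerShell session on a machine where the current user is a member of Administrators, which is the default owner of keys created under an admin account; the CLSID and DLL name are the ones from the scan log in this thread, and the function names (Grant-AdminFullControl, Remove-LockedClsidKey) are mine. It departs from the post in one deliberate way: it grants Full Control to BUILTIN\Administrators rather than to Everyone, which is enough to delete the key and does not leave a world-writable key behind if the delete fails. It also does the two checks the post says to watch for (a DLL protecting the key, a DLL recreating it) up front, by listing processes that have the DLL loaded and by re-testing for the key after deletion.

```powershell
# Added example, not from the original post. Resets the DACL on a Vundo-style
# "Read only, for everyone" CLSID key, deletes it, then checks whether it comes
# back. Run from an elevated PowerShell session. CLSID and DLL name below are
# the ones from the scan log in this thread; function names are assumptions.

function Grant-AdminFullControl {
    param([Parameter(Mandatory = $true)][string]$SubKey)   # path relative to HKLM

    # Ask only for the rights needed to edit the DACL. The owner of a key holds
    # WRITE_DAC implicitly, so this open succeeds even when the DACL grants only Read.
    $rights = [System.Security.AccessControl.RegistryRights]'ChangePermissions, ReadKey'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($null -eq $key) { return }   # key is already gone

    $acl  = $key.GetAccessControl('Access')
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRuleProtection($false, $true)   # regedit's "Inherit from parent" box
    $acl.AddAccessRule($rule)                     # regedit's "Add Everyone / Full Control" step
    $key.SetAccessControl($acl)

    # regedit's "Replace permissions on child objects" box: the subkeys
    # (InprocServer32 and friends) are locked the same way, so recurse.
    foreach ($child in $key.GetSubKeyNames()) {
        Grant-AdminFullControl -SubKey "$SubKey\$child"
    }
    $key.Close()
}

function Remove-LockedClsidKey {
    param(
        [Parameter(Mandatory = $true)][string]$Clsid,
        [Parameter(Mandatory = $true)][string]$DllName
    )

    # HKCR\CLSID is a merged view of HKLM\Software\Classes\CLSID (plus the HKCU
    # equivalent), so the HKCR and HKLM lines in the scan log are one key.
    $subKey = "Software\Classes\CLSID\$Clsid"
    $psPath = "Registry::HKEY_LOCAL_MACHINE\$subKey"

    if (-not (Test-Path $psPath)) {
        Write-Host "Key not present: $subKey"
        return
    }

    # A DLL that is still loaded is what protects and recreates the key.
    # Module enumeration throws for some processes (protected, or WOW64 from a
    # 64-bit shell); treat those as "not loaded here" rather than aborting.
    $holders = Get-Process | Where-Object {
        try { @($_.Modules | Where-Object { $_.ModuleName -ieq $DllName }).Count -gt 0 }
        catch { $false }
    }
    if ($holders) {
        $list = ($holders | ForEach-Object { "$($_.Name) (PID $($_.Id))" }) -join ', '
        Write-Warning "$DllName is loaded in: $list"
        Write-Warning 'Expect the key to come back until that DLL no longer loads.'
    }

    Grant-AdminFullControl -SubKey $subKey
    try {
        [Microsoft.Win32.Registry]::LocalMachine.DeleteSubKeyTree($subKey)
    }
    catch {
        # Matches regedit's 'Unable to set/change...' case: DACL could not be
        # changed or the key is held open.
        Write-Warning "Delete failed: $($_.Exception.Message)"
        return
    }

    # Matches the post's "press F5" step: give a resident DLL a moment to react.
    Start-Sleep -Seconds 3
    if (Test-Path $psPath) {
        Write-Warning "Key reappeared: something is recreating $subKey"
    }
    else {
        Write-Host "Deleted $subKey; reboot and rescan."
    }
}

Remove-LockedClsidKey -Clsid '{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}' -DllName 'RQRHAQND.DLL'
```

If OpenSubKey itself throws a SecurityException, the current account is not the key's owner and the post's regedit route (or taking ownership first, which needs SeTakeOwnershipPrivilege) is the way forward; the script deliberately does not try to take ownership, because in the case described in the thread a loaded DLL, not the DACL, is what keeps the key alive, and the warning from the process check is the useful output.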