Help deleting re-generating registry key! (Spybot related)

Hi, I recently ran a Spybot scan to check for nasties. To my surprise it reported on several potentially harmful entries which I swiftly deleted.

After re-running the immunize feature of Spybot (as an administrator) I get a message which reads: "The immunization could not complete, there are 15076 items still unprotected"

It goes on to say that other security software may be blocking them, but I have disabled my anti-virus and I still get the same message.

On reading the log generated by Spybot it led me to the "Domains" folder/key in the registry. I have deleted this folder before, but when I try to do so now it re-generates, including all the contents, which happen to be the items that Spybot cannot secure against. Included in them are some very shady looking website addresses that I have certainly not visited (yeah yeah you say, but it's true!)

How can I delete the contents of this folder permanently?

I have even tried to delete several manually to see if it made a difference to the Spybot reported figure of 15076, but lo and behold, they re-generate themselves again.

Can anyone please help me with this issue, as I am concerned about my security.

Thanks in advance.
 
Try downloading and installing Malwarebytes Anti-Malware. Once done, update it, then reboot to safe mode without networking and run a complete scan of your system. Upon completion, allow the app to remove whatever it finds, then reboot normally and see if that fixes it.

Stoner81.
 
I've noticed it seems to be related to Internet Explorer. All the other objects immunise apart from the ones under the Internet Explorer profile. I downloaded IE9 but no difference.
 
Delete contents of the folder and then change permission to read only on the folder via the security panel. Should stop anything on your account trying to write to it. Either that or make a new profile and delete it. Are there any weird entries in msconfig?
 
delete spybox

combofix.exe in safe mode,

kaspersky tdsskiller safe mode

then scan with Malwarebytes (don't install the resident shield bit, just scan)

CCleaner: run the reg scan (will not fix any virus but will remove crud entries)

install and run Microsoft Security Essentials

** currently there is at least one rootkit the above process will not find (12 / jan / 2012), but if you have that, Microsoft Security Essentials will find it and be unable to remove it (so at least you know something is wrong)
 
Hi thanks a lot for the help. I couldn't settle last night knowing my computer was ill so seeing as I have the week off work I attempted to solve the problem myself before I read the replies.

After scanning with several anti-malware programs and anti-virus software, including a boot time scan, they all came up with nothing. I remembered my old friend "HijackThis" and ran a scan.
On producing a logfile and having it parsed, there were several entries under "O15 -" relating to incorrect internet protocols and trusted website rules. Unfortunately HijackThis could not remove them; every time I tried they were again re-generated.

After getting increasingly annoyed I figured my machine was about due for a clean install. It's been about a year since my last one, with a mobo, graphics card and RAM upgrade in between, so I bit the bullet, backed up my data and formatted the hard drive.

It's taken me most of the morning putting all my programs and settings back on, but I finally have my PC running better than ever and with no traces of the previous problem or any other.

Thanks again for the quick replies and help though.
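
For anyone triaging the same symptom, an added example (not part of the original thread, and not Spybot or HijackThis code): it reads a registry export of the "Domains" key and counts entries per Internet Explorer security zone, so Restricted Sites block-list entries can be told apart from Trusted Sites entries, which HijackThis reports as O15. The full key path and the sample export are assumptions, since the thread only names the key "Domains".

```python
import re
from collections import Counter

# Zone numbers used by Internet Explorer's security zones.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
# Assumed location of the "Domains" key (the thread does not give the full path).
DOMAINS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
KEY_RE = re.compile(r"^\[(?P<path>.+)\]$")
VAL_RE = re.compile(r'^"(?P<proto>[^"]+)"=dword:(?P<zone>[0-9a-fA-F]{8})$')

def parse_zone_map(reg_text):
    """Return (host, protocol, zone) tuples from a .reg export of the Domains key."""
    entries, host = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            _, sep, tail = key.group("path").partition(DOMAINS + "\\")
            # Subdomains are subkeys (Domains\example.com\www): rebuild www.example.com.
            host = ".".join(reversed(tail.split("\\"))) if sep else None
            continue
        val = VAL_RE.match(line)
        if val and host:
            entries.append((host, val.group("proto"), int(val.group("zone"), 16)))
    return entries

def summarize(entries):
    """Count entries per zone name."""
    return Counter(ZONES.get(z, f"zone {z}") for _, _, z in entries)

def trusted(entries):
    """Hosts mapped to Trusted Sites, the ones worth reviewing one by one."""
    return sorted({h for h, _, z in entries if z == 2})

# Constructed sample export (hostnames are invented, not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-ads.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracker.example\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unexpected.example]
"http"=dword:00000002
'''
if __name__ == "__main__":
    print(summarize(parse_zone_map(SAMPLE)), trusted(parse_zone_map(SAMPLE)))
```

A real export from regedit is saved as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `parse_zone_map`.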
 
Let's hope it stays that way ;)

I hope so. I've never experienced such security holes and have certainly never had so much malware turn up until I changed from Firefox to Google Chrome. I think Spybot originally picked up about 8 harmful entries including Zedo and some other pretty high risk stuff.

Needless to say I apologised to Firefox and we are friends again :D
 
Install SpywareBlaster as it blocks against Zedo.

Stoner81.
 
Install Sandboxie and run your browser under that unless you really need to save stuff to disk. No more spyware. :p
 