
View Full Version : Removing Registry Item (found by TrjnRem}



blanco
30-07-2010, 11:26 PM
Win XP SP3. Somebody else's PC.
Trojan remover shows a registry entry but will not remove or rename it: "HKLM\sys\current control set\services\MS Office Groove Audit service Y", tagged "image path".
MS Office has been uninstalled using Revo and a system search shows no files related. This does not show up in HiJackThis display or log.
Tried to delete/rename in regedit but no success. I think this is some kind of stealth add-on but I am not sure. If it is not meant to be there I would like to get rid of it because it may be causing problems. My questions are: Should I be concerned about it, and how can I get rid of it?
Regards

feersumendjinn
31-07-2010, 04:59 AM
Try this
http://ccollomb.free.fr/unlocker/

blanco
31-07-2010, 06:41 AM
Thanks for the link but this is what I get:-

Reported Unsafe Website: Navigation Blocked

This website has been reported as unsafe
ccollomb.free.fr

We recommend that you do not continue to this website.
Go to my home page instead

This website has been reported to Microsoft for containing threats
to your computer that might reveal personal or financial information.

More information

This website has been reported to contain the following threats:

Malicious software threat: This site contains links to viruses or
other software programs that can reveal personal information
stored or typed on your computer to malicious persons.

Learn more about phishing
Learn more about malicious software
Report that this site does not contain threats
Disregard and continue (not recommended)

Speedy Gonzales
31-07-2010, 07:04 AM
Looks like it's part of Office. What version of Office? Unlocker is safe. Although I doubt it'll unlock things in the registry.

blanco
31-07-2010, 07:09 AM
Office 2007 was installed but I uninstalled with Revo.
Malwarebytes shows it as a possible stealth file but won't Zap it.

Speedy Gonzales
31-07-2010, 07:13 AM
Get Ripoutoffice2007 from here http://www.refusetosuffer.com/

The link is on the right. Run it then wait for it to finish then reboot

blanco
31-07-2010, 07:17 AM
Thanks Speedy. I'll give it a go.

blanco
31-07-2010, 07:53 AM
Ran the ripout which reported success but reg item still there.
Found a page on reg entry delete which I haven't got time to explore at this time.
Tomorrow, probably.

Speedy Gonzales
31-07-2010, 08:02 AM
Go to start/run type services.msc

Does MS Office Groove Audit service Y appear here??

You may have to give yourself permission to delete HKLM\sys\current control set\services\MS Office Groove Audit service Y in the registry.

Go to start/run, type regedit. Go to HKLM\sys\current control set\services\, right mouse on it / select permissions. Select your name. Then tick full control, then OK. Then delete that service (DON'T delete anything else).

If this is ghosted, you'll have to click on advanced button / owner. Select your username then / replace owner down the bottom, then OK.

Then select your username again tick allow full control. Then you should be able to delete that entry
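
Added example, not posted by anyone in the thread: a read-only PowerShell check that reports, for one service key, the ImagePath value, whether the file it points to still exists, whether Get-Service can see the service, and who owns the key and holds Full Control. It assumes Windows PowerShell is installed (an optional download on XP); the function name is hypothetical, and the key name passed to it is a placeholder for the exact name shown in regedit.

```powershell
# Added example: read-only triage of one service key. Nothing is modified.
function Get-ServiceKeyTriage {
    param([Parameter(Mandatory = $true)][string]$ServiceKeyName)

    $keyPath = Join-Path 'HKLM:\SYSTEM\CurrentControlSet\Services' $ServiceKeyName
    if (-not (Test-Path -Path $keyPath)) { throw "Key not found: $keyPath" }

    # ImagePath is the value the scanner tagged; it can be missing on a leftover key.
    $imagePath = (Get-ItemProperty -Path $keyPath).ImagePath
    $exe = $null
    if ($imagePath) {
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
        # Normalise the NT-style prefixes that driver entries use.
        $expanded = $expanded -replace '^\\\?\?\\', ''
        $expanded = $expanded -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        # Separate the executable from any command-line arguments.
        if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($expanded -match '^(.+?\.(exe|sys|dll))(\s|$)') { $exe = $Matches[1] }
        else { $exe = $expanded }
        # Relative ImagePath values are resolved against the Windows directory.
        if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
    }

    # Owner and Full Control holders explain an "access denied" on delete or rename.
    $acl = Get-Acl -Path $keyPath
    $fullControl = [System.Security.AccessControl.RegistryRights]::FullControl
    $holders = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $fullControl) -eq $fullControl
    } | ForEach-Object { $_.IdentityReference.Value }

    New-Object PSObject -Property @{
        Key               = $keyPath
        ImagePath         = $imagePath
        ResolvedFile      = $exe
        FileExists        = [bool]($exe -and (Test-Path -Path $exe))
        KnownToGetService = [bool](Get-Service -Name $ServiceKeyName -ErrorAction SilentlyContinue)
        Owner             = $acl.Owner
        FullControl       = ($holders -join ', ')
    }
}

# Placeholder name: replace with the exact key name shown under Services in regedit.
# Get-ServiceKeyTriage -ServiceKeyName '<exact service key name>' | Format-List
```

If FileExists is False, the key points at a file that is no longer on disk; if the current account is neither the owner nor listed under FullControl, that matches the permission and ownership steps described in the last reply.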