Question : Removal of useless left-over software registry keys

I share a PC for research with others.  All modifications, downloads and software installations are carefully monitored, but recently 3 keys appeared under \HKEY_CURRENT_USER\Software that are nowhere else in the registry as well as in the overall file system.  I hope I can attach a screenshot when sending this, it shows a key for ISTbar, a self-installed application where one of the researchers told me, he removed it with Add/Remove Programs in Control Panel.  2 other guys told me, the same thing happened with Webdialer, apparently a Trojan Horse-type offshore pornographic self-dialing algorithm and VBouncer, an undesired system utility.  Now, my question is 2-fold:

1)  Can I simply remove such left-over keys from this specific location in the registry if there is absolutely no other reference to these programs, their folders or files any more, or could this damage the registry?  Note, that I had once a bad experience with a registry "cleaning" utility and since then prefer to watch what I install and how I uninstall it, and that has worked fine, since I don't allow any crap.  With these Trojan Horses though, the other guys swear that they installed themselves against their will and that they removed them right away.

2)  The install of VBouncer was slightly different.  When running msconfig, I unchecked it from Startup (and that was AFTER I uninstalled VBouncer), then removed the ...\RUN- key in accordance with the IDG Book "More Windows Secrets" Part II - Local Secrets on page 693 and that works well, all leftovers in Startup are gone when following the procedure outlined there.   But in the registry, VBouncer is not a key by itself.  Instead, it is a subkey as follows:

\HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer\Settings

Is \VB and VBA Program Settings a needed and valid key so that I have to leave it there, or is it a deception by the VBouncer people to make you think it is something meaningful?  If it is meaningful, what is it for?  If it has to remain there, can I then simply delete the \VBouncer key and with it the \Settings key underneath it?

Thank you very much in advance.

Sincerely,
Bernard

Answer : Removal of useless left-over software registry keys

If these are adware or spyware, then downloading either Ad-aware 6.0 or Spybot Search and Destroy should get rid of all remnants of them. When you say trojan, do you mean virus? Usually that is a term reserved for a type of computer virus.

http://www.lavasoftusa.com/support/download/
http://security.kolla.de/

The first link is for Ad-aware. You'll need the most recent build when you download; if you do not have it, then go into the program and choose to update it. This will remove all occurrences of VBouncer automatically.


It will also remove ISTbar.
Ad-Aware reflist 20.04.2003 and Spybot S&D update 2003-04-24 can remove ISTbar/AUpdate.

Here is the information on ISTbar, and it can cause security issues:

Description
ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.

Variants
ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server.

ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar code. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com.

ISTbar also installs other parasites: both variants install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus.

Also known as
The AUpdate variant is known as SearchBarCash-Hijacker by Ad-Aware.

Distribution
Installed by ActiveX drive-by download on affiliate sites, typically porn adverts, from April 2003.

What it does
Advertising
In the XXXToolbar variant, yes: opens pop-ups as directed by its controlling server. In AUpdate, no, though the TinyBar component could be used to open pop-ups in the future.

Both variants install other third-party software which includes advertising.

Privacy violation
No.

Security issues
Yes. Can download and execute arbitrary unsigned code from its controlling server. This is used both to update the software and to install third-party software.

Stability problems
None known.

Removal
There is an entry in Add/Remove Programs for 'MS AUpdate' (AUpdate variant) or 'ISTbar' (ISTbar variant). Unfortunately this doesn't remove the toolbar in the AUpdate variant, or RapidBlaster in either variant.

Ad-Aware reflist 20.04.2003 and Spybot S&D update 2003-04-24 can remove ISTbar/AUpdate.

Manual removal
AUpdate variant
Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'AutoUpdater' entry on the right (pointing to aupdate.exe). Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and you should be able to delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and (if it is there) 'aupdate_uninstall.exe' from the System folder. (The System folder can be found inside the Windows folder; it is called 'System32' on Windows NT/2000/XP or just 'System' on Windows 95/98/Me.)

Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster and DownloadPlus.

XXXToolbar variant
Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'IST Service' entry, if it is there. (Some early releases of XXXToolbar did not include this.)

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"

Restart the computer and you should be able to delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder. You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj (and .1) to clean up if you like.

Finally you can restore your normal search settings (Internet Options->Programs->Reset Web Settings) and deal with RapidBlaster.
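
The manual-removal steps above name specific keys, values and files. As an added example (not part of the original answer), this PowerShell script reports which of them still exist and changes nothing. PowerShell and the System32 path are assumptions for a current Windows system; the key names, value names and CLSID are taken from the page.

```powershell
# Added example: read-only audit of the leftovers named on this page. Deletes nothing.
$clsid = '{69550BE2-9A78-11D2-BA91-00600827878D}'   # CLSID quoted in the answer
$run   = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
$ie    = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'

# Whole keys. "VB and VBA Program Settings" itself is the parent key that Visual
# Basic's SaveSetting writes under, so only the VBouncer subkey is checked.
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "$ie\Explorer Bars\$clsid",
    'Registry::HKEY_CURRENT_USER\Software\ISTbar',
    'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj',
    'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj.1',
    'Registry::HKEY_CURRENT_USER\Software\VB and VBA Program Settings\VBouncer'
)
# Named values under a key that must itself stay in place.
$values = @(
    @{ Key = $run;          Name = 'AutoUpdater' },
    @{ Key = $run;          Name = 'IST Service' },
    @{ Key = "$ie\Toolbar"; Name = $clsid }
)
# Files and folders from the manual-removal steps (System32 assumed: NT/2000/XP or later).
$paths = @(
    'System32\aupdate.exe', 'System32\aupdate.conf', 'System32\aupdate.trk',
    'System32\aupdate_uninstall.exe', 'istsvc.exe'
) | ForEach-Object { Join-Path $env:WinDir $_ }
$paths += Join-Path $env:ProgramFiles 'ISTbar'

function Test-RegValue([string]$Key, [string]$Name) {
    # True only if the key exists and carries a value with this exact name.
    $k = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    return ($null -ne $k) -and ($k.GetValueNames() -contains $Name)
}

$report = @()
foreach ($k in $keys)   { $report += [pscustomobject]@{ Kind = 'Key';   Item = $k; Present = (Test-Path -LiteralPath $k) } }
foreach ($v in $values) { $report += [pscustomobject]@{ Kind = 'Value'; Item = "$($v.Key) -> $($v.Name)"; Present = (Test-RegValue $v.Key $v.Name) } }
foreach ($p in $paths)  { $report += [pscustomobject]@{ Kind = 'File';  Item = $p; Present = (Test-Path -LiteralPath $p) } }

$report | Sort-Object Present -Descending | Format-Table -AutoSize -Wrap
```

Before deleting any key the report shows as present, save it to a .reg file with `reg export` so it can be restored.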
