Windows Registry Deletes Keys on Restart

OS: Windows 7 x64 Home Premium SP 1

I recently got hit by a drive-by download of some sort of malware that really screwed up a lot of things in my computer.

Here are the details:

Initial registry keys deleted from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - bfe, bits, mpssvc, sharedaccess, wscsvc, wuauserv

I managed to run a few malware scanners, but only the first one I ran detected the malware as a trojan and deleted it. I don't remember which one detected it because I downloaded a bunch of different scanners and ran them all (not at the same time). I'm pretty sure some of what I tried were Malwarebytes and the Microsoft Malicious Software Removal Tool.

I then ran the sfc /scannow from cmd. It said a few files that it found were corrupted and that it fixed them.

I also replaced each of the registry keys listed above with clean ones found on a computer with the exact same OS, and then I fixed permissions for each of the keys that required it by adding NT SERVICE/mpssvc (if I remember that string of characters correctly) and Everyone and setting full control for both. Then I ran some batch files to re-register DLLs such as:

regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuwebv.dll
regsvr32 wucltux.dll

(There were others but I don't remember at the moment)

Windows Update isn't even listed in the services listing until I run this command after every time I restart the computer:

regsvr32 wuaueng.dll

or else it just tells me that the service isn't running when I try to use Windows Update.

My only other evident problem now is that the BITS registry key is auto-deleted when I restart the computer. The other keys I replaced remain, but I can't use Windows Update without this BITS key, as I get error code 80246008 when attempting to download new updates. I continue to receive the same error even after re-adding the BITS key to the registry, but I think the system needs to be restarted for the change in the registry to actually take effect? So it ends up being a looping problem. Restart to have changes take effect, but delete the key that's supposed to be making the changes...***?

Everything I did in an attempt to fix this problem was under the instruction of websites I searched for solutions on for about 9 hours straight. I can't find anything to solve these last remaining problems. Any help that doesn't involve a restore/recover is much appreciated! Really, I don't have any restore points, and a recovery would take days of tweaking all the settings of the numerous programs I'd have to get back onto my computer...

Comments
- Collapse -
Nod. Been there.

Just last week I encountered a new nasty called ZeroAccess and could not find a tool to fix it. While I know how to rip it out, my dad didn't have a Windows 7 DVD so we could not remove it using a manual method.

But to get rid of the other pests we used Grif's advice at http://forums.cnet.com/7726-6132_102-5098912.html?tag=posts;msg5099421

I suggest you run those tools and see what remains. If nothing, I have something to share, and it's something folk rarely reveal. Ready? While we can remove most pests, repairing this OS is not a sure thing.
Bob

- Collapse -
Further away from the solution than before, it seems

Thanks, another person from another forum also already had me run those tools. One of them caught this ZeroAccess thing along with some (related?) registry keys. I promptly made sure everything was check-marked for deletion before confirming.

I redid the registry keys for BITS before rebooting, yet they are still gone from the registry again after the restart. Additionally, I can't get the Windows Update service to run at all now. It isn't even in the services list. The command "regsvr32 wuaueng.dll" throws the following error:
"The module "wuaueng.dll" was loaded but the call to DllRegisterServer failed with error code 0x80070005."
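The original post lists the service keys that were deleted under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services, and this reply describes the BITS key disappearing again on every reboot. The script below is an added example, not code from the thread or from any tool mentioned in it: it inventories those service keys, records whether each exists and is known to the Service Control Manager, captures the key owner, ACL, ImagePath and Start value, and exports each present key to a .reg file, so a snapshot taken before a reboot can be diffed against one taken afterwards to see exactly what vanished or changed. The service names and key path come from the post; the function names, the output folder under the user profile and the CSV/.reg layout are assumptions. It is written for the PowerShell 2.0 that ships with Windows 7 and should be run from an elevated prompt.

```powershell
# Added example (not from the thread): snapshot the service registry keys the
# original post names, before and after a reboot, and diff the two snapshots.

$ExpectedServices = 'bfe', 'bits', 'mpssvc', 'sharedaccess', 'wscsvc', 'wuauserv'  # from the post
$BaseKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SnapshotDir = Join-Path $env:USERPROFILE 'svc-key-snapshots'   # assumed output location

function Get-ServiceKeyReport {
    param([string[]]$Names = $ExpectedServices)
    foreach ($name in $Names) {
        $keyPath   = Join-Path $BaseKey $name
        $keyExists = Test-Path $keyPath
        $svc       = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status    = if ($svc) { [string]$svc.Status } else { 'not registered' }
        $owner = $null; $rules = $null; $imagePath = $null; $start = $null
        if ($keyExists) {
            $acl   = Get-Acl -Path $keyPath
            $owner = $acl.Owner
            # One string per ACE: identity, registry rights, allow/deny
            $rules = ($acl.Access | ForEach-Object {
                '{0}:{1}:{2}' -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType
            }) -join '; '
            $props     = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
            $imagePath = $props.ImagePath
            $start     = $props.Start
        }
        New-Object PSObject -Property @{
            Service     = $name
            KeyExists   = $keyExists
            InSCM       = ($svc -ne $null)
            Status      = $status
            Start       = $start
            ImagePath   = $imagePath
            Owner       = $owner
            AccessRules = $rules
        }
    }
}

function Save-ServiceKeySnapshot {
    param([string]$Label)
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $report = Get-ServiceKeyReport
    $report | Select-Object Service, KeyExists, InSCM, Status, Start, ImagePath, Owner, AccessRules |
        Export-Csv -Path (Join-Path $SnapshotDir "$Label.csv") -NoTypeInformation
    foreach ($row in $report) {
        if ($row.KeyExists) {
            # reg.exe export writes a .reg file that can be merged back if the key is removed again
            $regFile = Join-Path $SnapshotDir ('{0}-{1}.reg' -f $Label, $row.Service)
            & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$($row.Service)" $regFile /y | Out-Null
        }
    }
    $report
}

function Compare-ServiceKeySnapshots {
    param([string]$BeforeCsv, [string]$AfterCsv)
    $before = Import-Csv $BeforeCsv
    $after  = Import-Csv $AfterCsv
    foreach ($b in $before) {
        $a = $after | Where-Object { $_.Service -eq $b.Service }
        foreach ($field in 'KeyExists', 'InSCM', 'Status', 'Start', 'ImagePath', 'Owner', 'AccessRules') {
            if ($a.$field -ne $b.$field) {
                New-Object PSObject -Property @{
                    Service = $b.Service; Field = $field; Before = $b.$field; After = $a.$field
                }
            }
        }
    }
}

# Usage: snapshot before the reboot, snapshot after it, then diff the two CSVs.
# A service whose KeyExists flips True -> False, or whose Owner/AccessRules change,
# is the one being removed or retuned on startup.
Save-ServiceKeySnapshot -Label 'before' | Format-Table Service, KeyExists, InSCM, Status, Owner -AutoSize
# After rebooting:
# Save-ServiceKeySnapshot -Label 'after' | Format-Table Service, KeyExists, InSCM, Status, Owner -AutoSize
# Compare-ServiceKeySnapshots (Join-Path $SnapshotDir 'before.csv') (Join-Path $SnapshotDir 'after.csv')
```

The diff output is what makes the "looping problem" in the thread concrete: if the "after" snapshot shows the bits key missing while the .reg export from "before" is intact, the export gives a clean copy to merge back, and a changed Owner or AccessRules on a key that did survive points at the permission problem behind the 0x80070005 (access denied) result from regsvr32.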

- Collapse -
ZeroAccess. Sad to read that one.

The variant I encountered was not removable without doing some deep OS damage beyond what it had done already.

If tools don't remove it, and the usual repairs fail, we reinstall the OS if we are to avoid a call to Microsoft and their fees.
Bob

- Collapse -
PS. I made an assumption

That you are also reading other discussions about ZeroAccess. So far it appears to be quite nasty and the thread I'm following has not resulted in the OS being repaired. Many of the discussions end with "I reinstalled the OS."
Bob

- Collapse -
Fffff...

Update of things I've tried since this post:

I ran this program: http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

Merged these registry keys: http://www.blackviper.com/downloads/Win7/Registry_Files/Default_W7_Home_Premium_64_SP1_Start_v100.zip?7501a5

Eset online scanner found the following:
http://i840.photobucket.com/albums/zz328/PictureAccountPhotos/eset.png

I chose the option to delete it.

Windows Update and BITS services are still missing. BITS and wuauserv look like this after my last restart:
http://i840.photobucket.com/albums/zz328/PictureAccountPhotos/bits.png
http://i840.photobucket.com/albums/zz328/PictureAccountPhotos/wuauserv.png

- Collapse -
I read this but

I can't impress upon you how nasty these things are getting and the damage is never a sure thing to repair.

You've tried the usual and pretty much what I did just a few weeks ago. I posted about it in the CNET Spyware forum too. My time was limited on how much time I could spend on ZeroAccess but I came away a little wiser and hoping that a good cure will show up soon.

Are you under the impression that Windows can always be repaired? If so, call Microsoft and let them try.
Bob

- Collapse -
Still Trying

I don't like to give up; I can afford to spend as much time on this as required. I know there are some situations where there just isn't a solution without an OS reinstall, but I won't visit this option until I've exhausted all others.

I'd rather spend time figuring out how this can be fixed (if it can be) and exploring this new territory to learn rather than giving up and spending it redoing all my program settings, because that's just a downright tedious bore. I won't end up calling Microsoft, though; I'd rather do a recovery if it comes to it.

While this is my main computer, I can live without it for the duration that it takes to resolve this. (Worried my keystrokes could be logged and sent to someone) I have a laptop right beside me that has all the same stuff on it, almost like an exact copy of this machine (except without the issues, since I never visited the website that created the problem).

I've got another thread running in another forum now, hopefully I'll get some more things to try out.

Thanks for the effort.

- Collapse -
Since you do want to keep trying ...

you might want to give RogueKiller a shot:
http://www.sur-la-toile.com/RogueKiller/

If your French is not sufficient, TechRepublic recently had a write-up on it. I think you can view it without registering, but if not, registration is free:
http://www.techrepublic.com/blog/itdojo/roguekiller-scans-systems-for-rootkits-registry-issues-and-more/3603?tag=nl.e101

Do be CAREFUL what you are deleting - "RogueKiller is not a tool that anyone can fire up and start pointing and clicking their way to a healthy PC. You need to use common sense when using RogueKiller; if you don't, you could delete a Registry entry that shouldn't be deleted."

- Collapse -
Thanks, but no need
- Collapse -
They are excellent on malware there.

Here I find we deal OK with common issues. But if you post about a pest, many times Mods will defer to specialty sites like that.

Grif's post about tools is usually enough for the usual pests but I'm seeing a new class of malware that is doing deeper damage.
Bob
