Cannot remove registry entries
Dehcbad25
February 15th, 2005, 19:09 PM
I am cleaning a computer from spyware, and there are a couple of entries that won't remove. I tried deleting manually, using a boot PE disk, and I have had no luck. How can I get rid of those?
The entries are HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\TTOOL_UNINSTALL
HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\WinTools
HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\WinTools_ESIES
This is driving me nuts. When I try to delete them it says error 5, access denied. If Spybot tries, it cannot, even on reboot. If MS antispyware tries, it freezes.
Suggestions?
Reverend
February 15th, 2005, 19:18 PM
Try the solution here
http://www.pchell.com/support/wintools.shtml
Dehcbad25
February 15th, 2005, 22:10 PM
Did not work
Hijackthis didn't even see it. Plus, there is no RunServices in the registry under HKLM, or even in the rest of the registry. These registry entries are a pain :p
zipp51
February 15th, 2005, 23:04 PM
Hey Dehcbad, did you try setting your permissions before deleting the entry? Just a thought. :D
Dehcbad25
February 16th, 2005, 04:41 AM
Well, I actually did think about something like that, just... set what permissions and where? :confused:
I am logged in as admin, and the whole software hive is a file, so why can I delete some and not others?? More :confused:
cash_site
February 16th, 2005, 23:42 PM
have you tried safe mode?
Dehcbad25
February 17th, 2005, 02:37 AM
Of course :D That was the very first thing I tried. If I can't find a way to remove those entries by tomorrow I will have to format/reinstall the PC :(
Curio
February 17th, 2005, 22:26 PM
Right click the key and you will see a permissions bit, I'm in BartPE at the moment so can't check exactly what it says. If you have a BartPE disk use the regeditPE utility to open and edit the machine's registry (BartPE is a bootable 'Live' windows CD). You can also open the registry in a different mode by scripting but that shouldn't be necessary.
rik
February 18th, 2005, 02:49 AM
Are you sure that these don't have Services running in the background or maybe are in Startup?
Not trying to insult your intelligence...
Dehcbad25
February 18th, 2005, 05:01 AM
I used a miniBartPE, and I did try the regeditPE too.
I did try again using the CD. RegeditPE gives me the following error when I try to delete: "Cannot delete WinTools_ESIES: Error while deleting key"
And if I try to open it, it says "Cannot open WinTools_ESIES: Error while opening key"
The only registry tool that I could use to see the contents is Registry File Viewer, but this one doesn't have the option to delete keys.
@rik Don't worry about insulting my intelligence. There is nothing left of that to be insulted :p
Reminders are always good. You can't imagine how many times something seemed so difficult and then suddenly I (or someone else) realized that I had overlooked a very simple thing. This time it is not the case, unfortunately. There are no extra services running. None of the programs related to that spyware run either. I tried in safe mode and through the live CD too.
Curio
February 18th, 2005, 21:31 PM
If you cannot open it in Bart it means that permissions are set against the SYSTEM user, as you run as SYSTEM in Bart. R-click the key in regedit (in Windows as administrator) and select Permissions; you should be able to take ownership then delete the key, or at worst set permissions so nothing can open it - this works as an inoculation, as nothing can use or re-write the key.
Your posts are a little confusing though - you can use regedit, it just gives you an error right?
Dehcbad25
February 20th, 2005, 15:21 PM
Yes, it gave me an error in regedit.
I think I found the problem. It seems that the owner of the key no longer exists on the computer. There was no owner, and it wouldn't allow me to add users either. The only thing I could do was to take ownership. After taking ownership of each key (I assigned ownership to "administrators") I restarted, and I could see the permissions set. There was a user that had only a hash, beside the usual users (SYSTEM, Administrators). That is why I was thinking that user could have also been the owner previously.
Though, this confuses me a little. Isn't it supposed to pass the ownership to administrators if you delete the user?
Anyhow, I could delete the entries, and finally I cleaned the spyware out of the computer.
I forgot that the registry can have permissions per key :p. I looked at the file permissions (NTFS), but I didn't look at the key permissions until you put "R-click key in regedit" :p
Thanks
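Curio's procedure (take ownership, then fix or delete the key) and the orphaned-SID situation Dehcbad25 found can be done without the regedit dialog. The script below is an added example written for this thread, not something any poster ran and not a tool from the linked pchell page. It assumes an elevated PowerShell prompt on a current Windows build, a placeholder key name EXAMPLE_ORPHANED_KEY under the same Uninstall branch the thread's keys lived in (substitute the real key), and that the key's DACL denies the administrator every right, which is why it enables SeTakeOwnershipPrivilege by P/Invoke and writes a security descriptor that carries only the new owner before it can even read the ACL. It also reports every ACE whose SID no longer resolves to an account (the bare "S-1-5-21-..." entry the thread describes), strips those ACEs, grants BUILTIN\Administrators full control, recurses into subkeys, and deletes the key only when run with -Remove.

```powershell
# Added example for the thread above, not from the original post or any poster.
# Run from an elevated PowerShell prompt. $SubKey is a placeholder; replace it with the real key.
param(
    [string]$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EXAMPLE_ORPHANED_KEY',  # placeholder
    [switch]$Remove
)

# WRITE_OWNER on a key whose DACL denies us everything is only granted when
# SeTakeOwnershipPrivilege is enabled in the token; an elevated admin holds it but it starts disabled.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TOKEN_PRIVILEGES { public uint Count; public long Luid; public uint Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool LookupPrivilegeValue(string host, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES state,
                                             uint len, IntPtr prev, IntPtr ret);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    public static bool Enable(string name) {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok)) return false; // TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
        var tp = new TOKEN_PRIVILEGES { Count = 1, Attr = 2 };                    // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
        return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;                               // 0 = all privileges assigned
    }
}
"@

$hive   = [Microsoft.Win32.Registry]::LocalMachine
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'   # BUILTIN\Administrators

# A SID that no longer maps to an account name is what regedit shows as a bare S-1-5-21-... entry:
# the account was deleted (or never existed on this machine), so no one can be asked to grant access.
function Test-OrphanedSid([System.Security.Principal.IdentityReference]$Id) {
    try   { $null = $Id.Translate([System.Security.Principal.NTAccount]); return $false }
    catch [System.Security.Principal.IdentityNotMappedException] { return $true }
}

function Repair-KeyAccess([string]$Path) {
    # Step 1: take ownership. Open for WRITE_OWNER only and persist a descriptor holding just the owner;
    # SetAccessControl writes only the sections that were modified, so the unreadable DACL is not touched.
    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Cannot enable SeTakeOwnershipPrivilege' }
    $key = $hive.OpenSubKey($Path, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
                            [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { throw "HKLM\$Path does not exist" }
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admins)
    $key.SetAccessControl($sec)
    $key.Close()

    # Step 2: the owner is implicitly allowed READ_CONTROL and WRITE_DAC, so now the DACL can be read and fixed.
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
              [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = $hive.OpenSubKey($Path, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $rights)
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($ace in $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if (Test-OrphanedSid $ace.IdentityReference) {
            Write-Host "HKLM\$Path : removing orphaned ACE $($ace.IdentityReference) $($ace.AccessControlType) $($ace.RegistryRights)"
            $null = $sec.RemoveAccessRule($ace)
        }
    }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $sec.SetAccessRule($rule)          # replaces any existing Administrators ACEs with full control
    $key.SetAccessControl($sec)
    $key.Close()

    # Step 3: subkeys can carry their own locked DACLs, which would make the later delete fail half-way.
    $key = $hive.OpenSubKey($Path)
    foreach ($child in $key.GetSubKeyNames()) { Repair-KeyAccess "$Path\$child" }
    $key.Close()
}

Repair-KeyAccess $SubKey
if ($Remove) {
    $hive.DeleteSubKeyTree($SubKey)
    Write-Host "Deleted HKLM\$SubKey"
} else {
    Write-Host "Ownership and DACL repaired on HKLM\$SubKey; rerun with -Remove to delete it"
}
```

Run it once without -Remove to see which orphaned ACEs it finds before anything is deleted. The script only reassigns ownership to Administrators and never adds a Deny ACE; Curio's "inoculation" variant (denying everyone access) is the same mechanism the spyware used to protect its keys, so if you choose it, record which keys you locked, or the next person cleaning the machine will hit exactly the error 5 this thread started with.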
Curio
March 3rd, 2005, 21:54 PM
If the owner is deleted then the SID would be left - something like S-1-5-21. I think a # was probably set purposely by the malicious software to prevent you from removing it.
egghead
March 4th, 2005, 00:13 AM
I think a # was probably set purposely by the malicious software to prevent you from removing it.
If that's the case, the average computer user will be stuck in a big way as this level of control is reserved for administrators and not for ad-aware and spybot etc.....
Dehcbad25
March 8th, 2005, 13:43 PM
It was quite painful. After I added an owner I could see the security settings, with the accounts and the SID. That is why I know it was either a temp account, or the account was deleted, but deleting the account just rolls the permissions over to the administrators group (if it is a user account).
Anyhow, it was a good experience. I never had to touch the security settings in the registry, though I knew how to access them. That is why I forgot where they were :p
I will probably check that very quickly next time something like this happens ;)