
Thread: Cannot remove registry entries

  1. #1
    Dehcbad25 (Succeded in braking Windo, TZ Veteran; joined Apr 2002; DE - USA; 2,406 posts)

    Cannot remove registry entries

    I am cleaning a computer from Spyware, and there are a couple of entries that won't remove. I tried deleting manually, using a boot PE disk, and I have no luck. How can I get rid of those?
    The entries are HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\TTOOL_UNINSTALL
    HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\WinTools
    HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\WinTools_ESIES
    This is driving me nuts. When I try to delete them it says error 5, access denied. If Spybot tries it cannot, even on reboot. If MS antispyware tries it freezes.
    Suggestions?

  2. #2
    Reverend (Head Honcho, Administrator; joined Apr 2002; England; 14,045 posts)

    =========== Please Read The Forum Rules ===========

  3. #3
    Dehcbad25 (Succeded in braking Windo, TZ Veteran; joined Apr 2002; DE - USA; 2,406 posts)
    Did not work
    HijackThis didn't even see it. Plus, there is no RunServices in the registry under HKLM, or even in the rest of the registry. These registry entries are a pain.

  4. #4
    zipp51 (Near Life Experienced, TZ Veteran; joined Oct 2002; Massachusetts; 1,114 posts)
    Hey Dehcbad, did you try setting your permissions before deleting the entry? Just a thought.

  5. #5
    Dehcbad25 (Succeded in braking Windo, TZ Veteran; joined Apr 2002; DE - USA; 2,406 posts)
    Well, I actually did think about something like that, just... set what permissions, and where?
    I am logged in as admin, and the whole software hive is a file, so why can I delete some keys and not others??

  6. #6
    cash_site (Security Intelligence, TZ Veteran; joined Jul 2002; Software Paradise; 3,852 posts)
    Have you tried safe mode?

  7. #7
    Dehcbad25 (Succeded in braking Windo, TZ Veteran; joined Apr 2002; DE - USA; 2,406 posts)
    Of course. That was the very first thing I tried. If I can't find a way to remove those entries by tomorrow I will have to format/reinstall the PC.

  8. #8
    Curio (Triple Platinum Member; joined Nov 2004; London; 899 posts)

    registry - oom cha.

    Right-click the key and you will see a permissions bit; I'm in BartPE at the moment so can't check exactly what it says. If you have a BartPE disk, use the regeditPE utility to open and edit the machine's registry (BartPE is a bootable 'Live' Windows CD). You can also open the registry in a different mode by scripting, but that shouldn't be necessary.

  9. #9
    rik (Old and Cranky, Super Moderator; joined Aug 2003; Watching Your every move...; 4,688 posts)
    Are you sure that these don't have Services running in the background or maybe are in Startup?

    Not trying to insult your intelligence...

  10. #10
    Dehcbad25 (Succeded in braking Windo, TZ Veteran; joined Apr 2002; DE - USA; 2,406 posts)
    I used a miniBartPE, and I did try the regeditPE too.
    I did try again using the CD. RegeditPE gives me the following error when I try to delete: "Cannot delete WinTools_ESIES: Error while deleting key".
    And if I try to open it, it says "Cannot open WinTools_ESIES: Error while opening key".
    The only registry tool I could use to see the contents is Registry File Viewer, but this one doesn't have the option to delete keys.
    @rik Don't worry about insulting my intelligence. There is nothing left of that to be insulted.
    Reminders are always good. You can't imagine how many times something seemed so difficult and then suddenly I (or someone else) realized that I had overlooked a very simple thing. This time, unfortunately, that is not the case. There are no extra services running. None of the programs related to that spyware run either. I tried in safe mode and through the live CD too.

  11. #11
    Curio (Triple Platinum Member; joined Nov 2004; London; 899 posts)
    If you cannot open it in Bart, it means that permissions are set against the SYSTEM user, as you run as SYSTEM in Bart. Right-click the key in regedit (in Windows, as administrator) and select Permissions; you should be able to take ownership and then delete the key, or at worst set permissions so nothing can open it. That works as an inoculation, as nothing can use or rewrite the key.
    Your posts are a little confusing though: you can use regedit, it just gives you an error, right?

  12. #12
    Dehcbad25 (Succeded in braking Windo, TZ Veteran; joined Apr 2002; DE - USA; 2,406 posts)
    Yes, it gave me an error in regedit.
    I think I found the problem. It seems that the owner of the key no longer exists on the computer. There was no owner, and it wouldn't allow me to add users either. The only thing I could do was take ownership. After taking ownership of each key (I assigned ownership to "Administrators") I restarted, and I could see the permissions set. There was a user that had only a hash, beside the usual users (SYSTEM, Administrators). That is why I was thinking that user could also have been the owner previously.
    Though, this confuses me a little. Isn't it supposed to pass the ownership to Administrators if you delete the user?
    Anyhow, I could delete the entries, and finally I cleaned the spyware out of the computer.
    I forgot that the registry can have permissions per key. I looked at the file permissions (NTFS), but I didn't look at the key permissions until you wrote "R-click key in regedit".

    Thanks

  13. #13
    Curio (Triple Platinum Member; joined Nov 2004; London; 899 posts)
    If the owner is deleted then the SID would be left, something like S-1-5-21... I think a # was probably set purposely by the malicious software to prevent you from removing it.

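The audit Curio and Dehcbad25 arrive at above (keys that refuse to open, and owners or ACE principals that are bare SIDs with no matching account) can be scripted. The following is an added example written for this thread, not code posted by anyone in it; it assumes an elevated PowerShell session on the affected machine, and the function and parameter names are mine.

```powershell
# Added example (not from the thread): audit the HKLM Uninstall subkeys for the
# symptom discussed above - keys whose ACL cannot be read at all, or whose owner
# or ACE principals are orphaned SIDs that no longer resolve to an account.
# Run from an elevated PowerShell session. Function/parameter names are my own.
Set-StrictMode -Version Latest

function Test-OrphanedSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # A SID that cannot be translated to an NT account is orphaned: a deleted or
    # temporary user, or a SID planted by an installer. Well-known SIDs such as
    # SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) translate fine.
    try { $null = $Sid.Translate([System.Security.Principal.NTAccount]); return $false }
    catch { return $true }
}

function Get-SuspectUninstallKeys {
    param([string]$Base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
    # Enumerate subkey names through the parent so a key we cannot open is still listed.
    foreach ($name in (Get-Item -Path $Base).GetSubKeyNames()) {
        $path = Join-Path -Path $Base -ChildPath $name
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            # READ_CONTROL refused: the "Error while opening key" case. Ownership has
            # to be taken first (regedit: Permissions > Advanced > Owner) before the
            # DACL can even be inspected from a normal admin session.
            [pscustomobject]@{ Key = $name; Problem = 'ACL unreadable'; Principal = $null }
            continue
        }
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        if (Test-OrphanedSid $owner) {
            [pscustomobject]@{ Key = $name; Problem = 'Orphaned owner'; Principal = $owner.Value }
        }
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if (Test-OrphanedSid $ace.IdentityReference) {
                [pscustomobject]@{ Key = $name; Problem = "Orphaned $($ace.AccessControlType) ACE"; Principal = $ace.IdentityReference.Value }
            }
        }
    }
}

Get-SuspectUninstallKeys | Format-Table -AutoSize
```

Keys flagged as "ACL unreadable" are the ones that reproduce the thread's symptom; after taking ownership in regedit, re-running the audit shows which leftover SIDs are still in the DACL before the key is deleted.
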
  14. #14
    egghead (Precision Processor, Super Moderator; joined May 2002; In Your Monitor; 3,546 posts)
    Quote Originally Posted by Curio
    I think a # was probably set purposely by the malicious software to prevent you from removing it.
    If that's the case, the average computer user will be stuck in a big way, as this level of control is reserved for administrators and not for Ad-Aware and Spybot etc.....

  15. #15
    Dehcbad25 (Succeded in braking Windo, TZ Veteran; joined Apr 2002; DE - USA; 2,406 posts)
    It was quite painful. After I added an owner I could see the security settings, with the accounts and the SID. That is why I know it was either a temp account, or the account was deleted, but deleting the account just rolls the permissions over to the Administrators group (if it is a user account).
    Anyhow, it was a good experience. I never had to touch the security settings in the registry, though I knew how to access them. That is why I forgot where they were.
    I will probably check that very quickly next time something like this happens.
