Old February 15th, 2005, 20:09 PM   #1
Dehcbad25
Cannot remove registry entries

I am cleaning a computer from Spyware, and there are a couple of entries that won't remove. I tried deleting manually, using a boot PE disk, and I have no luck. How can I get rid of those?
the entries are HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\TTOOL_UNINSTALL
HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\WinTools
HKLM\Software\Microsoft\windows\currentcontrolset\uninstall\WinTools_ESIES
This is driving me nuts. When I try to delete them it says error 5, access denied. If Spybot tries it cannot, even on reboot. If MS antispyware tries it freezes.
Suggestions?
Old February 15th, 2005, 20:18 PM   #2
Reverend
Try the solution here

http://www.pchell.com/support/wintools.shtml
Old February 15th, 2005, 23:10 PM   #3
Dehcbad25
Did not work
Hijackthis didn't even see it. Plus, there is no RunServices in the registry under HKLM, or even in the rest of the registry. These registry entries are a pain.
Old February 16th, 2005, 00:04 AM   #4
zipp51
Hey Dehcbad, did you try setting your permissions before deleting the entry? Just a thought.
Old February 16th, 2005, 05:41 AM   #5
Dehcbad25
Well, I actually did think about something like that, just... set what permissions, and where?
I am logged in as admin, and the whole Software hive is a file, so why can I delete some keys and not others?
Old February 17th, 2005, 00:42 AM   #6
cash_site
Have you tried safe mode?
Old February 17th, 2005, 03:37 AM   #7
Dehcbad25
Of course. That was the very first thing I tried. If I can't find a way to remove those entries by tomorrow, I will have to format/reinstall the PC.
Old February 17th, 2005, 23:26 PM   #8
Curio
registry - oom cha.

Right click the key and you will see a permissions bit, I'm in BartPE at the moment so can't check exactly what it says. If you have a BartPE disk use the regeditPE utility to open and edit the machine's registry (BartPE is a bootable 'Live' windows CD). You can also open the registry in a different mode by scripting but that shouldn't be necessary.
Old February 18th, 2005, 03:49 AM   #9
rik
Are you sure that these don't have Services running in the background or maybe are in Startup?

Not trying to insult your intelligence...
Old February 18th, 2005, 06:01 AM   #10
Dehcbad25
I used a miniBartPE, and I did try the regeditPE too.
I did try again using the CD. RegeditPE gives me the following error when I try to delete: "Cannot delete WinTools_ESIES: Error while deleting key"
And if I try to open it, it says "Cannot open WinTools_ESIES: Error while opening key"
The only registry tool that I could use to see the contents is Registry File Viewer, but this one doesn't have the option to delete keys.
@rik Don't worry about insulting my intelligence. There is nothing left of that to be insulted.
Reminders are always good. You can't imagine how many times something seemed so difficult and then suddenly I realize (or someone else does) that I overlooked a very simple thing. This time, that is not the case, unfortunately. There are no extra services running. None of the programs related to that spyware run either. I tried in safe mode and through the live CD too.
Old February 18th, 2005, 22:31 PM   #11
Curio
If you cannot open it in Bart, it means that permissions are set against the SYSTEM user, as you run as SYSTEM in Bart. R-click the key in regedit (in Windows, as administrator) and select Permissions; you should be able to take ownership and then delete the key, or at worst set permissions so nothing can open it - that works as an inoculation, as nothing can use or re-write the key.
Your posts are a little confusing though - you can use regedit, it just gives you an error, right?
Old February 20th, 2005, 16:21 PM   #12
Dehcbad25
Yes, it gave me an error in regedit.
I think I found the problem. It seems that the owner of the key no longer exists on the computer. There was no owner, and it wouldn't allow me to add users either. The only thing I could do was take ownership. After taking ownership of each key (I assigned ownership to "Administrators") I restarted, and I could see the permissions set. There was a user that had only a hash, beside the usual users (SYSTEM, Administrators). That is why I was thinking that user could have been the owner previously.
Though, this confuses me a little. Isn't it supposed to pass the ownership to Administrators if you delete the user?
Anyhow, I could delete the entries, and finally I cleaned the spyware out of the computer.
I forgot that the registry can have permissions per key. I looked at the file permissions (NTFS), but I didn't look at the key permissions until you put
Quote:
R-click key in regedit

Thanks
Old March 3rd, 2005, 22:54 PM   #13
Curio
If the owner is deleted then the SID would be left - something like S-1-5-21... I think a # was probably set purposely by the malicious software to prevent you from removing it.
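The procedure Curio describes in #11 and Dehcbad25 carried out in #12 (take ownership of the key, then fix its permissions, then delete), together with the orphaned-SID point from #13, as an added PowerShell example. This is not code from the thread or from any tool it mentions. It assumes an elevated prompt on a current Windows with .NET available; the function name Remove-LockedRegistryKey, the TokenPriv helper and the target path are my own constructions, with WinTools_ESIES (the key name from the thread) placed under the standard CurrentVersion\Uninstall branch as a placeholder.

```powershell
# Added example (not from the thread): remove a registry key whose owner is an orphaned SID and
# whose DACL locks Administrators out, which is why regedit reports "Access denied" on delete.
# Run from an elevated PowerShell prompt (Run as administrator).

# SeTakeOwnershipPrivilege sits in an administrator's token but is disabled by default. Once enabled,
# the kernel grants WRITE_OWNER on any object regardless of its DACL; this is what regedit's
# Permissions dialog does when you "take ownership" of a key you otherwise cannot even read.
$tokenPrivSource = @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string privilege) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0020 | 0x0008, out token)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        try {
            LUID luid;
            if (!LookupPrivilegeValue(null, privilege, out luid)) return false;
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Luid = luid, Attributes = 0x2 }; // SE_PRIVILEGE_ENABLED
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() == 0; // 1300 = ERROR_NOT_ALL_ASSIGNED: the token does not hold this privilege
        } finally { CloseHandle(token); }
    }
}
'@
if (-not ('TokenPriv' -as [type])) { Add-Type -TypeDefinition $tokenPrivSource }

function Remove-LockedRegistryKey {
    param([Parameter(Mandatory)][string]$SubKey)   # path relative to HKLM, e.g. 'SOFTWARE\Vendor\Key'
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $admins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
        throw 'Could not enable SeTakeOwnershipPrivilege; start PowerShell elevated.'
    }

    # Step 1: open for WRITE_OWNER only and write a new owner. Nothing else on the key is readable
    # yet, so build a fresh RegistrySecurity carrying just the owner rather than reading the current one.
    $key = $hklm.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { throw "HKLM\$SubKey does not exist" }
    try {
        $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
        $ownerOnly.SetOwner($admins)
        $key.SetAccessControl($ownerOnly)
    } finally { $key.Close() }

    # Step 2: the owner implicitly holds READ_CONTROL and WRITE_DAC, so the ACL is now visible and editable.
    $key = $hklm.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
                            [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    try {
        $acl = $key.GetAccessControl()
        foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            # A SID that no longer maps to an account is what regedit shows as a bare S-1-5-21-... entry.
            try   { $who = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch [System.Security.Principal.IdentityNotMappedException] { $who = "$($rule.IdentityReference.Value) (orphaned SID)" }
            Write-Host ("  {0,-6} {1,-45} {2}" -f $rule.AccessControlType, $who, $rule.RegistryRights)
        }
        # Deny ACEs win over Allow, so drop explicit denies before granting Administrators Full Control.
        $denies = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
                    Where-Object { $_.AccessControlType -eq 'Deny' })
        foreach ($d in $denies) { [void]$acl.RemoveAccessRule($d) }
        $acl.SetAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $admins, [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)))
        $key.SetAccessControl($acl)
    } finally { $key.Close() }

    # Step 3: with Full Control in place, the delete that previously failed with "error 5, access denied" succeeds.
    # Subkeys carrying their own locked DACL would need the same treatment before this call.
    $hklm.DeleteSubKeyTree($SubKey)
    Write-Host "Deleted HKLM\$SubKey"
}

# Placeholder target: the key name from the thread under the standard Uninstall branch. Adjust as needed.
Remove-LockedRegistryKey -SubKey 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES'
```

The three steps mirror what happened in the thread: the first open asks for WRITE_OWNER and nothing else, because a key with an orphaned owner and no Administrators ACE refuses even READ_CONTROL (hence regedit showing "no owner" and refusing to add users); only after ownership passes to Administrators can the ACL be read, which is when the bare SID entry becomes visible.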
Old March 4th, 2005, 01:13 AM   #14
egghead
Quote:
Originally Posted by Curio
I think a # was probably set purposely by the malicious software to prevent you from removing it.
If that's the case, the average computer user will be stuck in a big way as this level of control is reserved for administrators and not for ad-aware and spybot etc.....
Old March 8th, 2005, 14:43 PM   #15
Dehcbad25
It was quite painful. After I added an owner I could see the security settings, with the accounts and the SID. That is why I know it was either a temp account, or the account was deleted; but deleting the account just rolls the permissions over to the Administrators group (if it is a user account).
Anyhow, it was a good experience. I never had to touch the security settings in the registry, though I knew how to access them. That is why I forgot where they were.
I will probably check that very quickly next time something like this happens.