Kelly or other regedit gurus

  • Thread starter: cegee

cegee

Hi,

Some recent postings on Altnet spyware have brought up a problem I
have been dealing with. I have an Altnet registry key with subkeys
that I am unable to delete. Both Adaware and Spybot were unable to
delete as well.

I did some googling and came up with this.

begin quote----------------------

Try this: Right click the registry key of the offending key (Altnet)
then select "Permissions". In the "Advanced Tab", select your User
Account name then check the box to replace owner. Click OK. Next, in
the "Security" tab, select your User Account name then select the box
for full control. Click OK. Try deleting the offending keys now and it
should be gone.

Note: Prior to doing the above, please back up your registry.
end quote---------------------------------------------------

The only problem is that when trying to set my account as owner,
regedit reports that it is unable to do so. I did manage to find one
other case where someone just went into the other account on their
machine and ran regedit and managed to delete it but there are five
accounts on this home machine, all password protected. I would prefer
it if there were some way of doing it within my own account and cannot
figure out why it is that Altnet has made it impossible to reset the
ownership. Annoying damn spyware!!!

So is there any way of doing this?

Thanks,
Ceegee
 
Your quote applies to XP Pro.
Boot to the Administrator account in Safe Mode.
Thanks Ron. I didn't realize the instructions were for XP Pro. I am
running XP Home. Going into the Administrator account in Safe Mode
however, had no effect on my ability to delete the key. It still
remains undeletable but thanks for the heads up.

Ceegee
 
You should be able to run AD Aware and Spybot in Safe Mode. They "should"
be able to now remove the file.

Or you could always try Microsoft AntiSpyware Beta.
 
Thanks,

Sorry for my long absence from the thread. I basically have solved the
problem but not in any way I would have liked or could recommend. My
hard drive crashed shortly after writing my last message and the
registry with its offending entry along with everything else on the
drive was toast. <sigh> Two weeks for the manufacturer to ship a hard
drive to honor their warranty. Not happy.

So although my problem is solved in a way, I am still left with the
question of isn't there an easier way of deleting a spyware registry
entry that has deemed itself owned by we are not sure whom on a multi
user XP home system?

There doesn't seem to be short of going into each user's login and
trying to delete it from there. A regular PITA on a system with 5
users.

Thank you everyone for your kind help.

Ceegee
 
The "true" Administrator account "should" allow you ULTIMATE control on
deleting the file. This account should be available in "Safe Mode".

The other way is to "Not get spyware to install" onto your system.
SpywareBlaster helps by blocking spyware from installing themselves, from
"known web sites" (????).


 
The "true" Administrator account "should" allow you ULTIMATE control on
deleting the file. This account should be available in "Safe Mode".
I did this, Yves, and even in the Administrator account in Safe Mode,
this sucker would not delete. Someone else suggested running Adaware
and Spybot Search and Destroy in Safe Mode. While I have both of
these, if regedit itself could not get rid of this in Safe Mode, I'm
not sure that these could either and it's too late to try.
The other way is to "Not get spyware to install" onto your system.
SpywareBlaster helps by blocking spyware from installing themselves, from
"known web sites" (????).
I agree with the above statement. I was running Spywareblaster as well
as the immunize function of Spybot, Spyware Guard, and a Host file all
of which are resident and try to prevent spyware. The damn stuff is
just getting too clever for words!!! If it was just me on this
computer, I probably wouldn't have too many spyware problems. My
children bring them home for me :-)

ceegee
 
In a way. But what you need to keep in mind is that registry entries are
either entered via HKLM - meaning Local Machine (system wide) or HKCU -
meaning Current User (per user). That said, all cleaners should be run
under both.

And if you are keen to reading the cleaner keys, they will be noted as to
which area of the system/registry the troublesome keys are located. Thus
can be removed manually. Without getting into more, and not knowing the
extent of what you want to do or understand, nor the cleaners you are
trusting........

--
All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com


 
Hi Kelly,

Thank you for joining the thread, Kelly.
In a way. But what you need to keep in mind is that registry entries are
either entered via HKLM - meaning Local Machine (system wide) or HKCU -
meaning Current User (per user). That said, all cleaners should be run
under both.

Not sure what you mean by cleaners here. Anti-spyware software?
And if you are keen to reading the cleaner keys, they will be noted as to
which area of the system/registry the troublesome keys are located. Thus
can be removed manually. Without getting into more, and not knowing the
extent of what you want to do or understand, nor the cleaners you are
trusting........

I will admit that the registry is tabula rasa to me but I am trying to
understand as much as I can to deal with the problem should I run into
it again.

Can you confirm that the technique of taking ownership of the key is
available only within XP Pro? From within the Permissions/Advanced or
some other area of regedit is there at least some area where it is at
least possible to see which account owns a particular key?

Spyware seems to be getting tougher and tougher for the average
person, even one who uses a lot of anti spyware cleaners, to get rid
of. Adaware claimed it was deleting this key but you could run it
again right away and there it would be. Spybot at least was more
honest. It would say it needed to reboot in order to get rid of it.
When it would run on reboot it would report it still there. And then
you couldn't get rid of it using regedit even in Safe Mode in the
Administrator's Account.

I'm stubborn enough to want to get it off even though I'm not even
sure if it wasn't just an orphan key.

I did try MS beta antispyware prog as I thought the people who
invented the registry ought to be able to deal with a registry entry
problem but, I had one of those rare systems that suffered severe
memory leaks from it and it never completed a scan.

The path to the key was HKEY_LOCAL_MACHINE/SOFTWARE/Altnet.

Thanks.

Ceegee
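
The question in the post above, whether the owner of a key can be seen at all, can be answered from a script. The following is an added example, not part of the original thread: it assumes Windows PowerShell 3.0 or later in an elevated session, and lists the owner and access rules of the key and its subkeys under HKLM and under each loaded user hive (the HKLM/HKCU split mentioned earlier in the thread). `Get-KeyAclReport` is a hypothetical helper name.

```powershell
# Added example, not from the thread. The Altnet path is the one quoted in
# the thread; Get-KeyAclReport is a hypothetical helper name.
param([string]$SubKey = 'SOFTWARE\Altnet')

function Get-KeyAclReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -ErrorAction SilentlyContinue)) { return }
    # Deleting a key means deleting every subkey first, so walk the whole tree.
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        try {
            $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop
        } catch {
            # The account cannot even read the security descriptor of this key.
            [pscustomobject]@{ Key = $key.Name; Owner = '<unreadable>'; Rule = $_.Exception.Message }
            continue
        }
        foreach ($ace in $acl.Access) {
            $inherited = if ($ace.IsInherited) { ' (inherited)' } else { '' }
            [pscustomobject]@{
                Key   = $key.Name
                Owner = $acl.Owner
                Rule  = '{0} {1}: {2}{3}' -f $ace.AccessControlType,
                        $ace.IdentityReference, $ace.RegistryRights, $inherited
            }
        }
    }
}

# Machine-wide copy of the key (HKLM).
$report = @(Get-KeyAclReport -Path "Registry::HKEY_LOCAL_MACHINE\$SubKey")
# Per-user copies: HKEY_USERS holds one hive per account that is currently loaded.
$report += @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-KeyAclReport -Path "Registry::$($_.Name)\$SubKey" })

# Look for Deny entries, or for no Allow entry granting Delete to your account.
$report | Sort-Object Key | Format-Table -AutoSize -Wrap
```

Hives of accounts that are not logged on are not loaded under HKEY_USERS, so their per-user copies do not appear in the report.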
 
Most welcome.

If you are wanting to understand more, do not ever rely on an anti-virus
program, ever. Ownership of a key has nothing to do with this. Point
blank:

Run these three:

Run Ad-Aware SE, Spybot and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update each program, once installed, before running.

While running XP, the above programs are just about fool proof. If you
question an entry, use their forums. Will post it below.

However, the paths can be easily read and dealt with. It takes, at times
having the Windows Explorer/System or System32 folder open, as the Task
Manager to end a process as having the runkey open at the same time to
complete the process. They can replenish before your eyes. This is not
difficult, it just takes understanding.

Browser Hijack and Malware Removal Forums
http://forums.net-integration.net/index.php?c=19

How to obtain the most effective support
http://www.net-integration.net/tools/procedure.html

Spyware, Thiefware, Browser Hijackers, etc. Parasites Forum
http://forums.spywareinfo.com/index.php?s=7dc481729338294fb5d64090b77ef364&showtopic=9882


--
All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
 