Alex Clark
Hi all,
I've just cleared a load of viruses off a friend's laptop but I've got an odd
problem with the registry. There's a reference to one of the infected files
I deleted in there in a couple of different places - one is in HKCR\CLSID,
the other is in
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\, but both are thoroughly locked.
The machine is XP Home, but I can see the security tab. I tried rebooting
into safe mode, but I still cannot delete either of these keys. I tried to
alter the security permissions, take ownership, change effective permissions
etc, it gives me "Access Denied". I used a utility from Microsoft called
"psexec" to launch Regedit under the SYSTEM account to see if I could
override privs that way, but still no luck.
Other keys under the same parent keys will allow me to edit them just fine -
it's just these two keys that are locked out.
My assumption then was that some process was still running that had a lock
on these registry keys. A bit disturbing as that could only be a malicious
process, but a full antivirus scan in both safe mode and normal mode brought
up nothing but a few tracking cookies.
I tried the SysInternals Process Explorer tool to see if I could find any
process which had an open handle to those registry keys. Again, nothing.
So I'm running out of ideas as to why these keys should be locked at all.
I'm a software developer and *I* can't come up with a reasonable
explanation, other than a rootkit - I would actually love to know exactly
how this has been achieved, because it's baffling me!
Thanks,
Alex
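An added diagnostic for the situation described above (not code from the original post): it walks every subkey under the Browser Helper Objects key and reports the owner and any Deny ACEs, so a key that is locked by its DACL shows up either as an explicit Deny entry or as a key whose security descriptor cannot even be read. It assumes PowerShell is installed (it is not present on XP Home by default) and that the shell runs as an administrator; the key path is the one from the post.

```powershell
# Added example, not from the original post. Written for PowerShell 2.0 syntax
# (New-Object PSObject instead of [pscustomobject]) so it can run on older systems.
$bhoPath = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-SubKeyAccessReport {
    param([string]$RelativePath)

    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($RelativePath, $false)
    if ($parent -eq $null) { throw "Cannot open HKLM\$RelativePath" }

    foreach ($name in $parent.GetSubKeyNames()) {
        $row = New-Object PSObject -Property @{
            Key      = $name
            Owner    = '?'
            DenyAces = ''
            Opened   = $false
        }
        try {
            # Open read-only; a key whose DACL denies even READ_CONTROL
            # will fail here, which is itself a useful finding.
            $key = $parent.OpenSubKey($name, $false)
            if ($key -ne $null) {
                $sd = $key.GetAccessControl()
                $row.Opened = $true
                $row.Owner  = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
                $denies = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
                    Where-Object { $_.AccessControlType -eq 'Deny' }
                $row.DenyAces = ($denies | ForEach-Object {
                    "$($_.IdentityReference): $($_.RegistryRights)"
                }) -join '; '
                $key.Close()
            }
        } catch {
            # Leave Opened=$false and Owner='?' to flag the key for manual inspection.
            $row.DenyAces = "ERROR: $($_.Exception.Message)"
        }
        $row
    }
    $parent.Close()
}

Get-SubKeyAccessReport -RelativePath $bhoPath |
    Select-Object Key, Opened, Owner, DenyAces |
    Format-Table -AutoSize
```

A Deny ACE for Everyone or Administrators on DELETE or WRITE_DAC explains "Access Denied" from Regedit even as SYSTEM; a key that cannot be opened at all warrants checking with a tool that works below the Win32 registry API.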