Unable to set new owner

Brian

I am working on removing a very stubborn piece of spyware. I got rid of the
DLL that was at the heart of the problem; however, in attempting to remove
the registry entries that call it, I have the following problem.

In Regedit, when I attempt to delete the registry key (actually, two subkeys
in HKLM\Software\Classes\CLSID...), I get this message:

Cannot delete <registry key name>: Error while deleting key.

Normally, I would next give myself permissions. Well, Administrators (of
whom I am a member) already has Full Control; however, all permission options
are grayed out. When I attempt to make any change, I get this message:

Unable to save permission changes on <registry subkey>. Access is denied.

OK. So the next step is to make myself the owner. Hmmm....I am already the
owner. If I attempt to change the owner to Administrators, I get this
message:

Unable to set new owner on <registry key name>. Access is denied.

I have checked similar registry entries and have no problem editing
permissions or owner.

I am now mystified. What layer of registry security is there beyond that
visible via Regedit/Regedt32? How can I fix this problem?
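
As an added example (not code from this thread), the same three checks Regedit runs through above, done from PowerShell so that each step reports its own result and exception instead of the bare "Access is denied": back the key up, dump the full security descriptor (owner, every ACE including Deny and inherited ones, and the raw SDDL), take ownership, grant Full Control, then delete. The key path and backup file name are hypothetical placeholders; run it from an elevated PowerShell (2.0 or later) prompt.

```powershell
# Added example, not code from the thread. Diagnose and repair a registry
# key that Regedit refuses to delete, one step at a time, so the failing
# step and its real exception are shown. KeyPath and BackupFile are
# hypothetical placeholders.
param(
    [string]$KeyPath    = 'SOFTWARE\Classes\CLSID\{HYPOTHETICAL-CLSID}',  # assumption: replace with the real subkey
    [string]$BackupFile = "$env:TEMP\clsid-key-backup.hiv"               # assumption
)

$root   = [Microsoft.Win32.Registry]::LocalMachine
$perm   = [Microsoft.Win32.RegistryKeyPermissionCheck]
$rights = [System.Security.AccessControl.RegistryRights]
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

function Invoke-Step([string]$Name, [scriptblock]$Action) {
    # Run one step; on failure unwrap the exception PowerShell wraps .NET errors in.
    try {
        & $Action
        Write-Host "[OK]   $Name"
        return $true
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        Write-Host "[FAIL] $Name -> $($e.GetType().Name): $($e.Message)"
        return $false
    }
}

# 1. Save a copy of the key first so the change can be reversed with reg.exe restore.
Invoke-Step "Back up HKLM\$KeyPath to $BackupFile" {
    if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
    $out = & reg.exe save "HKLM\$KeyPath" $BackupFile 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg.exe save failed: $out" }
}

# 2. Show owner, every ACE (Deny and inherited ones included) and the raw SDDL.
#    Regedit's basic dialog hides part of this; the SDDL string does not.
Invoke-Step "Read security descriptor" {
    $k = $root.OpenSubKey($KeyPath, $perm::ReadSubTree, $rights::ReadPermissions)
    if ($k -eq $null) { throw "key not found through the Win32 registry API" }
    $sd = $k.GetAccessControl()
    Write-Host ("  Owner: " + $sd.GetOwner([System.Security.Principal.NTAccount]))
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        Write-Host ("  {0,-5} {1,-35} {2} (inherited={3})" -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights, $ace.IsInherited)
    }
    Write-Host ("  SDDL: " + $sd.GetSecurityDescriptorSddlForm('All'))
    $k.Close()
}

# 3. Take ownership. Only the owner section of a fresh RegistrySecurity is
#    marked modified, so SetAccessControl writes just the owner (needs WRITE_OWNER
#    on the key, or the take-ownership privilege that Administrators hold).
Invoke-Step "Set owner to BUILTIN\Administrators" {
    $k = $root.OpenSubKey($KeyPath, $perm::ReadWriteSubTree, $rights::TakeOwnership)
    $sd = New-Object System.Security.AccessControl.RegistrySecurity
    $sd.SetOwner($admins)
    $k.SetAccessControl($sd)
    $k.Close()
}

# 4. Replace whatever ACE Administrators have with an explicit Full Control allow.
#    ReadPermissions is needed to read the current DACL, ChangePermissions to write it.
Invoke-Step "Grant Administrators Full Control" {
    $k = $root.OpenSubKey($KeyPath, $perm::ReadWriteSubTree, ($rights::ChangePermissions -bor $rights::ReadPermissions))
    $sd = $k.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $sd.SetAccessRule($rule)
    $k.SetAccessControl($sd)
    $k.Close()
}

# 5. Delete the key and everything beneath it.
Invoke-Step "Delete HKLM\$KeyPath" {
    $root.DeleteSubKeyTree($KeyPath)
}
```

The script goes through the same Win32 registry API that Regedit uses, so it is a way to see which of the three operations (read, set owner, change DACL) actually fails and why, not a way around a key the API cannot name: if the key's name carries an embedded null, the kind of entry Tim Meddick describes further down and RegDelNull exists for, the open in step 2 targets a different name and reports the key as not found rather than repairing anything.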

Brian

Thanks for the tip, but it found no null registry entries. I then tried
RootKit Revealer, which found, among other things, but most notably, a
"security mismatch" on a particular WinLogon entry (which, of course, points
to the DLL that started this whole business but which I was able to remove
manually).

Brian

Both.

Malwarebytes' Anti-malware finds the registry entries pointing to the virus
file (which has been removed) but cannot remove the registry entries. When I
attempt to remove them manually, I get the aforementioned security anomalies.
In addition, RootKit Revealer shows a "security mismatch" on the Winlogon
entry that points to the erstwhile virus file.

Tim Meddick

Brian,
Could I ask you how you removed it after Rootkit Revealer found it? I
thought it wouldn't delete. Did RootkitRevealer delete it?

Brian

Long story. The actual file was a DLL in system32. Normally, I can simply
deny access to the file to everyone, then reboot, and the file cannot be
loaded because nobody has rights to it. Then, I give myself access to the
file and delete it, then remove the registry entries that call the
virus/spyware. In this case, though, it would not let me change the security
on the file. My next step would be to boot to the Recovery Console and delete
it via the command line. However, this laptop kept giving me a pci.sys
bluescreen error when attempting to boot to the Windows CD to get to the
Recovery Console.

So, I finally removed the hard drive from the laptop, connected it to
another computer so that I was booting from the drive on the other PC, not the
drive containing the virus, and deleted the file manually via Windows
Explorer.

Once I put the hard drive back into the laptop, the virus does not appear to
be active any longer; however, its original installation evidently did
something very strange to the relevant registry entries (two in CLSID & one
in WinLogon): it shows me as the owner & with full rights but will not allow
me to delete the keys, change ownership, or change any rights.

I have never seen anything like this before. I can usually get rid of these
manually if they elude AntiMalware. And this is my first experience with
RootKit Revealer - I found it as a link related to your earlier link pointing
me to RegDelNull.

This is why I normally insist that all my clients be configured as
non-administrators on their computers and have separate administrator
accounts to be used only when installing devices or software.
Non-administrative users get their spyware in their temporary folders, not
System32. But, some, in their infinite wisdom, just have to have it their
way...

Tim Meddick

I see, a long hard road then! You seem to be quite a resourceful person -
not letting anything get in your way, sort of thing. I have heard that the
way to make a reg key undeletable is to put a 'null' value as the last part
of the entry's name. I also thought that this was how RootKits created
their so-called undeletable reg entries. That is why I made the reference
to the RegDelNull.exe program, which should remove such entries. There were
a few programs that came up on a Google search (for "RootKit and Undeletable
Reg Entries") which included this page with a host of specialized malware
removers on it you might be interested in:

http://wareseeker.com/free-rootkit-cleaner/

This is also a good reason to back up your registry hives on a
regular basis. Win NT-based systems [all] don't have an in-built method for
backing up the registry like Win98 used to do, and you cannot do it manually
from within Windows as the hives are reported as always being in use. I use
a small [free] program called ERUNT.exe (very similar to the MS
application - ERU.exe - that was available for Win98) which you can
configure easily to automate the process to give you a backup of the
registry for, say, every day of the week, with an included method of quickly
restoring the backup (either from within Windows or, if the current registry
is compromised and un-startable, from the Recovery Console).

You can get ERUNT.exe from:

http://www.larshederer.homepage.t-online.de/erunt
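
As an added example (not the thread's code and not ERUNT's), the same daily-rotation idea done with the tools already on the box: reg.exe can write a copy of a loaded hive even though the hive file itself is "in use", and a scheduled task re-runs the script once a day into a folder named after the weekday, so seven generations are kept. The backup folder, task name and script location are assumptions.

```powershell
# Added example, not the thread's or ERUNT's code. Save the main registry
# hives with reg.exe into a per-weekday folder, and optionally register a
# daily scheduled task that runs this script. BackupRoot, ScriptPath and the
# task name are assumptions.
param(
    [string]$BackupRoot = 'C:\RegBackup',                   # assumption
    [string]$ScriptPath = 'C:\RegBackup\Backup-Hives.ps1',  # assumption: where this file is saved
    [switch]$Register                                       # create the scheduled task instead of backing up
)

# Hive key -> file name. The names match the live hive files under
# %SystemRoot%\System32\config, and reg.exe save writes the same hive file
# format, so a saved copy can be put back with a plain copy from the
# Recovery Console when Windows will not start.
$hives = @{
    'HKLM\SYSTEM'   = 'SYSTEM'
    'HKLM\SOFTWARE' = 'SOFTWARE'
    'HKLM\SAM'      = 'SAM'
    'HKLM\SECURITY' = 'SECURITY'
    'HKU\.DEFAULT'  = 'DEFAULT'
}

function Backup-Hives {
    # One folder per weekday: Monday overwrites last Monday's copy, and so on.
    $dest = Join-Path $BackupRoot ((Get-Date).DayOfWeek.ToString())
    if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

    $failed = @()
    foreach ($key in $hives.Keys) {
        $file = Join-Path $dest $hives[$key]
        # Older reg.exe builds have no /y overwrite switch, so remove last week's copy first.
        if (Test-Path $file) { Remove-Item $file -Force }
        $out = & reg.exe save $key $file 2>&1
        if ($LASTEXITCODE -ne 0) { $failed += "$key -> $out" }
    }
    if ($failed.Count -gt 0) { Write-Warning ("Not saved:`n" + ($failed -join "`n")) }
    return $dest
}

if ($Register) {
    # Run daily at 12:00 as SYSTEM, which holds the backup privilege reg.exe
    # needs to save SAM and SECURITY. Task name is an assumption.
    schtasks /create /tn 'RegistryHiveBackup' /sc daily /st 12:00 /ru SYSTEM /tr "powershell.exe -ExecutionPolicy Bypass -File `"$ScriptPath`""
} else {
    Backup-Hives
}
```

Run it once with `-Register` from an elevated prompt to create the task; after that each day's run reports the folder it wrote. HKCU is deliberately left out, because under the SYSTEM task it would save SYSTEM's own profile hive rather than the logged-on user's NTUSER.DAT.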