can't remove entries from registry

Status
Not open for further replies.

jeff

Apr 5, 2004
Archived from groups: microsoft.public.windowsnt.registry

I'm trying to clean up after a virus infection on an XP Pro SP2 machine. I
have a list of all the registry entries added by the virus, and want to
manually delete them. I can find them easily enough, but when I try to
delete them I get an 'unable to delete all occurrences' message (or words
very similar!).

I'm not very experienced in editing the registry - I usually use a util to
keep it tuned - and I know how dangerous it can be. But although I've
removed the virus exe from the machine, and prevented firewall_anti from
loading or running, I still have all these registry entries that I'd like to
get rid of. What's the right way to do it please? I'm right-clicking the
reg entry concerned and choosing delete. Edit/Delete gives me the same
message. As I say, I have what seems like an accurate list of the reg
entries made by the virus (from Sophos).

Any pointers greatly appreciated, thanks
 

Calvin

Apr 7, 2004
Archived from groups: microsoft.public.windowsnt.registry

Hi Jeff,

I'm more experienced with NT4, but these comments should apply equally to XP:

Most people are unaware of it, but NT actually has security settings on registry
settings, just like it does on files on an NTFS volume. When you try to delete
one of the registry entries and get a refusal from the system, it is likely that
the virus has set the permissions to prevent you from deleting it.

With the offending registry key highlighted, select 'Security > Permissions'
from the menu and set the permissions back to 'Everyone - Full Control', then
you will be allowed to delete it. Be aware that you may need to tick the box for
'replace on all sub-keys' as well, if the key you are trying to delete has
subkeys underneath it - a locked key further down the branch you are trying to
kill will cause the same 'refused' symptoms you described.

Use extreme care, of course!

Hope this helps,

Calvin.
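
A read-only way to check the registry permissions described in the post above before changing any of them, added here as an example and not part of the original thread. The key path is a constructed placeholder and `Get-RegistryAclReport` is a hypothetical helper name; run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only ACL audit of a registry branch. It changes nothing.
# The default path is a constructed placeholder, not a key from the thread.
param([string]$Path = 'HKLM:\SOFTWARE\ExampleVendor\ExampleKey')

function Get-RegistryAclReport {
    param([Parameter(Mandatory)][string]$KeyPath)

    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $adminsSid = 'S-1-5-32-544'    # BUILTIN\Administrators (well-known SID)
    $delete    = [int][System.Security.AccessControl.RegistryRights]::Delete

    # The key itself plus every subkey; keys that cannot be opened land in $enumErrors.
    $keys  = @(Get-Item -LiteralPath $KeyPath -ErrorAction Stop)
    $keys += @(Get-ChildItem -LiteralPath $KeyPath -Recurse -ErrorAction SilentlyContinue -ErrorVariable enumErrors)

    foreach ($key in $keys) {
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch {
            # The ACL itself could not be read: report the key and the reason.
            [pscustomobject]@{ Key = $key.Name; Owner = '<unreadable>'; AdminsAllowDelete = $false
                               DenyRules = $_.Exception.Message; InheritanceBlocked = $null }
            continue
        }
        # Ask for rules keyed by SID so the check works on any display language.
        $rules = $acl.GetAccessRules($true, $true, $sidType)
        $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
        $allow = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $adminsSid -and
            (([int]$_.RegistryRights -band $delete) -ne 0) })

        [pscustomobject]@{
            Key                = $key.Name
            Owner              = $acl.Owner
            AdminsAllowDelete  = ($allow.Count -gt 0)   # heuristic: ignores Deny rules and other groups
            DenyRules          = ($deny | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
    foreach ($e in $enumErrors) {
        Write-Warning "Could not enumerate: $($e.TargetObject) ($($e.Exception.Message))"
    }
}

# Show only the keys whose permissions look altered.
Get-RegistryAclReport -KeyPath $Path |
    Where-Object { -not $_.AdminsAllowDelete -or $_.DenyRules -or $_.InheritanceBlocked } |
    Format-Table -AutoSize -Wrap
```

The rows it prints are the keys, including ones further down the branch, where a Deny rule, a changed owner or blocked inheritance would explain a refused delete.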
 

chone

Oct 22, 2006
I get the same trouble, but after I delete the registry key, the same key will appear again. How to do it!
 

fattony

Oct 16, 2006
Try it from safe mode. You also need to see what files the registry entries point to and delete those files as well; you may need to boot into the recovery console to remove the files if they are in use.

For the registry, as mentioned above, use the Everyone full control permissions to make sure you can remove it, but obviously if it still denies you, it's because open handles are still accessing that registry location, so hopefully safe mode will be your friend.
 

CaJazzman

Apr 8, 2009
I too have an entry that keeps coming back. I've tried to remove it in safe mode, where I can delete it, but it still comes back. The registry key is in:
HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce.
The string is C:\Program Files\Lavasoft\Ad Aware\Remove.exe. I've deleted this entry so many times I'm just so confused, and am not sure what else to do. I've even posted at Lavasoft and they say it's nothing to do with their software. I get a message when I start up the PC, saying that Windows is unable to find C:\Program Files\Lavasoft\Ad Aware\Remove.exe. So, when I delete it, it will work the next time I reboot, but then it's back again when I go into the registry. Please help, 'cause I'm just so confused, and wish I didn't have this error.
 

jcjim990

Dec 16, 2010
Well, editing the registry is too difficult for me. I think using software like TuneUp360 to edit the registry, like cleaning it up, would be better for a computer novice like me. I have been using TuneUp360 for several months and I found that it is very powerful! :D
 