Unable to set new owner

brian
Posts: 4
Joined: 20 Apr 2009, 23:00

Unable to set new owner

Post by brian »

I am working on removing a very stubborn piece of spyware. I got rid of the
DLL that was at the heart of the problem; however, in attempting to remove
the registry entries that call it, I have the following problem.

In Regedit, when I attempt to delete the registry key (actually, two subkeys
in HKLM\Software\Classes\CLSID...), I get this message:

Cannot delete <registry key name>: Error while deleting key.

Normally, I would next give myself permissions. Well, Administrators (of
whom I am a member) already has Full Control; however, all permission options
are grayed out. When I attempt to make any change, I get this message:

Unable to save permission changes on <registry subkey>. Access is denied.

OK. So the next step is to make myself the owner. Hmmm....I am already the
owner. If I attempt to change the owner to Administrators, I get this
message:

Unable to set new owner on <registry key name>. Access is denied.

I have checked similar registry entries and have no problem editing
permissions or owner.

I am now mystified. What layer of registry security is there beyond that
visible via Regedit/Regedt32? How can I fix this problem?

randem
Posts: 17
Joined: 14 Mar 2009, 00:00

Re: Unable to set new owner

Post by randem »

Are you using AV, spyware or malware removal tools to help you, or are you
attempting to do this by yourself?

Ref: http://www.randem.com/virusproblems.html


--
Randem Systems
Your Installation Specialist
The Top Inno Setup Script Generator
http://www.randem.com/innoscript.html
Disk Read Error Press Ctl+Alt+Del to Restart
http://www.randem.com/discus/messages/9 ... 1236319938



"Brian" <Brian@discussions.microsoft.com> wrote in message
news:93CF00F7-293F-4334-80C3-06B9D9F3DF46@microsoft.com...
> [...]

brian
Posts: 4
Joined: 20 Apr 2009, 23:00

Re: Unable to set new owner

Post by brian »

Thanks for the tip, but it found no null registry entries. I then tried
RootKit Revealer, which found, among other things, but most notably, a
"security mismatch" on a particular WinLogon entry (which, of course, points
to the DLL that started this whole business but which I was able to remove
manually).

"Tim Meddick" wrote:

> I'm not too up on this subject, but it could be that there is an entry with
> a null value within this key, preventing you from deleting it. You could do
> worse than download & run RegDelNull.exe (Microsoft) from:
>
> http://live.sysinternals.com/Files/RegDellNull.zip
>
> --
>
> Cheers, Tim Meddick, Peckham, London.
>
>
> "Brian" <Brian@discussions.microsoft.com> wrote in message
> news:93CF00F7-293F-4334-80C3-06B9D9F3DF46@microsoft.com...
> > [...]

brian
Posts: 4
Joined: 20 Apr 2009, 23:00

Re: Unable to set new owner

Post by brian »

Both.

Malwarebytes' Anti-Malware finds the registry entries pointing to the virus
file (which has been removed) but cannot remove the registry entries. When I
attempt to remove them manually, I get the aforementioned security anomalies.
In addition, RootKit Revealer shows a "security mismatch" on the Winlogon
entry that points to the erstwhile virus file.

"Randem" wrote:

> Are you using AV, spyware or malware removal tools to help you, or are you
> attempting to do this by yourself?
>
> Ref: http://www.randem.com/virusproblems.html

brian
Posts: 4
Joined: 20 Apr 2009, 23:00

Re: Unable to set new owner

Post by brian »

Long story. The actual file was a DLL in system32. Normally, I can simply
deny access to the file to everyone, then reboot, and the file cannot be
loaded because nobody has rights to it. Then, I give myself access to the
file and delete it, then remove the registry entries that call the
virus/spyware. In this case, though, it would not let me change the security
on the file. My next step would be to boot to the Recovery Console and delete
it via the command line. However, this laptop kept giving me a pci.sys
bluescreen error when attempting to boot to the Windows CD to get to the
Recovery Console.

So, I finally removed the hard drive from the laptop, connected it to
another computer so that I was booting from the drive in the other PC, not the
drive containing the virus, and deleted the file manually via Windows
Explorer.

Once I put the hard drive back into the laptop, the virus does not appear to
be active any longer; however, its original installation evidently did
something very strange to the relevant registry entries (two in CLSID & one
in WinLogon): it shows me as the owner & with full rights but will not allow
me to delete the keys, change ownership, or change any rights.

I have never seen anything like this before. I can usually get rid of these
manually if they elude AntiMalware. And this is my first experience with
RootKit Revealer - I found it as a link related to your earlier link pointing
me to RegDelNull.

This is why I normally insist that all my clients be configured as
non-administrators on their computers and have separate administrator
accounts to be used only when installing devices or software.
Non-administrative users get their spyware in their temporary folders, not
System32. But, some, in their infinite wisdom, just have to have it their
way...

"Tim Meddick" wrote:

> Brian,
> Could I ask you, how did you remove it after Rootkit Revealer found
> it, I thought it wouldn't delete? Did RootkitRevealer delete it?
>
> --
>
> Cheers, Tim Meddick, Peckham, London.
>
>
> "Brian" <Brian@discussions.microsoft.com> wrote in message
> news:8D0B6501-1A28-4EE4-B18D-D0861F78BCC0@microsoft.com...
> > [...]
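
The removal procedure described in this post, written out as an added PowerShell script (it is not the poster's own script and not a tool the thread mentions): lock the DLL with a Deny ACE for Everyone so it cannot be loaded after a reboot, then find the HKLM CLSID InprocServer32 entries and Winlogon Notify packages that reference it and, only when -Remove is given, delete them. The default `$DllPath` file name is a placeholder, and `Test-RefersTo` is a helper this example introduces.

```powershell
# Added example, not the poster's own script: the manual removal procedure
# from this post. $DllPath is a placeholder for the spyware DLL. Step 1 locks
# the file so it cannot be loaded after a reboot; step 2 lists the registry
# entries that load it (COM servers under CLSID and Winlogon notification
# packages); step 3 deletes them, but only when -Remove is given.
param(
    [string]$DllPath = "$env:SystemRoot\System32\example-spyware.dll",   # placeholder name
    [switch]$Remove
)

# 1. Deny Everyone (S-1-1-0) the rights needed to map the DLL. A Deny ACE wins
#    over any Allow ACE; denying only ReadData and ExecuteFile leaves you able
#    to read and edit the ACL afterwards, remove the entry, and delete the file.
try {
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $fileAcl  = Get-Acl -LiteralPath $DllPath
    $deny     = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'ReadData, ExecuteFile', 'Deny')
    $fileAcl.AddAccessRule($deny)
    Set-Acl -LiteralPath $DllPath -AclObject $fileAcl
    "Locked $DllPath (reboot before deleting it)"
} catch {
    # This is the failure the post describes; the fallback used there was
    # deleting the file with the disk attached to another Windows instance.
    "Could not change the ACL on ${DllPath}: $($_.Exception.GetBaseException().Message)"
}

# 2. Registry entries that reference the DLL. Match on the file name only:
#    the stored value may be REG_EXPAND_SZ or an 8.3 short path.
$dllName = [System.IO.Path]::GetFileName($DllPath)
$hklm    = [Microsoft.Win32.Registry]::LocalMachine
$hits    = @()

function Test-RefersTo([string]$Value) {
    return ($Value -and $Value.IndexOf($dllName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0)
}

# COM in-process servers: HKLM\SOFTWARE\Classes\CLSID\{guid}\InprocServer32, default value = DLL path
$clsidRoot = $hklm.OpenSubKey('SOFTWARE\Classes\CLSID')
foreach ($clsid in $clsidRoot.GetSubKeyNames()) {
    $srv = $clsidRoot.OpenSubKey("$clsid\InprocServer32")
    if ($null -eq $srv) { continue }
    $path = [string]$srv.GetValue('')
    $srv.Close()
    if (Test-RefersTo $path) { $hits += [pscustomobject]@{ Key = "SOFTWARE\Classes\CLSID\$clsid"; Value = $path } }
}
$clsidRoot.Close()

# Winlogon notification packages (Windows XP / Server 2003): ...\Winlogon\Notify\<name>, value DLLName
$notifyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$notify = $hklm.OpenSubKey($notifyPath)
if ($notify) {
    foreach ($pkg in $notify.GetSubKeyNames()) {
        $sub = $notify.OpenSubKey($pkg)
        $dll = [string]$sub.GetValue('DLLName')
        $sub.Close()
        if (Test-RefersTo $dll) { $hits += [pscustomobject]@{ Key = "$notifyPath\$pkg"; Value = $dll } }
    }
    $notify.Close()
}

$hits | Format-Table -AutoSize

# 3. Remove them. An "Access is denied" here is the symptom this thread is about.
if ($Remove) {
    foreach ($h in $hits) {
        try { $hklm.DeleteSubKeyTree($h.Key); "Deleted HKLM\$($h.Key)" }
        catch { "Could not delete HKLM\$($h.Key): $($_.Exception.GetBaseException().Message)" }
    }
}
```

Run it once without -Remove and check the listed keys against what the anti-malware scanner reported before deleting anything; a CLSID whose InprocServer32 merely shares a name fragment with the DLL would otherwise be removed too. The same CLSID registrations can also exist under HKCU\Software\Classes for a single user, which this script, following the post, does not scan.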
