
Windows registry woes :bang head:


Silverfoot

Member
Joined
Sep 14, 2005
Location
Anchorage
Sony Laptop - Win XP / Xandros

There are a few Start-up items, and registry keys that simply will not go away.

This is my friend's PC. There are like 6 Reg Entries (leftovers from Norton AV) that, when deleted, automatically regenerate. On top of that, M$ won't let me (him) access Msconfig. It says he does not have authorization.....He is the administrator on the OS.

So I boot into safe mode..It lets me into Msconfig, I change the items, but nothing is reflected. I go into Regedit, delete keys, they regenerate. System restore is disabled. There is no "Recovery partition" like some laptops.

The thing is too, I don't even leave regedit and they regen. All I have to do is click another folder, then back to where I was [HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENT_VERSION\RUN]
and they are there again. I have searched the whole registry looking for items and deleted them in several different orders, just in case there is a hierarchy, but to no avail. I have used Ace Utilities, CCleaner, Registry Mechanic and a couple others but they simply won't go away.

Please, if you have any idea what is going on help! If you need more info I'll get it to you asap.

Thanks in advance ~ this is making me looney. I can usually make Windows do whatever I want it to.
 
What are the 6 Registry entries, and are they all located under the following Key... ?

HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | Windows | CurrentVersion | Run

If they're all located under the above Key, what are the String value names of each? In addition, check the permissions for the Run Key (right click the Run Key, and select 'Permissions' | 'Security' tab). You may need to take ownership of it before you're able to delete any of the values under it (Start | Click 'Help and Support' | Search on "take ownership"... if you're unfamiliar with the process). You can also access help on permissions through the Registry's Help menu | 'Index' tab.
 
redduc900 said:
What are the 6 Registry entries, and are they all located under the following Key... ?

HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | Windows | CurrentVersion | Run

If they're all located under the above Key, what are the String value names of each? In addition, check the permissions for the Run Key (Right click the Run Key, and select 'Permissions' | 'Security' tab).

Get right back to you with that, have to hunt down the laptop, I saved a list just for this purpose :) Thanks
 
Okay, here are the Keys, in the directory that I stated above

Key name: ccApp
Value: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Key name: Symantec NetDriver Monitor
Value: C:pROGRA~1\SYMNET~\SNDMon.exe/Consumer

Key name: sunasServ
Value: C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe

Key name: SunasDTServ
Value: C:\Program Files\Sunbelt Software\Counterspy Client\sunasDTServ.exe

If this tells you anything, I would really appreciate it.
 
I'd try Symantec's website and look for detailed instructions on how to manually remove their AV as it looks like the remnants of that program. They usually have detailed removal instructions in case of a bad installation.
 
I agree with El<(')>Max, also... you didn't mention whether or not you checked the permissions of the Run Key.
 
El<(')>Maxi said:
The last two are part of an AntiSpyware program. Have you tried uninstalling this via Add/Remove Programs?

http://www.processlibrary.com/directory/files/sunasServ/

Neither program is installed anymore. Haven't been for some time, I guess he has been trying to rid the reg of this stuff for a month or so.

Didn't think about Key Permissions...I didn't know there was any such thing to be honest ~ never dealt with that. I just went in, okay, I see where to check it, thanks!

(Any idea why he isn't allowed to access Msconfig with an administrative account?)
 
(Any idea why he isn't allowed to access Msconfig with an administrative account?)
Since he can access MSConfig, but any changes that are made within the utility don't stick... and the same thing applies when attempting to make changes to the Registry; I'm beginning to think the problem is spyware/trojan/virus related. Although more times than not, access to MSConfig, the Registry, and Task Manager are totally restricted when that's the case... something a little different than your situation.
 
We've done a fairly comprehensive scan (NOD32 / Trend) and found nothing, but far be it for me to say that either would have caught one of the new bugs these bored college kids are making.

Permissions were appropriate for what I was trying to accomplish. Booted into safe mode and while in HKEY_LOCAL_MACHINE removed the keys. Closed regedit, opened it back up and they remained gone....in safe mode. When I log back into normal windows under his account, they are back again....Also while in Safe Mode I got into MsConfig and modified it, but, alas...no worky.

...And finally, nothing under services.msc.

Contacted Norton, they listened to the story, then tried selling us more software...Outstanding.....

I told the guy to wipe the XP partition and stick with Xandros..lol.

I appreciate your help here ~ if you can think of any other reason why it wouldn't allow me to delete registry keys, I am almost willing to do a rain dance at this point.
 
Try what I said in my first post for the first two keys. As far as the others go you need to look for services or .exe's that are loading on startup that recreate those registry keys when they run.

msconfig problems sounds like he has been playing with policies or some other security settings. That could be a little tougher to track down without a lot of work. Does he have a restore point ;)
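
An added example, not part of the original thread: a read-only Windows PowerShell audit of the Run keys discussed above, covering both the permissions check and the search for a service or process that keeps rewriting the values. It assumes Windows PowerShell is installed (Windows XP does not ship with it), takes the vendor folder names Symantec and Sunbelt from the values posted in the thread, and uses a hypothetical helper named Get-RunEntryTarget.

```powershell
# Added example: audit the Run keys from this thread (read-only, changes nothing).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$vendors = 'Symantec|Sunbelt'   # folder names taken from the values posted above

# Hypothetical helper: pull the executable path out of a Run command line.
function Get-RunEntryTarget([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"')  { return $Matches[1] }  # quoted path
    if ($CommandLine -match '^\s*(.+?\.exe)') { return $Matches[1] }  # unquoted, up to .exe
    return $CommandLine.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }

    # Owner and access rules: the permissions check suggested in the thread.
    $acl = Get-Acl -Path $key
    "{0}  (owner: {1})" -f $key, $acl.Owner
    foreach ($rule in $acl.Access) {
        "    {0,-5} {1,-12} {2}" -f $rule.AccessControlType, $rule.RegistryRights, $rule.IdentityReference
    }

    # Every autorun value, flagged when the file it points to no longer exists.
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd   = [string]$item.GetValue($name)
        $exe   = [Environment]::ExpandEnvironmentVariables((Get-RunEntryTarget $cmd))
        $state = 'MISSING'
        if ($exe -and (Test-Path -LiteralPath $exe)) { $state = 'present' }
        "    [{0}] {1} = {2}" -f $state, $name, $cmd
    }
}

# Services and running processes installed under the same vendor folders:
# candidates for whatever recreates the values after they are deleted.
"Services matching $vendors"
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match $vendors } |
    Select-Object Name, State, StartMode, PathName

"Processes matching $vendors"
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -match $vendors } |
    Select-Object ProcessId, Name, ExecutablePath
```

Running it once in Safe Mode and once in a normal session gives two listings to compare; a service or process that appears only in the normal session is the first candidate for what restores the values.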
 