#1 |
|
Member (8 bit)
|
Busted registry key.... Any fix?
I have a busted registry for a client. She got Bugbear, and the dang thing got broke more than just a little.
Bugbear disabled the antivirus, and apparently in the process put the whammy on the HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC keys. I can't rename, remove or append the key. I can't change permissions on the key, and when I try, it says I can't change permissions on the Symantec key's special settings, but I can set other permissions, and when I try to apply them, it errors out. I can't get an add/remove on System Works 2002, a removal by Symantec's special cleaner for either Norton System Works or Norton AntiVirus, and a totally manual reg hack uninstall gets stymied at the HKLM\...\symantec key. I could not even import a key to the registry for Symantec. When regedit opens, it tells me I can't open the Symantec key. As is, we had to close the barn door with a different antivirus. I tried updating XP Pro to Service Pack 1 (really against my better judgement, with its "keys to the kingdom" EULA) and still nothing. Anyone have any ideas on removal of a bad registry key? I don't really have another previous registry to get in, at this point. Ideas?
#2 |
|
Tanker Yanker
Premium Member
Join Date: Nov 2001
Location: Lewisville TX
Posts: 2,920
|
Have you tried System Restore? Go back to the last time the system worked OK, restore it, and get rid of Bugbear. She probably will have to reinstall most of her programs, but it beats doing a new install and starting over.
If that is out of the question then do a reinstall but leave out the "bugbear".
__________________
MB: DFI Lanparty UT-NF4 SLI-D/Processor AMD Athlon 64x2 Toledo/video Card:XFX 9800GTX+/Audio:Sound Blaster Audigy 4/Ram:Corsair XMS Extreme 4x1Gig PC3200/HD:1x150GBWestern Digital Raptor 1x80GB Segate Beracuda 7200 SATA /Monitor:ASUS VS247 H-P 23.6"/Keyboard Mouse:Logitech Cordless Wave/Speakers: Logitech G51/Printer/Fax/Scanner:Brother MFC-685CW |
#3 |
|
Member (8 bit)
|
System restore has no image prior to the event, for some reason. No dice. Good idea though.
#4 |
|
Premium Member
Join Date: Jun 1999
Posts: 9,231
|
What are the permissions on the key? Select the key you need to edit, and go to EDIT > PERMISSIONS. If you don't have access to edit it, you might need to add it in as an administrator.
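
Added example, not part of any post in this thread: a read-only PowerShell report of the owner and permission entries on the key under discussion, as a scripted counterpart to the EDIT > PERMISSIONS dialog. It assumes an elevated prompt on a Windows system with PowerShell 3.0 or later; `Get-RegKeyAclReport` and `Resolve-Sid` are hypothetical helper names introduced here.

```powershell
# Added example: report the owner and DACL of a registry key without changing it.
# Assumes an elevated PowerShell 3.0+ prompt; helper names are hypothetical.
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # orphaned or unresolvable SID: show it raw
}

function Get-RegKeyAclReport {
    param([Parameter(Mandatory = $true)][string]$SubKey)

    try {
        # Request only READ_CONTROL, the minimum needed to read the
        # key's security descriptor.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            $SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    } catch {
        Write-Warning "Cannot open HKLM\$SubKey for READ_CONTROL: $($_.Exception.Message)"
        return
    }
    if ($null -eq $key) { Write-Warning "HKLM\$SubKey does not exist"; return }

    try {
        $sections = [System.Security.AccessControl.AccessControlSections]'Owner, Access'
        $acl      = $key.GetAccessControl($sections)
        $sidType  = [System.Security.Principal.SecurityIdentifier]

        # By default the owner is implicitly allowed to read and rewrite the DACL.
        [pscustomobject]@{
            Kind = 'Owner'; Identity = (Resolve-Sid ($acl.GetOwner($sidType)))
            Type = ''; Rights = ''; Inherited = ''
        }
        # Explicit and inherited entries, in the order they are stored.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            [pscustomobject]@{
                Kind = 'ACE'; Identity = (Resolve-Sid $ace.IdentityReference)
                Type = $ace.AccessControlType; Rights = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    } finally { $key.Close() }
}

# Key path as named in the thread.
Get-RegKeyAclReport -SubKey 'SOFTWARE\Symantec' | Format-Table -AutoSize
```

In the output, look for an unexpected owner and for Deny entries, since Deny entries are evaluated ahead of Allow entries in a canonically ordered DACL.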
#5 |
|
Member (8 bit)
|
As for permissions, I AM administrator. I can't even add administrators the change permission. I can't even assign read permission.
That key is locked down solid. Unfortunately, I can't tell if it was Bugbear (likely), Symantec (less likely but possible) or simply a broken reg key. All I can tell is nothing Symantec is getting in or out.
#6 |
|
Member (13 bit)
Join Date: Sep 1999
Posts: 4,956
|
Have you uninstalled Nortons?
Do a complete uninstall. Go to Trendmicro and have housecall do a complete scan of the system to check for any traces of a virus. Whether this will work, I don't know, try to export the registry to a file, once created, modify the backup and either merge or add it back to the registry.
#7 | |
|
Member (8 bit)
|
Quote:
Total uninstall of all Symantec products utility downloaded does not work. Manual registry hack uninstall does not work. ALL for the same reason. The HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC key and anything under it is damaged. No changing, importing, exporting, or changing permissions. Two different removal tools say Bugbear has left the scene. I tried using the Symantec diagnostic tool to tell me why it fails, but the tool fails, probably due to the inability to access the Symantec key. I have tried exporting the reg key, importing from another installation, but no go, for the same reasons. Thus the problem. No changing the key, no removal of the key, and no appending.
#8 |
|
Member (13 bit)
Join Date: Sep 1999
Posts: 4,956
|
Have you attempted to reinstall the software and then uninstall?
Sometimes this works. Have you tried a registry cleaner?
#9 |
|
Member (8 bit)
|
I have tried an overinstall, a modify install and they both don't work.
The registry key would need to get modified to make those installs work. It doesn't modify, therefore it doesn't work.
#10 |
|
Tanker Yanker
Premium Member
Join Date: Nov 2001
Location: Lewisville TX
Posts: 2,920
|
Then the best way is to format and do a fresh reinstall.
#11 |
|
Power in the Box-P4 XEON!
Join Date: May 2001
Location: Europe >Swiss
Posts: 3,014
|
Have you tried regedt32.exe? You can find it in Windows\system32 and then take control of the KEY - there ain't nothing to stop this - if you need some help just let me know. After this you can do almost everything you like to the machine and the virus.
Hpro
__________________
It's not as hard to do as you may think...It's just that you try.!And I'm still trying..! The Machine: i7 920CPU @ 2.66 Hypertreading / Asus P6T / 12GB DDR3 Ram 1366 / 3 x Sata 160GB Hot Swap / 1x Sata 160GB / 2 x Sata 300 GB / Plextor DVD 800 SATA / Plextor CDRW IDE / Audigy Sound Blaster 24 Bit / ASUS Nvidia ENGT 240/ Chieftec Full Tower / PSU Chieftec 600 Watt / Win7 x64 Ultimate MAPS |
#12 |
|
Member (8 bit)
|
regedit and regedt32 give the same response, bad registry key, can't change permissions.
More and more it looks like removal is not an option, and it really sucks to think of reinstalling completely due to one bad software key, and not a Windows key at that. It could run indefinitely without installing Symantec software. Just nothing Symantec would run on the box.
#13 |
|
Power in the Box-P4 XEON!
Join Date: May 2001
Location: Europe >Swiss
Posts: 3,014
|
Oh, then try this - I think it helps - I think you have a problem with the ACCESS RIGHTS ON that COMPUTER - the virus did lock you out - you need to get hold of the computer - meaning taking OWNERSHIP - and this for all the files including the registry.
You can do this two ways - set up a second Win2k and then slave the original drive to it - or use the repair option from the WINDOWS START - boot off the CDROM - either one will work. If you use the slave option then all you have to do is to set up Norton AV scanner on the newly installed Windows and then remove the virus - it will also clear out the registry as the virus can't load so the registry isn't locked - and the other option is even easier as it will restore the original system files - leaving all other files intact. One more thing you could try is to unload the caller of the registry locker - THIS IS SOMETHING THE VIRUS DOES ON EACH BOOT and you CAN LOOK him out using SAFE MODE as for SAFE MODE most of the drivers and in fact also NAV doesn't load. Control Panel - Administrative Tools - Services - and disable the caller of the service - you can find that one out by scrolling through the services and then especially check NAV and its dependencies. Hope this helps.
Hpro
#14 |
|
Premium Member
Join Date: Jun 1999
Posts: 9,231
|
Have you tried taking up auditing rights of the registry key?
#15 |
|
Power in the Box-P4 XEON!
Join Date: May 2001
Location: Europe >Swiss
Posts: 3,014
|
Yes, and as we are in the registry - have you checked if the entries have set READ ONLY ATTRIBUTES?
I'm pretty sure that it can be done - BTW you can edit the registry with REGEDIT and REGEDT32 from the Recovery Console - there is documentation on the Microsoft website on that one.
Hpro
#16 |
|
Member (8 bit)
|
Quote:
Yes, and as we are in the registry - have you checked if the entries have set READ ONLY ATTRIBUTES?
I'm pretty sure that it can be done - BTW you can edit the registry with REGEDIT and REGEDT32 from the Recovery Console - there is documentation on the Microsoft website on that one.
Hpro

Yes, I have tried to change them. Repeatedly. Read the previous posts. I cannot take ownership of any rights, change, etc., no matter what I try.
#17 |
|
Power in the Box-P4 XEON!
Join Date: May 2001
Location: Europe >Swiss
Posts: 3,014
|
Have you tried to take ownership of the drive's volume - and files throughout EXPLORER?
Hpro