Question

delete a key in the registry

Asked by: nobus

Hello,

i am looking for a solution for this problem :
after deleting some malware, i have some wintools keys left in the registry.
when i try to delete them, i get an error saying it cannot be deleted.

any insight or thoughts about how to delete these stubborn keys is welcome
OS is windows XP SP1 upgraded to SP2

thanks in advance for all reactions !

This Question has been solved and asker verified.

Asked On: 2005-01-08 at 02:57:02, ID 21266660
Tags: registry, delete, key
Topic: Operating Systems Miscellaneous
Participating Experts: 11
Points: 500
Comments: 65


Answers

 

by: nekogami Posted on 2005-01-08 at 03:32:04 ID: 12991628

Hi there,

i think the best solution would be that you start your Computer in Safe Mode by pressing F8 at the start and try it there. If it doesn't help look if you have the rights to delete those registry keys. Are you logged in as Administrator? and what is the exact error message you get.

Good Luck

 

by: nobus Posted on 2005-01-08 at 03:35:00 ID: 12991633

i tried that in safe mode, and i have full rights, and i am logged in as admin

 

by: nekogami Posted on 2005-01-08 at 03:43:55 ID: 12991651

then look if not some program is still accessing the registry key. Just try regmon

http://www.sysinternals.com/ntw2k/source/regmon.shtml

 

by: SystmProg Posted on 2005-01-08 at 03:45:16 ID: 12991654

Hi :-) nobus

Ok here it is. Fix ur registry for any duplicate entries and functions in it :-

find and correct invalid file and folder references in Windows 9x/NT/ME/2000/XP Registry;
find and delete empty registry keys;
find and correct invalid font entries;
find and delete obsolete Start Menu items;
find and correct invalid application paths;
find and correct invalid registered help files;
find and correct invalid shared DLL references;
search for matches of invalid entries on user's computer;
open folders to which invalid registry keys refer;
open Windows RegEdit at invalid registry entries;
full registry backup before any changes;
backup only modified registry entries as RegEdit4 files, so you are always able to restore certain registry changes;
save the list of found invalid entries into text file;
print the list of found invalid entries;

download it from the following link :-
http://www.fixregistry.com/download.htm

Tx
SP

 

by: SystmProg Posted on 2005-01-08 at 03:46:33 ID: 12991655

>>>after deleting some malware, i

Are you sure you have deleted all malware processes from ur system ? If no then try running the followings :-

running sfc from the run box, and if virus or malware is suspected, run all those, preferably in safe mode :

CWshredder: http://www.majorgeeks.com/download4086.html
Spybot: http://www.download.com/3000-8022-10122137.html
adaware: http://www.lavasoftusa.com/
STINGER: http://vil.nai.com/vil/stinger/
http://housecall.trendmicro.com/ (online scan for trojans)
http://www.ravantivirus.com/scan/
http://www.spychecker.com/program/coolwebshredder.html (CWshredder)
http://www.spychecker.com/program/hijackthis.html (download)
http://www.hijackthis.de/index.php?langselect=english (check the log)

 

by: nobus Posted on 2005-01-08 at 03:57:56 ID: 12991687

hey there; i would like an answer to my question : how do i delete that key?
SystmProg, you keep feeding me my own answer ! i still don't mind, but it does not help !

 

by: nekogami Posted on 2005-01-08 at 04:10:25 ID: 12991724

just look what program is accessing the registry key and kill it with the Task Manager (Ctrl+Alt+Del) and then try to delete the key.

 

by: SystmProg Posted on 2005-01-08 at 04:11:48 ID: 12991726

but which key you can't delete ?

 

by: nobus Posted on 2005-01-08 at 04:30:54 ID: 12991766

i said it in my first post, but ok, here goes again : (2 times for 1 cent)
Wintools is the key i cannot delete in several places

 

by: nobus Posted on 2005-01-08 at 04:31:57 ID: 12991771

and how must i see which program is accessing the key? Task manager shows nothing special

 

by: SystmProg Posted on 2005-01-08 at 04:40:22 ID: 12991793

What error message do u get ?

Access is Denied ?

 

by: nobus Posted on 2005-01-08 at 04:44:08 ID: 12991805

>>>    i get an error saying it cannot be deleted.   <<<  
   

 

by: SystmProg Posted on 2005-01-08 at 04:47:45 ID: 12991814

Have you logged in as Administrator ?


 

by: nobus Posted on 2005-01-08 at 04:50:09 ID: 12991827

read my post dated as per today 03:35 please

 

by: SystmProg Posted on 2005-01-08 at 04:50:39 ID: 12991830

Any malware process is blocking you from deleting this registry key and this process is running in Task Manager.

Can you post Task Manager process ?

 

by: SystmProg Posted on 2005-01-08 at 05:01:56 ID: 12991889

>>> am looking for a solution for this problem :
after deleting some malware, i have some wintools keys left in the registry.
when i try to delete them, i get an error saying it cannot be deleted.

Do u think that i am making you fool and struggling here for points ?

"Can't delete WinTools" because any process it may be a malware or not is blocking u from deleting this key.

If not process then any service is running.

It will be helpful for me if you post all task manager processes running in background.

Thank U
SystmProg

 

by: rindi Posted on 2005-01-08 at 05:05:29 ID: 12991902

Right click the key you want to change, select permissions and then take ownership of the key, as you would in the filesystem. Then you should also be able to change the attributes of the key so you are allowed to delete it.

 

by: nobus Posted on 2005-01-08 at 05:26:56 ID: 12992002

rindi, read my post dated per 3:35 please !

Systmprog  >>   Do u think that i am making you fool and struggling here for points ?   <<< i certainly hope not, because you were always willing to respond; i will post the results from Task Manager asap, but i do not see anything suspicious. But i take it another person can see things i don't.  I just would be happy resolving this; i am learning from every problem i had, and of course, i can do fresh install, but since i cannot delete these keys, it is kinda stinging me, and i would want to solve it - i would have learned something again!

and i tried your link to fix your registry, but this does not let me go to a key and delete it; they simply scan, and let you do things to the selected keys (it was not among them)

 

by: SystmProg Posted on 2005-01-08 at 05:33:58 ID: 12992031

OK
Cool

As a professional i have exp. in Microsoft Products and how they interact with each other. So please post a log of processes.

 

by: nobus Posted on 2005-01-08 at 05:34:03 ID: 12992032

i'm sorry, but how would i post a process list from task manager? i see no possibility to save it in a txt file.  The only thing i see is taking a screen picture, and save it.

the exact error i get is :

cannot remove wintools an error occurred at the removal of the key   (...translated)

 

by: SystmProg Posted on 2005-01-08 at 05:39:17 ID: 12992054

no translated

please provide the exact error message

and post the log of process tlist.exe command

 

by: rindi Posted on 2005-01-08 at 05:44:59 ID: 12992092

Have you tried to delete all the sub-keys of that key individually?

 

by: SystmProg Posted on 2005-01-08 at 05:45:37 ID: 12992098

 

by: SystmProg Posted on 2005-01-08 at 05:46:55 ID: 12992104

Sorry posted wrong

 

by: nobus Posted on 2005-01-08 at 05:58:51 ID: 12992162

Ok update :

exact error in dutch :  kan Wintools niet verwijderen : er is een fout opgetreden bij het verwijderen van de sleutel

rindi, i have followed your suggestion, but if i try to delete a subkey, i get the message : cannot delete all entries (even on a single one)

tlist.exe command is not recognised in a dos box - how do i run it? or do i miss something?

 

by: SystmProg Posted on 2005-01-08 at 06:03:11 ID: 12992174

Sorry :-) it's my fault that i forced you to submit exact error. I don't know this is in dutch.

Ok

http://www.spychecker.com/program/hijackthis.html
download this a small program
save log and post it here.



 

by: rindi Posted on 2005-01-08 at 06:07:40 ID: 12992198

How are the permissions set for that single key? Does the administrator have the right to delete that key?

 

by: SystmProg Posted on 2005-01-08 at 06:15:00 ID: 12992237

Administrator has rights to delete anything on the system.

ok try to delete using the Safe Mode

if not success then post the log

 

by: rindi Posted on 2005-01-08 at 06:23:30 ID: 12992307

I don't agree. The administrator doesn't always have all rights. And even if he has Full control, that still doesn't mean he has the right to delete a key. Full Control only means he can delegate other rights. For certain things only the system has delete rights and not the admin.

 

by: SystmProg Posted on 2005-01-08 at 06:28:39 ID: 12992358

I am talking about the File Folders and Registry permission set

not about the System Services which runs under System Account.

 

by: rindi Posted on 2005-01-08 at 06:30:23 ID: 12992379

Sorry, I didn't notice.

 

by: SystmProg Posted on 2005-01-08 at 06:32:52 ID: 12992399

:-)

 

by: nobus Posted on 2005-01-08 at 06:34:33 ID: 12992417

systmProg, the hijackThis file is clean, but if you want to look at it, :

Logfile of HijackThis v1.98.2
Scan saved at 15:33:47, on 08/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eelen Katrin\Mijn documenten\Mijn eBooks\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Mpath\Assets\Blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.skynet.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

 

by: SystmProg Posted on 2005-01-08 at 06:43:46 ID: 12992476


Kill those processes and then try :-

C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Messenger\msmsgs.exe

and using Hijack Fix the following and restart ur computer

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

and then try ?

 

by: SystmProg Posted on 2005-01-08 at 06:44:29 ID: 12992477

>>>wintools keys

Tell me the registry location for this key

 

by: stevenlewis Posted on 2005-01-08 at 07:01:38 ID: 12992532

nobus, try this
take ownership of the key and sub keys
from the advanced button of permissions
also check the effective permissions

 

by: nobus Posted on 2005-01-08 at 07:08:22 ID: 12992550

HKey_Local_Machine\Software\Wintools
HKey_Local_Machine\System\ControlSet001\Enum\Root\Legacy_WintoolsSVC
HKey_Local_Machine\System\ControlSet002\Enum\Root\Legacy_WintoolsSVC
HKey_Local_Machine\System\ControlSet002\Services\WintoolsSVC
HKey_Local_Machine\System\ControlSet003\Enum\Root\Legacy_WintoolsSVC
HKey_Local_Machine\System\ControlSet003\Services\WintoolsSVC
HKey_Local_Machine\System\CurrentControlSet\Enum\Root\Legacy_WintoolsSVC
HKey_Local_Machine\System\CurrentControlSet\Services\WintoolsSVC
and in the value Last key

 

by: SystmProg Posted on 2005-01-08 at 08:12:45 ID: 12992786

See my post for
<<<If not process then any service is running>>>

HKey_Local_Machine\System\CurrentControlSet\Services\WintoolsSVC

Stop this service from Services.msc snap-in and then try to delete the registry

Tx
SP


 

by: SystmProg Posted on 2005-01-08 at 08:14:20 ID: 12992793

a service named "WintoolsSVC" or some similar name is running in the background and it is used by the svchost.exe process running in ur Task Manager.

 

by: nobus Posted on 2005-01-08 at 08:27:07 ID: 12992848

i can not find a Wintools service in the services list

 

by: stevenlewis Posted on 2005-01-08 at 08:32:49 ID: 12992871

who is shown as the owner of the reg key?

 

by: nobus Posted on 2005-01-08 at 08:41:28 ID: 12992917

the owner is the administrator

 

by: stevenlewis Posted on 2005-01-08 at 08:42:26 ID: 12992921

make yourself (your logon name) the owner

 

by: nobus Posted on 2005-01-08 at 09:06:17 ID: 12993023

i logon automatically as administrator; there are no other accounts, but i'll make another one for testing

 

by: NicPapageorgiu Posted on 2005-01-08 at 10:05:05 ID: 12993342

You can export the registry and work on it offline and then import it from the recovery console

or for the faint of heart and lazy (like myself)

This is the best reg tool I have found and use  http://www.tucows.com/preview/195992.html

 

by: spiderfix Posted on 2005-01-08 at 10:37:12 ID: 12993500

Registered *.dll(s) are most likely preventing the deletion. In Run... try

regsvr32 /u wtoolsb.dll
regsvr32 /u btiein.dll
regsvr32 /u f3ezsetp.dll
regsvr32 /u toolbar.dll
regsvr32 /u SToolbar.dll

or

regsvr32 /u "\Program Files\Common Files\WinTools\WToolsB.dll"
regsvr32 /u "\Program Files\Common Files\WinTools\btiein.dll"
regsvr32 /u "\Program Files\Toolbar\toolbar.dll"
regsvr32 /u "\Program Files\Search Toolbar\SToolbar.dll"

If those fail there are more here...
http://www.intermute.com/spysubtract/researchcenter/HuntBar.html

 

by: way12go Posted on 2005-01-08 at 11:01:40 ID: 12993577

Right click the registry key and then give yourself access to delete the key and then delete it. You can also use Lavasoft's Reg Hancer. Also use " Seememe " to diagnose windows problems. Also see to it that you disabled/unchecked " simple file sharing " in the explorer--->folder options--> " tab " view ---> last option. I suppose disabling unchecking/disabling this option puts a tab/page for setting access rights in different ..areas!?

 

by: way12go Posted on 2005-01-08 at 11:02:50 ID: 12993581

To delete certain registry keys you need to assign permissions for them to get deleted. For example: The Legacy registry keys.

 

by: huntersvcs Posted on 2005-01-08 at 13:12:57 ID: 12994096

OK - my standard answer for deleting IMPOSSIBLE entries in the registry:  it's actually easy if you know the routine!  Some entries in the registry can only be deleted by the SYSTEM.  Not even the administrator can do that!

Open a DOS window.  Type in:  at 12:00 /interactive regedit.exe

This means that at 12:00 the registry will be opened with SYSTEM privileges!  Change the time however you will - you should be able to delete anything at this time - even system drivers and services.

Just be careful what you delete - use the export function before you try anything if you're not 100% sure.  That way, you can always go back to the beginning.

Hope this helps.
Rick
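
The permission question raised in this thread by rindi, stevenlewis, way12go and huntersvcs can be checked before anything is deleted. The following read-only audit is an added example, not code from any poster; it assumes PowerShell is installed (it is not part of a stock Windows XP install) and uses the service name nobus listed.

```powershell
# Added example, not code from the thread. Read-only: nothing is changed or deleted.
# Assumption: the leftover service name is the one nobus listed.
$ServiceName = 'WintoolsSVC'

# Well-known SIDs instead of account names, so the check also works on a
# localized Windows install (the asker's system is Dutch).
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$SidType   = [System.Security.Principal.SecurityIdentifier]
$Delete    = [int][System.Security.AccessControl.RegistryRights]::Delete

function Test-AllowsDelete($Rules, $Sid) {
    # True when an Allow entry for $Sid carries the Delete right.
    # Deny entries and entries written with generic rights are not evaluated.
    foreach ($rule in $Rules) {
        if ($rule.IdentityReference.Value -eq $Sid -and
            $rule.AccessControlType -eq 'Allow' -and
            (([int]$rule.RegistryRights) -band $Delete) -ne 0) { return $true }
    }
    return $false
}

# CurrentControlSet is a link to one numbered set; Select\Current names it.
$current    = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current
$currentSet = 'ControlSet{0:D3}' -f $current

$sets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

$report = foreach ($set in $sets) {
    foreach ($rel in "Services\$ServiceName", "Enum\Root\LEGACY_$ServiceName") {
        $root = "HKLM:\SYSTEM\$($set.PSChildName)\$rel"
        if (-not (Test-Path -Path $root)) { continue }

        # A key can only be deleted once its subkeys are gone, so audit them too.
        $keys = @($root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSPath })

        foreach ($key in $keys) {
            $row = @{
                Key             = ($key -replace '^.*::', '')
                ActiveSet       = ($set.PSChildName -eq $currentSet)
                Owner           = $null
                AdminsCanDelete = $null
                SystemCanDelete = $null
                Note            = ''
            }
            try {
                $acl   = Get-Acl -Path $key -ErrorAction Stop
                $rules = $acl.GetAccessRules($true, $true, $SidType)
                $row.Owner           = $acl.Owner
                $row.AdminsCanDelete = Test-AllowsDelete $rules $AdminsSid
                $row.SystemCanDelete = Test-AllowsDelete $rules $SystemSid
            } catch {
                $row.Note = "ACL not readable: $($_.Exception.Message)"
            }
            New-Object PSObject -Property $row
        }
    }
}

# Is the service still known to the Service Control Manager?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { "Service '$ServiceName' is registered, status: $($svc.Status)" }
else      { "No service named '$ServiceName' is registered with the Service Control Manager." }

if ($report) {
    $report |
        Select-Object Key, ActiveSet, Owner, AdminsCanDelete, SystemCanDelete, Note |
        Format-Table -AutoSize -Wrap
} else {
    "No '$ServiceName' keys found under HKLM\SYSTEM\ControlSetNNN."
}
```

A row with AdminsCanDelete = False and SystemCanDelete = True is a key whose ACL, not a running process, is what blocks an administrator from deleting it.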

 

by: SystmProg Posted on 2005-01-08 at 21:38:38 ID: 12995516


HKey_Local_Machine\Software\Wintools      
This is the software entry, you will be able to delete it when you stop the service.

HKey_Local_Machine\System\ControlSet001\Enum\Root\Legacy_WintoolsSVC
HKey_Local_Machine\System\ControlSet002\Enum\Root\Legacy_WintoolsSVC
HKey_Local_Machine\System\ControlSet002\Services\WintoolsSVC
HKey_Local_Machine\System\ControlSet003\Enum\Root\Legacy_WintoolsSVC
HKey_Local_Machine\System\ControlSet003\Services\WintoolsSVC
HKey_Local_Machine\System\CurrentControlSet\Enum\Root\Legacy_WintoolsSVC
This controlSet is not used currently in ur system. You have restarted ur system many times so it is cloned to CurrentControlSet.

HKey_Local_Machine\System\CurrentControlSet\Services\WintoolsSVC
and in the value Last key

Here it is :-
HKey_Local_Machine\System\CurrentControlSet\Services\WintoolsSVC

See the following value in the Right Pane

"Description"="something"
"DisplayName"="Application Management or something"
"ImagePath"="will be a file name , something.DLL"

Find the service in services.msc snap-in shown "DisplayName" and stop it.

If can not find then
Use HijackThis utility to remove this file (in ImagePath) at reboot.

Thank U
SystmProg

Try it and let us know.

 

by: manth Posted on 2005-01-08 at 23:18:36 ID: 12995703

I believe you can directly access the registry from the recovery console...

 

by: nobus Posted on 2005-01-09 at 00:14:28 ID: 12995801

update :

- spiderfix : i tried your suggestion, but none of these entries exist
---------------------
- SystmProg :   HKey_Local_Machine\System\CurrentControlSet\Services\WintoolsSVC

See the following value in the Right Pane

"Description"="something"
"DisplayName"="Application Management or something"
"ImagePath"="will be a file name , something.DLL"

no such values in right pane, only : standard - Reg_SZ - no value set
There is a Enum subfolder with following values :
standard         - Reg_SZ        - no value set
0                    - Reg_SZ        - Root\Legacy_wintoolssvc\0000
Count              - Reg_Dword   - 0x0000001(1)
NextInstance    - Reg_Dword   - 0x0000001(1)
-----------------------------

huntersvcs : i set the at command for 1 min later, no error, nothing happened; but does that stay active or how can i take that command out again?
--------------------------------------------
manth :  will try the recovery console now

 

by: SystmProg Posted on 2005-01-09 at 00:36:32 ID: 12995846

Ok

You have this much keys and subkeys created in ur Registry :-


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"DeviceDesc"="WinTools for IE service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"DeviceDesc"="WinTools for IE service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"DeviceDesc"="WinTools for IE service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

If yes then post quick i will give you a good solution !!!

Tx
SP

 

by: SystmProg Posted on 2005-01-09 at 00:37:05 ID: 12995848

and this is a SPYWARE

 

by: SystmProg Posted on 2005-01-09 at 00:42:22 ID: 12995853

In safe mode you delete these folders:

C:\Program Files\Common files\WinTools
C:\PROGRA~1\Toolbar

Reboot and run HijackThis again and fix and post a new log.



 

by: SystmProg Posted on 2005-01-09 at 00:44:00 ID: 12995854

Here is the full removal process :-

Removal
TrafficSyndicate offer two uninstaller files for HuntBar/TS, which have been reported not to work properly.

HuntBar/Side may put an entry called 'MSIETS' in the Control Panel's Add/Remove Programs option, which should remove this variant.

HuntBar/MSLink and HuntBar/BTLink have two entries in the Control Panel's Add/Remove Programs option, called 'Internet 404' and 'Tools for Internet Explorer'. Both entries (which also demand an internet connection to work) must be removed to get rid of these variants, but it will leave the files intact and still won't remove the MSIn or BTIn installer, which can reinstall the software automatically in the future.

HuntBar/SToolbar puts an entry called 'Search Toolbar' in Add/Remove Programs, which should work (though it requires an internet connection).

HuntBar/WinTools has an entry for 'Web Search Toolbar' along with at least one entry called 'Win-Tools Easy Installer', all of which need to be used to remove the software. An internet connection is needed to complete the uninstallation; you must also ignore the software's pleas to be allowed to continue (pay attention to the potentially confusing action buttons). During testing, the 'Easy Installer's did not always work, necessitating manual removal in this case.

Manual removal
WinTools variant
The WinTools variant cannot be removed in the normal desktop because each of the three processes, plus a BHO, keep each other alive when you try to stop them. So you will need to use Safe Mode.

To get to Safe Mode, press the F8 key just as Windows is about to boot. If you use a multiboot system, this is the point where the boot menu appears; if not, just keep tapping F8 as the machine boots until the menu appears.

Open the registry (click 'Start', choose 'Run', enter 'regedit') and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. Select the subkey 'Run' and delete the 'WinTools' entry on the right. If there is still a 'TB_setup' or 'TBPS' entry here, delete that too.

Next, select the subkey 'Explorer\Browser Helper Objects', delete the whole subkey with the name '{87766247-311C-43B4-8499-3D5FEC94A183}'. Finally, find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and delete the WinToolsSvc subkey. Reboot normally.

All variants
Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands. For HuntBar/TS:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\MSIETS\msiets.dll"
For HuntBar/Side and HuntBar/MSLink, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\MSIETS\msielink.dll"
For HuntBar/BTLink, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\BTLINK\btlink.dll"
For HuntBar/MSIn, enter:

cd "%WinDir%\System"
regsvr32 /u msiein.dll
For HuntBar/BTIn, enter:

cd "%WinDir%\System"
regsvr32 /u btiein.dll
For HuntBar/SToolbar, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Search Toolbar\SToolbar.dll"
For HuntBar/WinTools, enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Common Files\WinTools\WToolsB.dll"
regsvr32 /u "\Program Files\Common Files\WinTools\btiein.dll"
regsvr32 /u "\Program Files\Toolbar\toolbar.dll"
(Users of non-English versions of Windows will need to change 'Program Files' and 'Common Files' in the above commands to the names of these folders in the language Windows was installed in.)

File deletion
Having done this you can reboot the machine and delete the HuntBar files. Open the 'Common Files' folder inside Program Files. For the TS, Side, MSLink variants, delete 'MSIETS'; for the BTLink variant delete 'BTLINK'; for the WinTools variant delete 'WinTools'.

Go back to the Program Files folder and delete 'Search Toolbar' (SToolbar variant) or 'Toolbar' (WinTools variant). Finally, open the System folder (inside the Windows folder, called 'System32' under Windows NT/2000/XP/2003) and delete 'msiein.dll' (MSIn variant) or 'btiein.dll' (BTIn variant).

Other traces
You can also open 'Downloaded Program Files' in the Windows folder and delete the entry '{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}', '{59450DB0-341D-4436-B380-B8377D8B6796}', '{D6E66235-7AA6-44ED-A06C-6F2033B1D993}' or '{26E8361F-BCE7-4F75-A347-98C88B418322}', if you received HuntBar through a drive-by download.

To clean up, you can also open the registry (click 'Start', choose 'Run', enter 'regedit') and delete any of the subkeys 'MSIETS', 'MSIEIN', 'MSLINK', 'BTIEIN', 'BTLINK', 'Search Toolbar' and 'WinTools' in the Software subkey of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.

For WinTools, you can also delete the keys inside HKEY_CLASSES_ROOT\CLSID with numbers {26E8361F-BCE7-4F75-A347-98C88B418322} and {87067F04-DE4C-4688-BC3C-4FCF39D609E7}. Inside HKEY_CLASSES_ROOT\PROTOCOLS, the Name-Space Handler\res\WToolsB.ResProtocol key can also go. Next, open Microsoft\Windows\CurrentVersion\Installer\UserData in HKEY_LOCAL_MACHINE\Software, and delete the 'AUI' and 'STO' subkeys, and the 'TUID' entry.

Finally (phew!) you may want to delete the shortcuts the HuntBar/Side and TS variants add to the desktop, start menu and favourites menu, and reset your search and home pages back to normal (Tools->Internet Options->Programs->Reset Web Settings).

Thank U
SystmProg
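
Added example (not part of SystmProg's post or the removal guide it quotes): to confirm the registry side of the cleanup, export the hives from regedit and scan the export for the keys and Run values the removal steps above name. The function names and the sample export are constructed for illustration; the indicators are the ones listed in this thread.

```python
import re

# Indicators copied from the removal steps in this thread (matched case-insensitively).
KEY_PATTERNS = [re.compile(p + r"(\\|$)", re.I) for p in (
    r"\\Services\\WinToolsSvc",
    r"\\Enum\\Root\\LEGACY_WINTOOLSSVC",
    r"\\Explorer\\Browser Helper Objects\\\{87766247-311C-43B4-8499-3D5FEC94A183\}",
    r"^HKEY_CLASSES_ROOT\\CLSID\\\{26E8361F-BCE7-4F75-A347-98C88B418322\}",
    r"^HKEY_CLASSES_ROOT\\CLSID\\\{87067F04-DE4C-4688-BC3C-4FCF39D609E7\}",
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\"
    r"(MSIETS|MSIEIN|MSLINK|BTIEIN|BTLINK|Search Toolbar|WinTools)",
)]
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
RUN_VALUES = {"wintools", "tb_setup", "tbps"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')   # "Name"=... lines

# Constructed sample export (not from a real machine), UTF-16LE with BOM.
SAMPLE_EXPORT = b"\xff\xfe" + "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"WinTools"="C:\\Program Files\\Common Files\\WinTools\\placeholder.exe"',
    r'"ExampleApp"="C:\\Program Files\\ExampleApp\\example.exe"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000]",
    r'"Service"="WinToolsSvc"', "",
]).encode("utf-16-le")

def decode_export(raw: bytes) -> str:
    """regedit 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def find_leftovers(export_text: str) -> list:
    """Return (key, value_name_or_None) for every indicator still present."""
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):   # "[-key]" is a delete directive, not data
                key = None
            elif any(p.search(key) for p in KEY_PATTERNS):
                hits.append((key, None))
        elif key and key.lower().endswith(RUN_KEY_SUFFIX):
            m = VALUE_RE.match(line)
            if m and m.group(1).lower() in RUN_VALUES:
                hits.append((key, m.group(1)))
    return hits

if __name__ == "__main__":
    for key, value in find_leftovers(decode_export(SAMPLE_EXPORT)):
        print(key, "->", value or "(key)")
```

An empty result after the reboot means none of the listed registry traces are in the exported branch; the files and folders named in the post still have to be checked separately.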

 

by: spiderfix Posted on 2005-01-09 at 01:33:03 ID: 12996001

Create another administrator user and log in to that. Try the reg delete.

 

by: SystmProg Posted on 2005-01-09 at 01:54:10 ID: 12996097

spiderfix
>>>Create another administrator user and log in to that. Try the reg delete.

8 Comments already posted :-)


 

by: spiderfix Posted on 2005-01-09 at 09:30:05 ID: 12997456

SystmProg,

Yes, I know.

 

by: huntersvcs Posted on 2005-01-10 at 07:23:58 ID: 13003558

Your comment: huntersvc: I set the at command for 1 min later, no error, nothing happened; but does that stay active, or how can I take that command out again?

First, my first comment had a slight error - it should have read:

at 12:00 /interactive regedit.exe

At the requested time, the regedit will open and remain open with system rights until it is closed.  After that, if you reopen, you are back to standard permissions.

Second, to erase the command, just type in:

at /delete

This will delete all scheduled AT commands.

Hope this helps.
Rick

 

by: nobus Posted on 2005-01-10 at 07:37:44 ID: 13003713

will try it and post back tomorrow.

 

by: huntersvcs Posted on 2005-01-10 at 08:09:48 ID: 13004130

Hi nobus,

I also use the "at" command to delete legacy keys!

 

by: SystmProg Posted on 2005-01-12 at 01:45:43 ID: 13022167

Nobus

Deleting only the registry entry is not the solution, because this is spyware and it could spread some other day if you don't delete all the files listed in my post.

:-)

 

by: tnknights Posted on 2005-02-18 at 06:00:46 ID: 13345498

Dude, I'm feeling your pain. I've installed no telling how many programs to clean wintools. I discovered my problem because MS / Giant Antispyware hung when checking this registry key. Safe Mode and other modes didn't help. Even ran Registry Compact, Registry Healer, Registry ... None fixed it.

Here's what I did.
1. Run Regedt32 (not regedit)
2. Go to the key HKLM\software\microsoft\windows\CurrentVersion\uninstall\wintools
3. highlight it
4. click security
5. click permissions
6. click add
7. if you get the security box, enter a domain\username and password for a domain admin
8. add the user you are logged in as (assuming that the account is admin or domain admin)
9. Check the full control box
10. Click OK
11. Press the delete key and kiss that sucker goodbye.

Oh, and don't forget to thank Win-Tools for your happiness that it caused.

Robert Haviland
Hickman County Tennessee Schools

 

by: tpires Posted on 2009-11-19 at 11:19:41 ID: 25863854

Of course this accepted solution from Huntersvcs only works for XP and fails with Vista or Windows 7.

It is likely that you might be able to use SCHTASKS to start a REGEDIT interactively, but the best way to do this is to use the Sysinternals utility PSEXEC.

Go to: http://technet.microsoft.com/en-us/sysinternals/default.aspx
or more directly here: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

and download PSEXEC. No installing is required except for some unzipping to your favorite utilities directory. Be sure to do a CD to the directory containing psexec, otherwise change the command path below to suit.

The following command will open REGEDIT running as user SYSTEM:

psexec -s -i regedit

tp
