Super Hidden & System Files / Blocked Registry Areas? After the cleanup, there are still some oddities...
SetiRich
post Oct 9 2009, 05:04 PM
Post #1
Operating System: XP
Hi folks,

I'm here after a recommendation from Ken over at the Spybot Malware Removal Forum, who took me through cleaning up a machine that was in pretty bad condition. This machine, from the kid across the street...had max++ Rootkit, and we successfully cleaned it up, but...

There remain a few issues...certain files had attributes put on them that I can't seem to fix, even with good old DOS attrib commands...and really strangely, there are parts of the registry that are also blocked.

Let me start with the files that are locked up...SpybotSD.exe has been marked with attributes RHSA and I've tried a number of things, including plain old Win98 boot disk access...to remove the attributes...but to no avail. But then, Windows file & folder permissions have always been my downfall...I even am familiar with BartPE...and it was locked up to that as well. There are actually 4 folders where re-installing Spybot was attempted, and each one is tight as a drum!

So this morning, I thought...hmmm...time for RegAlyzer to find those...as I had other things to do, I just turned on search and let it go...instead of going right to the key...but 5 hours later...and the search is still hung up at this registry point

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries

I tried just going there...and I can see the entries below this point, but the registry won't open to reveal this. I've never seen this happen before, where I've been locked out of registry points...with admin access.

Sooo...shortening the story a bit....I'm not sure if this blocked registry point has to do with the blocked spyware files...but it somehow seems related to the virus issues...at least, I've never seen any registry or file that acted like these do.

Other than that, the machine starts and runs just fine, and I'll give it back to the kid across the street...as soon as it stops raining...

However...I'd sure like to know what I can do for these locked files & registry sections...Not sure if any other sections are locked in the reg...since this is as far as RegAlyzer got in 5 hours!

If you'd like more info on what all went on with this machine...specifics of fixes applied...you'll find that info at this link: http://forums.spybot.info/showthread.php?t=52398

OS is...WinXP Pro...all fixes applied...was even up to date before it was infected...and I believe the infection has something to do with a video codec, since he's into creating videos....

Thanks for any help you can offer...

Rich
appleoddity
post Oct 10 2009, 01:18 PM
Post #2
Group: Tech Team
Operating System: Windows XP, Server 2003/2008, Linux
Hello SetiRich.. Welcome to WhatTheTech..

Files, folders, and registry entries are subject to Windows access control lists. They are much more advanced than the archaic attributes like read-only, system, hidden, etc...

Many registry locations are locked out to anyone but the SYSTEM.

Files and folders can be locked in the same way.

In order to access "locked" files and folders you need to take ownership of them and then grant yourself permission:
http://support.microsoft.com/kb/308421

The same thing holds true for registry locations. You can go through the EXACT SAME procedure of taking ownership as you do with files by simply right-clicking the registry entry and clicking "permissions." By navigating through the options which look the same as it does with files/folders, you can take ownership and grant yourself permissions.

Absolutely no file, folder, or registry entry is locked from an "administrative" user. There is a way to access it. The only exception is when another piece of software or malware is "interrupting" your ability to access the file, or if the file/folder is in use.

After a malware infection there can be changes made that cause all kinds of strange issues. So far, I have seen service pack 3 fail to install due to permission issues, and I have seen that a sound card driver would not install due to permission issues, specifically after a malware infection was cleaned. In this case, default permissions can be restored, or blanket permissions can be given.

To restore default permissions to windows files/folders and registry entries (this is only specific to known system files/folders and registry entries), you can read here: http://support.microsoft.com/kb/313222

To give "blanket" permissions where you grant administrative access to EVERY file/folder/registry entry, you can read here: http://support.microsoft.com/kb/949377 under advanced troubleshooting: Reset the registry and the file permissions.

Be careful while messing with the registry and file permissions. If you accidentally lock out a registry key or file, your system could become unstable or unusable.

This post has been edited by appleoddity: Oct 10 2009, 01:21 PM
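As an added example (not code from the thread or from either poster), the read-only audit an admin would run before taking ownership, as the answer above advises: it reports the attributes, owner, inheritance state and any Deny entries on one file and on the registry key from the first post. The SpybotSD.exe location is an assumed placeholder; run it from an elevated PowerShell (2.0 or later).

```powershell
# Added example: audit attributes, owner and ACL of a file and a registry key.
# $FilePath is an assumed placeholder; $RegPath is the key named in the post.
param(
    [string]$FilePath = 'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe',
    [string]$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries'
)

function Get-AclReport {
    param([string]$Path)
    $r = New-Object PSObject -Property @{
        Path = $Path; Owner = $null; AdminsFullControl = $false
        DenyAces = @(); InheritsFromParent = $null; Error = $null
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # "Access is denied" here is itself the finding: the DACL withholds even
        # READ_CONTROL from administrators, so ownership must be taken first.
        $r.Error = $_.Exception.Message
        return $r
    }
    $r.Owner = $acl.Owner
    # $true means inheritance was cut off, typical of a deliberately locked object.
    $r.InheritsFromParent = -not $acl.AreAccessRulesProtected
    foreach ($ace in $acl.Access) {
        # File ACEs carry FileSystemRights, registry ACEs RegistryRights; one is null.
        $rights = "$($ace.FileSystemRights)$($ace.RegistryRights)"
        if ($ace.AccessControlType -eq 'Deny') {
            $r.DenyAces += "$($ace.IdentityReference): $rights"
        } elseif ($ace.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
                  $rights -match 'FullControl') {
            $r.AdminsFullControl = $true
        }
    }
    return $r
}

# File: [IO.File]::Exists ignores attributes, and -Force lets Get-Item return
# hidden/system files that a plain Get-Item would refuse to show.
if ([System.IO.File]::Exists($FilePath)) {
    $attrs = (Get-Item -LiteralPath $FilePath -Force).Attributes
    Write-Output "Attributes of ${FilePath}: $attrs"
    Get-AclReport -Path $FilePath | Format-List
}

# Registry key: Get-Acl handles HKLM:\ paths exactly as it handles files.
Get-AclReport -Path $RegPath | Format-List
```

A Deny entry for Administrators, an owner that is not Administrators or SYSTEM, or an Error of "Access is denied" on either object is the condition the answer describes, where taking ownership via the Security/Permissions dialog is the next step.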