A contrary registry subkey- Unable to enumerate

Discussion in 'Software' started by bib, Jan 21, 2011.

  1. bib

    bib Private E-2

    Hi skilled geeks
The father of a friend brought me his computer to repair. It had an MBR malware that I managed to remove with the help of info I found here (GMER and others).
I would like to thank you for all that help.
Now I'd like to do a little cleaning in his registry, just a little, because I found in it about 8 ControlSet00x subkeys, including the current one.
The PC is running XP Pro SP3. At some point, after the virus was removed, I had to reinstall SP3 because I found the PC had been downgraded to SP2: Windows Update came back to life, because before the removal any URL containing the string "windowsupdate" got a connection reset.
Avast, MalwareBytes and GMER now show a clean and safe computer.
The computer doesn't hang any more and has no more unwanted network traffic.

    Here is the issue remaining:
    I want to keep CurrentControlSet :-D , ControlSet001 and ControlSet002
    The HKLM\SYSTEM\Select\ is (OK):
    Current=1
    Default=1
    Failed=0
    LastKnownGood=2

I managed to delete all the other ControlSet00x subkeys (3, 4, 6) but one I can't: ControlSet005 won't delete.
I tried to reset the permissions with regedit and SubInAcl, but there is an error and always some remaining subkeys that report an error when opening:
    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\[B]{4D36E96E-E325-11CE-BFC1-08002BE10318}[/B]\[B]0001[/B]\MODES\[B]1600,1200[/B]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\[B]{4D36E96E-E325-11CE-BFC1-08002BE10318}[/B]\[B]0002[/B]\MODES\[B]1600,1200[/B]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\[B]{4D36E96E-E325-11CE-BFC1-08002BE10318}[/B]\[B]0003[/B]\MODES\[B]1600,1200[/B]
    
These 3 are the only ones remaining in ControlSet005, and all three report "Error opening the key" - "Unable to open 1600,1200 : error while opening the key" when I click the key. Once one is highlighted (the right pane is blank, no data/values), when I right-click and choose "Autorisations" to display the security settings, the security dialog opens with a blank "Security" tab stating "Unable to display the security information" - [OK/Cancel]
I don't get this error with the same keys ending with anything other than 1600,1200: I could remove them.

I also tried SubInAcl
    Code:
    Prompt> subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\[B]ControlSet005[/B]\Control\Class\[B]{4D36E96E-E325-11CE-BFC1-08002BE10318}[/B]\[B]0001[/B]\MODES /grant=Administrateurs=f > c:\subinacl.log
    I get this on screen (hope the translation in italics is OK, XP is french and google didn't help)
    Code:
    Elapsed Time: 00 00:00:00
    Done:        2, Modified        1, [B]Failed        1[/B], Syntax errors        0
    Last Done  : HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES\[B]1600,1200[/B]
    Last Failed: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES\[B]1600,1200[/B] : 2 [I]The file specified was not found[/I]
    
    The log is:
    Code:
    SYSTEM\[B]ControlSet005[/B]\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES : delete Perm. ACE 4 builtin\administrateurs
    SYSTEM\[B]ControlSet005[/B]\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES : new ace for builtin\administrateurs
    HKEY_LOCAL_MACHINE\SYSTEM\[B]ControlSet005[/B]\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES : 2 change(s)
    HKEY_LOCAL_MACHINE\SYSTEM\[B]ControlSet005[/B]\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES\[B]1600,1200[/B] : 2 [I]The file specified was not found.[/I]
    
    
    HKEY_LOCAL_MACHINE\SYSTEM\[B]ControlSet005[/B]\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES\[B]1600,1200 : 6 : Unable to enumerate subkeys[/B]
    
    When I try from a higher level
    Code:
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\[B]ControlSet005[/B]\Control\Class\[B]{4D36E96E-E325-11CE-BFC1-08002BE10318}[/B] /grant=Administrateurs=f > c:\SubInAcl.log
    I get
    Screen
    Code:
    Elapsed Time: 00 00:00:00
    Done:       10, Modified        7, [B]Failed        3[/B], Syntax errors        0
    Last Done  : HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0003[/B]\MODES\[B]1600,1200[/B]
    Last Failed: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0003[/B]\MODES\[B]1600,1200[/B] : 2 [I]The file specified was not found.[/I] 
    
    Log
    Code:
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318} : delete Perm. ACE 0 builtin\administrateurs
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318} : new ace for builtin\administrateurs
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318} : 2 change(s)
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001 : delete Perm. ACE 0 builtin\administrateurs
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001 : new ace for builtin\administrateurs
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001 : 2 change(s)
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001\MODES : delete Perm. ACE 4 builtin\administrateurs
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001\MODES : new ace for builtin\administrateurs
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001\MODES : 2 change(s)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES\[B]1600,1200[/B] : 2 [I]The file specified was not found.[/I]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0001[/B]\MODES\[B]1600,1200[/B]: [B]6 : Unable to enumerate subkeys[/B]
    
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002 : delete Perm. ACE 0 builtin\administrateurs
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002 : new ace for builtin\administrateurs
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002 : 2 change(s)
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002\MODES : delete Perm. ACE 0 builtin\administrateurs
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002\MODES : new ace for builtin\administrateurs
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002\MODES : 2 change(s)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0002[/B]\MODES\[B]1600,1200[/B] : 2 [I]The file specified was not found.[/I]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0002[/B]\MODES\[B]1600,1200: 6 : Unable to enumerate subkeys[/B]
    
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0003 : delete Perm. ACE 0 builtin\administrateurs
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0003 : new ace for builtin\administrateurs
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0003 : 2 change(s)
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0003\MODES : delete Perm. ACE 0 builtin\administrateurs
    SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0003\MODES : new ace for builtin\administrateurs
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0003\MODES : 2 change(s)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0003[/B]\MODES\[B]1600,1200[/B] : 2 [I]The file specified was not found.[/I]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\[B]0003[/B]\MODES\[B]1600,1200: 6 : Unable to enumerate subkeys[/B]
    
For info, I found the same behavior in the same keys in CurrentControlSet, ControlSet001 and ControlSet002.
I checked that the comma is allowed in key names.
This makes me think of a too-long chain, maybe.
I don't think it's policy related, as at least ControlSet005 is a dead branch.
Please can you help me get rid of that?
Thank you in advance
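An added example, not code from the original post: a PowerShell script (PowerShell 2.0 runs on XP SP3 and is assumed to be installed; run it from an Administrator account) that separates the two things the subinacl run above does at once. It first walks the subtree with the .NET Registry classes and records, for every key, whether it could be opened and enumerated, its name and path length, and the error text when it could not; only then, and only for a key that actually opens, does it take ownership and add a Full Control ACE. The function names are my own, the root path is the one from the post (change it to the branch you are cleaning), and the built-in Administrators group is addressed by its well-known SID S-1-5-32-544 instead of by name, so the French "Administrateurs" name never has to be spelled out.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0+ on XP SP3
# and an Administrator account. $Root is the branch from the post.
$Root = 'SYSTEM\ControlSet005\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}'

function Test-RegistrySubtree {
    # Walks HKLM\$SubKeyPath depth-first and returns one record per key seen.
    # A parent can list a child name that OpenSubKey then fails to open; the
    # Error field keeps the exact .NET/Win32 message so the two cases are distinct.
    param([Parameter(Mandatory = $true)][string]$SubKeyPath)

    $hive    = [Microsoft.Win32.Registry]::LocalMachine
    $pending = New-Object System.Collections.Stack
    $pending.Push($SubKeyPath)
    $results = @()

    while ($pending.Count -gt 0) {
        $path = $pending.Pop()
        $leaf = $path.Substring($path.LastIndexOf('\') + 1)
        $record = New-Object PSObject -Property @{
            Path        = "HKEY_LOCAL_MACHINE\$path"
            PathLength  = $path.Length   # length below the hive root
            LeafLength  = $leaf.Length   # this key's own name (documented limit: 255)
            Opened      = $false
            SubKeyCount = $null
            Error       = $null
        }
        try {
            $key = $hive.OpenSubKey($path, $false)   # read-only open
            if ($key -eq $null) {
                $record.Error = 'OpenSubKey returned null (no key found under that name)'
            } else {
                $record.Opened = $true
                try {
                    $names = @($key.GetSubKeyNames())
                    $record.SubKeyCount = $names.Count
                    foreach ($name in $names) { $pending.Push("$path\$name") }
                } catch {
                    $record.Error = 'Enumerate failed: ' + $_.Exception.Message
                }
                $key.Close()
            }
        } catch {
            $record.Error = 'Open failed: ' + $_.Exception.Message
        }
        $results += $record
    }
    return $results
}

function Grant-AdministratorsFullControl {
    # Takes ownership of one key, then adds a Full Control ACE for BUILTIN\Administrators.
    # Assumes the caller's token holds SeTakeOwnershipPrivilege (local Administrators do).
    param([Parameter(Mandatory = $true)][string]$SubKeyPath)

    $hive   = [Microsoft.Win32.Registry]::LocalMachine
    $admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

    # Step 1: open with only the TakeOwnership right and set the owner.
    $key = $hive.OpenSubKey($SubKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($key -eq $null) { throw "Cannot open HKLM\$SubKeyPath for TakeOwnership" }
    $owner = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Owner)
    $owner.SetOwner($admins)
    $key.SetAccessControl($owner)
    $key.Close()

    # Step 2: reopen with ChangePermissions (allowed now, as owner) and add the ACE.
    $key = $hive.OpenSubKey($SubKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $admins,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()
}

# Usage: report first, change nothing until the report has been read.
$report = Test-RegistrySubtree -SubKeyPath $Root
$report | Where-Object { -not $_.Opened -or $_.Error } |
    Select-Object Path, LeafLength, PathLength, Error | Format-List

# Only for a key that opens but reports access denied is an ACL change the fix:
# Grant-AdministratorsFullControl -SubKeyPath "$Root\0001\MODES"
# [Microsoft.Win32.Registry]::LocalMachine.DeleteSubKeyTree("$Root\0001\MODES")
```

Run the report against a branch that is known to be healthy (the post says ControlSet001 shows the same behaviour, so compare it too) before touching ControlSet005. The LeafLength and PathLength columns let the "too long chain" idea be checked against the documented 255-character limit on a key name. An ACL change, which is all subinacl does, can only succeed on a key that can be opened in the first place; when the open itself fails with "not found" even though the parent listed the name, as in the logs above, the report shows that directly and the deletion (DeleteSubKeyTree enumerates children first, exactly like regedit) will fail for the same reason rather than for lack of permissions.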
     
