
Registry changes not sticking


COB
05-28-2011, 08:21 AM
Hi Guys,

I would appreciate a bit of help on this one. I got a computer in recently and removed in excess of hundreds of instances of malware, trojans etc. The only problem is it is still bluescreening when rebooting in normal mode.

When I reboot in safe mode it is fine but I cannot implement startup changes etc. I do edit the registry etc. but when I reboot all my changes have been reversed. I have just finished a scan with the Kaspersky rescue disk so I'm pretty sure I got everything. It did have McAfee and Norton and I think I have removed the lion's share of these manually but can't be certain as the uninstallers won't run in safe mode.

Is it possible the registry is being sandboxed somehow? Does anyone know if this can be checked or what programs might do such a thing?

All help appreciated.

Cathal

TLE
05-28-2011, 08:59 AM

What message does the Blue Screen give? You can disable the restart on a stop message so that you have time to read the error. You can do this in the start up options when you press F8.

Sounds to me as though a driver has been deleted. I doubt the sandbox would be running in Safe mode.

Xander
05-28-2011, 05:45 PM
It does nobody any good to mention a bluescreen error and provide no details about it. Nobody can help if you don't provide the right information.

Vicenarian
05-28-2011, 08:32 PM

Random guess: Are you running regedit as Administrator?

COB
05-30-2011, 06:40 AM
Hi guys,

The bluescreen error doesn't stay on the screen long enough for me to get any details. Using the Microsoft debugging tool doesn't give me any relevant information either. I'm not really interested in the blue screen at the moment though.

For now I just want to figure out why my registry changes aren't sticking. I've edited it both directly and indirectly as admin using regedit, autoruns and msconfig. None of the changes I applied stuck. For example I disabled a string of autoruns and also tried to disable all drivers using msconfig. I closed the program and when I reopened my changes were present. When I reboot the machine the changes have disappeared. Thus, I cannot isolate the root cause any further.

Cathal

Xander
05-30-2011, 02:43 PM
> The bluescreen error doesn't stay on the screen long enough for me to get any details.

:eek::confused::eek::confused::eek:

You do know that you can change that setting from the F8 screen, right? That's a basic tech skill.

SmithFamilyDesigns
05-30-2011, 02:50 PM
With the symptoms, I would say there a rootkit. Have you tried editing the registry offline? Have you done offline scans?

TLE
05-30-2011, 03:14 PM
> :eek::confused::eek::confused::eek:
>
> You do know that you can change that setting from the F8 screen, right? That's a basic tech skill.

+1

Personally, the BSOD would be my first priority. No point making Registry changes if you still can't get into windows.

What are you trying to change in the registry? Maybe you could provide a little more background information!

If you also have ERD commander, boot into that and run SFC tool.

joydivision
05-30-2011, 03:24 PM
Sounds like a rootkit to me; no matter what changes you make, when you reboot it will edit the registry.

The blue screen is probably due to a deleted or corrupt driver which was infected.

I take it you've replaced the MBR?

In these situations I would not spend too much longer on it, of course if you have time on your hands then it will be a great education, but don't let other jobs get delayed because you're spending too much time on this.

ZenTree
05-30-2011, 03:53 PM
> +1
>
> Personally, the BSOD would be my first priority. No point making Registry changes if you still can't get into windows.
>
> What are you trying to change in the registry? Maybe you could provide a little more background information!
>
> If you also have ERD commander, boot into that and run SFC tool.

+1 You've got it backwards, fix the bsod first. Gives you more info on what was/is wrong with the system and might be the missing piece for your registry issue.

COB
05-30-2011, 09:22 PM
> :eek::confused::eek::confused::eek:
>
> You do know that you can change that setting from the F8 screen, right? That's a basic tech skill.

Yes, I know that. It still doesn't hold the blue screen.

COB
05-30-2011, 09:31 PM
Ok,

This is how it works. I can edit the registry whether through DaRT or Safe mode. However, doing so does not result in changes that stick. As I wrote, the changes get reversed on rebooting.

Regarding the bluescreen. I would repair it if:
a) I could get some useful info from the debugger or,
b) I could perform a selective startup to isolate the root cause.

As I mentioned previously, the debugger does not render any useful diagnostic information. Also, the selective startup does not run because the registry changes do not stick. Hence, the registry editing is my priority.

I have run an offline scan, repaired the MBR (which was infected) and deleted a great deal of malware which is specified to run from the registry. The remaining programs look legit but it's hard to know. Either way I can't remove any of them from autorunning as my registry changes do not stick.

Cheers,
Cathal

gazza
05-30-2011, 10:24 PM
Take the drive out of the problem computer and place it in a toaster and retrieve the dump files with bluescreen view or whocrashed to see what is causing the blue screen. Then go from there.

phaZed
05-31-2011, 01:43 AM
+1 for BlueScreenView. You are probably missing/have corrupt drivers and/or system files.

Have you tried System Repair? Have you done a SFC /SCANNOW and CHKDSK C: /F?

COB
05-31-2011, 05:45 PM
Hi Guys,

Thanks for all the helpful replies. Unfortunately we might have gone slightly off my area of interest with the bluescreen discussion but it is a worthwhile discussion nonetheless.

Yes, I have gone through all the obvious solutions. I used SFC and scanned the disk and ran a Kaspersky offline scan and it's all clean. I used the MS debugging tools rather than BlueScreenView but the app that was causing the problem couldn't be identified by the debugger. The message it gave was that it wasn't able to find any information about the program, programmers should add information to their programs for troubleshooting, this one didn't (I'm paraphrasing of course). It also gave me a (long) list of drivers which were loaded when the error occurred. My assumption is that it must be non-Microsoft software, malware or a damaged driver but without the ability to do a selective boot I was up the creek.

I ended up having to Nuke-and-Pave which I consider to be a fail. But I have an image of the HDD which I am determined to figure out. If anyone knows how I might check the registry sticky problem I'd appreciate the input.

Thanks again for the advice on the other stuff though.

Cathal
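One way to check the "registry changes not sticking" problem Cathal asks about, as an added example that is not from anyone in this thread: a PowerShell script that records the autostart values and every service's Start type after you make your edits, and compares them against the live registry after the reboot, so whatever was rewritten during boot is listed by name. The script name, the snapshot path and the list of keys are my own choices; extend the list with whichever keys you edited.

```powershell
# Added example (not from this thread): snapshot autostart registry values,
# reboot, then compare to see which of your edits were rewritten at boot.
# Run as Administrator: make edits, run -Mode Snapshot, reboot, run -Mode Compare.
param(
    [ValidateSet('Snapshot', 'Compare')] [string]$Mode = 'Snapshot',
    [string]$SnapshotPath = "$env:SystemDrive\regsnap.xml"   # assumed location
)

# Common autostart locations; extend this list for the keys you edited.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-RegistryState {
    $state = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $state["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    # Start type of every service and driver: 0=boot 1=system 2=auto 3=manual 4=disabled
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $s = (Get-ItemProperty -Path $_.PSPath -Name Start -ErrorAction SilentlyContinue).Start
        if ($null -ne $s) { $state["Services\$($_.PSChildName)\Start"] = [string]$s }
    }
    return $state
}

$current = Get-RegistryState
if ($Mode -eq 'Snapshot') {
    $current | Export-Clixml -Path $SnapshotPath
    Write-Host "Saved $($current.Count) values to $SnapshotPath. Reboot, then run -Mode Compare."
} else {
    $saved = Import-Clixml -Path $SnapshotPath
    $diffs = 0
    foreach ($name in (@($saved.Keys) + @($current.Keys) | Sort-Object -Unique)) {
        if ($saved[$name] -ne $current[$name]) {
            $diffs++
            Write-Host ("{0}`n   before reboot: {1}`n   now:           {2}" -f $name, $saved[$name], $current[$name])
        }
    }
    Write-Host "$diffs value(s) changed across the reboot; those are the edits that did not stick."
}
```

If the Compare run shows your disabled entries restored to their old values, something executing during boot (a driver or service loaded before your session) is rewriting them, which is the rootkit behaviour several replies above suspect; running the Snapshot from an offline environment such as DaRT and the Compare from the booted system tells you whether the rewrite happens during boot rather than at logon.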