
Cannot delete persistent registry key, please help!



#1 aamfs94

aamfs94

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:23 PM

Posted 04 March 2016 - 08:08 AM

There is a registry key that Symantec created. After I uninstalled it, it didn't go away. It is in the HKLM/SOFTWARE/WOWNODE folder. There are some other numbers in the name of the wownode folder but I can't remember them now.

 

Here's what I've tried so far.

 

Basic deletion - "cannot delete"

Giving myself full administrative permissions - "cannot delete"

Running in safe mode - "cannot delete"

Using the regdelnull utility in case it was a null key - did not find any null keys

 

The most powerful thing I've tried so far was to turn off my computer and boot from a Windows repair disk, which allowed me to access the BIOS command line, and load the registry hive from my main Windows partition. Even editing the registry offline in this way still produces the same error. I don't even understand how this is possible?

 

What could possibly allow the key to avoid deletion and how can I fix it? I'm so frustrated by this, so any help would be immensely appreciated!

 

Thanks.




 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 04 March 2016 - 08:24 AM

Hi aamfs94 :)

Are you able to give me the exact name of that Registry key?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 aamfs94

aamfs94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:23 PM

Posted 04 March 2016 - 09:31 AM

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\

#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 04 March 2016 - 09:36 AM

What Symantec product did you uninstall? If possible, I would like the full name of it.



#5 aamfs94

aamfs94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:23 PM

Posted 04 March 2016 - 09:56 AM

It's Symantec Endpoint Protection. Not sure what version, probably the latest. Thank you so much!!!

#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 04 March 2016 - 10:00 AM

Your best option here would be to download the CleanWipe utility for Symantec Endpoint Protection.

https://support.symantec.com/en_US/article.TECH184988.html#WhenConventionalMethodsFail
https://support.symantec.com/en_US/article.HOWTO74877.html

This will remove everything related to SEP on your system.



#7 aamfs94

aamfs94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:23 PM

Posted 04 March 2016 - 10:03 AM

I think I did try that and it didn't remove the keys. Why can't I do it manually though? It's my computer, not Symantec's, why can't I gain full control of it?

#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 04 March 2016 - 10:15 AM

What method did you try so far? Did you try to delete it via command prompt launched with Admin Rights, or a .reg file?

Also, I understand your point, however, if security software could be deleted that easily, malware and viruses would have way too much freedom once they infect a system, and nothing would be able to contain them.



#9 aamfs94

aamfs94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:23 PM

Posted 04 March 2016 - 10:24 AM

I launched command prompt with admin rights. I haven't tried deleting it with a .reg file, what does that entail? Would that be more powerful than trying to delete it from a bootable repair utility? I didn't think there could be a more powerful method than that considering the registry is offline then.

#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 04 March 2016 - 10:49 AM

I don't think it's more powerful, but it's worth a try. Create a new text file on your desktop, but change the extension to .reg (instead of .txt). Right-click on that new file, and copy/paste the following inside.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec]

Save the file, then double-click on it and accept to merge the changes in the Registry. You'll get either a success or failure message. If you get a success message, go check in the Registry if the key is indeed gone.



#11 aamfs94

aamfs94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:23 PM

Posted 06 March 2016 - 01:13 PM

I still get the exact same error. Here is the full name for the key:
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
 
Here's another clue. When I click on "CurrentVersion" I get a special error message that I've attached below. Does this help in any way figure out what's going on?

Attached Files



#12 JohnC_21

JohnC_21

  • Members
  • 23,286 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 06 March 2016 - 01:19 PM

I don't think deleting the key would improve your performance, but that being said, you can probably delete it offline using a bootable disk.

 

Kaspersky's Rescue Disk has a registry editor. Burn the ISO to disk and use the Registry Editor to delete the key.



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,610 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:23 PM

Posted 06 March 2016 - 01:19 PM

It looks more like a corrupt Registry key than a permission issue if you ask me. Any reason as to why you want to delete the Symantec key? If you uninstalled SEP, a single key won't cause you any issues.

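Post #13 raises the question of whether the failure is a permission problem or a corrupt key. As an added example (not part of any post in this thread), this read-only PowerShell script requests each access right on the key from post #11 separately and then dumps its owner and ACL. `Test-KeyAccess` is a helper name made up here, and the reading of the results (a denial points to ACLs or ownership, any other failure is consistent with corruption) is a rule of thumb assumed for the example, not something the thread establishes.

```powershell
# Added example, not from the thread. Read-only: nothing here changes the registry.
# Run from an elevated PowerShell prompt on the affected machine.

# Key from post #11. The 32-bit view opened below maps SOFTWARE to SOFTWARE\Wow6432Node.
$subKey = 'SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion'
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)

# Test-KeyAccess is a helper name made up for this example.
function Test-KeyAccess {
    param($Root, [string]$Path, [System.Security.AccessControl.RegistryRights]$Rights)
    try {
        $k = $Root.OpenSubKey($Path,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $Rights)
        if ($null -eq $k) { return 'key not found' }
        $k.Dispose()
        return 'granted'
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 'access denied'
    } catch {
        return "other failure: $($_.Exception.Message)"
    }
}

# Ask for each right separately so a denial can be pinned to one permission.
foreach ($r in 'ReadKey', 'Delete', 'ChangePermissions', 'TakeOwnership') {
    '{0,-18} {1}' -f $r, (Test-KeyAccess $hklm $subKey $r)
}

# If the key opens for reading, show who owns it and what the ACL grants.
try {
    $key = $hklm.OpenSubKey($subKey)
    if ($null -ne $key) {
        $acl = $key.GetAccessControl()
        'Owner SID: ' + $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
        'Subkeys: ' + ($key.GetSubKeyNames() -join ', ')
        'Values:  ' + ($key.GetValueNames() -join ', ')
        $key.Dispose()
    }
} catch {
    # An error here that is not "access denied" points away from permissions.
    "Reading the key failed: $($_.Exception.Message)"
}
```

A denial for `TakeOwnership` only means the ACL does not grant that right; it does not rule out an administrator taking ownership through the take-ownership privilege.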


#14 aamfs94

aamfs94
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:23 PM

Posted 06 March 2016 - 01:25 PM

I don't think deleting the key would improve your performance, but that being said, you can probably delete it offline using a bootable disk.

 

Kaspersky's Rescue Disk has a registry editor. Burn the ISO to disk and use the Registry Editor to delete the key.

 

I already used a bootable disk and the file wouldn't delete.


I FOUND A SOLUTION! For anyone with a similar problem this seems to be the only thing that could work:

 

http://answers.microsoft.com/en-us/windows/forum/all/unable-to-delete-registry-key-that-is-causing/a81adda2-8e17-4cb1-94ee-56ab095ab2a6?auth=1





