
SP3 registry corruption bandaid solution


JoeMSFN


I release this in hopes to have a stop gap solution until Symantec releases their registry cleaning tool.

It works for the one computer that had this issue.

It plays fast and loose (sort of) with the registry, so...

The usual disclaimers apply. Use at your own risk. Review the code before you use it. Modify it (even post your mods here) for your needs and/or peril. It may make things worse, including but not limited to corrupting beyond repair an otherwise working system.

Now to (hopefully) save at least 1 other person, a lot (and I mean A LOT) of typing and mousing around.

First, some background info on the problem this fixed for me.

I had an empty device manager after installing SP3 on a WinXP SP2 computer with a Symantec product installed.

Turns out several people had this problem. Including one "solution" to delete all those keys manually and voila... devices in device manager were back. (also back were "Safely remove" in the system tray, as well as the network card icons in properties of "My Network Places").

That was insane! (well the manually deleting them part).

To grasp the situation, I downloaded a most excellent Nirsoft utility to scan the registry and discovered over 5000 occurrences. That's a lot of manual deletions. All of them had some sort of enum and what not associated with them.

Well long story short, download regfind from here.

Get Autoit.

Create a folder C:\regfind (if you want to use the unmodified IExpress .SED file).

In that folder create "findit.au3" and paste the following:

; findit.au3 -- runs Regfind.exe over HKLM\SYSTEM, captures its indented key
; listing, rebuilds the full path of every key whose name contains "$%&" and
; deletes it with REG DELETE. Meant to be run from Safe Mode as an administrator.

; Listing written by Regfind: one key per line, indented one space per level
Global $txtfileN = @DesktopDir & "\foundit.txt"
; Key-name components, indexed by nesting depth (grown on demand)
Global $i[1]
; Marker searched for in each key name
Global $findme = '$%&'
; Same marker with '%' doubled so cmd.exe does not expand it inside the .cmd file
Global $findme2 = '$%%&'

; Produce the listing first
FindReg($txtfileN)

Global $txtfile = FileOpen($txtfileN, 0)
If $txtfile = -1 Then
    MsgBox(0, "Error", 'Unable to open file. Main txtfileN "' & $txtfileN & '"')
    Exit
EndIf

; Number of keys deleted
Global $reges = 0
While 1
    $line = FileReadLine($txtfile)
    If @error = -1 Then ExitLoop          ; end of listing
    $lineS = StringStripWS($line, 1)      ; key name without its leading indent
    $lineN = NWS($line)                   ; indent width = nesting depth
    AddToAry($i, $lineS, $lineN)          ; remember this name at its depth slot
    If StringInStr($lineS, $findme) Then
        ; Join slots 0..depth into the full key path and delete that key
        $regdelCMD = 'REG DELETE "' & AryToStr($i, $lineN) & '" /f'
        RunWait($regdelCMD)
        $reges += 1
    EndIf
WEnd
FileClose($txtfile)
MsgBox(0, "Deleted Registries", $reges & ' registry entries deleted')
Exit

; Store a key name at index $lineN, growing the array as needed
Func AddToAry(ByRef $i, $lineS, $lineN)
    While UBound($i) <= $lineN
        AryUp($i)
    WEnd
    $i[$lineN] = $lineS
EndFunc

; Count leading whitespace characters (Regfind -i 1 emits one per level)
Func NWS($str)
    $striped = StringStripWS($str, 1)
    $ws_count = StringLen($str) - StringLen($striped)
    Return $ws_count
EndFunc

; Grow the array by one element
Func AryUp(ByRef $i)
    ReDim $i[UBound($i) + 1]
EndFunc

; Join array slots 0..$lineN with backslashes into a full registry path
Func AryToStr($i, $lineN)
    $sTmp = $i[0]
    For $x = 1 To $lineN
        $sTmp &= '\' & $i[$x]
    Next
    Return $sTmp
EndFunc

; Write a one-line .cmd that runs Regfind.exe over HKLM\SYSTEM with one-space
; indenting (-i 1), searching key names (-n) for the marker and redirecting the
; listing to $txtfileN, then run it. The .cmd exists only because the ">"
; redirection needs cmd.exe.
Func FindReg($txtfileN)
    $HKLM = "HKEY_LOCAL_MACHINE"
    $subkey = "SYSTEM"
    $key = $HKLM & "\" & $subkey
    $cmdtmpN = 'regfind.cmd'
    $outfile2 = $txtfileN
    $cmd2 = '"' & @WorkingDir & '\Regfind.exe" -i 1 -p "' & $key & '" -n "' & $findme2 & '" > "' & $outfile2 & '"'
    $cmdtmp = FileOpen($cmdtmpN, 2)
    If $cmdtmp = -1 Then
        MsgBox(0, "Error", 'Unable to open file. FindReg cmdtmpN "' & $cmdtmpN & '"')
        Exit
    EndIf
    FileWriteLine($cmdtmp, $cmd2)
    FileClose($cmdtmp)
    RunWait($cmdtmpN)
EndFunc

Compile it to an exe findit.exe

Extract Regfind.exe (Downloaded from link above)

Create "NortonXPSP3fixer.SED"

[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=0
HideExtractAnimation=0
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\regfind\NortonXPSP3fixer.exe
FriendlyName=Norton XP SP3 Fixer
AppLaunched=findit.exe
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="Regfind.exe"
FILE1="findit.exe"
[SourceFiles]
SourceFiles0=C:\regfind\
[SourceFiles0]
%FILE0%=
%FILE1%=

and IExpress yourself an .exe!!!

I am purposely not uploading my .exe for two reasons (well three). One, I haven't ever used one of those megadownloader type sites to upload files (also I don't really want to use up my storage space on my account here :) ) and two... I have no idea how dangerous this is and don't want a cookie cutter disaster. I figure if you can do the above, you have slightly more skills than "enough to be dangerous". Third, it has no checks/error detection and no attempt to put "polish" into it has been made.

Now to cover what my script does. It runs regfind.exe with the "-i 1" parameter. What that does is space out the key names by one. That also makes it handy to count spaces and use that count for an array element number in Autoit B) .

It creates a file on the desktop called "foundit.txt" (created with regfind called from the Autoit script). Processes that text file, then deletes each registry key found with the offending cartoon swear characters.

I originally tried to have the script create a .cmd file with the "REG /DELETEs" to run (as a safety buffer) later, but it was too much of a pain to escape all the % and & and whatever other characters there were, plus some are escaped with % and others ^ and just wanted to get the computer fixed. :}

So boot in safe mode, and sign on as an administrator. Enjoy.

PS: Did I mention run it in SAFE MODE. The keys won't be gone if you don't.

Note: I've also encountered the $%&'()* keys (without the device loss) after SP3 update on other computers with Symantec products.

If you run it more than once, foundit.txt on the desktop will be a zero byte file. So copy it if you're curious and want to run it more than once to make sure the "deleted registry key" count is zero.

Another Note: Why didn't I just use the Nirsoft util? For one, including ControlSet001, 2 etc it also included CurrentControlSet, whereas regfind.exe only included the numbered control sets (didn't want duplicate deletions). And two, that takes the fun out of learning how to parse the output of regfind.exe into some array structure that's useful.

Edited by JoeMSFN
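As an added illustration of the parsing step JoeMSFN describes (indent width as the array index, then join the slots into a full key path), here is a small Python rendering of the same idea. It is not the script from the post and not Regfind's own output: the listing layout is assumed from the description of "-i 1", the sample listing is constructed for the example, and the function names are the example's own. It goes a little beyond the AutoIt version in two places, both taken from the notes in the post: it skips the CurrentControlSet alias so the same key is not deleted twice, and it skips keys nested under a key already scheduled for deletion, since REG DELETE removes the whole subtree. It only prints the REG DELETE lines, which is the reviewable "safety buffer" the post says it wanted.

```python
"""Added example (not JoeMSFN's script): rebuild full registry key paths
from an indented regfind-style listing and decide which keys to delete.

The listing format is assumed from the post: `regfind -i 1` indents each
key name by one space per nesting level, so the indent width is the depth.
The sample listing below is constructed for this example, not real output.
"""

MARKER = "$%&"

# Constructed sample listing (assumed regfind -i 1 layout): two damaged keys
# under ControlSet001, one nested inside another, plus the same keys seen
# again through the CurrentControlSet alias.
SAMPLE_LISTING = """\
HKEY_LOCAL_MACHINE\\SYSTEM
 ControlSet001
  Enum
   Root
    LEGACY_SSDPSRV
     0000
      $%&'(
      $%&'()
       $%&'()*
  Services
   SSDPSRV
    Enum
     $%&'()*+
 CurrentControlSet
  Enum
   Root
    LEGACY_SSDPSRV
     0000
      $%&'(
"""


def indent_depth(line):
    """Nesting depth of a listing line: the number of leading spaces."""
    return len(line) - len(line.lstrip(" "))


def parse_paths(text):
    """Yield the full key path for each line of the listing.

    A stack holds one name per depth, mirroring the AutoIt script's array:
    a line at depth d replaces slot d and discards anything deeper, and the
    path is slots 0..d joined with backslashes.
    """
    stack = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = indent_depth(raw)
        if depth > len(stack):
            raise ValueError("indent jumps from %d to %d: %r" % (len(stack), depth, raw))
        del stack[depth:]
        stack.append(raw.strip())
        yield "\\".join(stack)


def find_marked_keys(text, marker=MARKER, skip_aliases=("CurrentControlSet",)):
    """Return the minimal list of keys whose own name contains the marker.

    Two refinements over deleting every hit as it is read:
      * keys under an alias view (CurrentControlSet mirrors ControlSet00N)
        are skipped, so the same key is not deleted twice;
      * a key nested under an already-listed key is skipped, because
        REG DELETE on the parent removes the whole subtree.
    """
    marked = []
    for path in parse_paths(text):
        parts = path.split("\\")
        if any(p in skip_aliases for p in parts):
            continue
        if marker not in parts[-1]:
            continue
        if any(path.startswith(m + "\\") for m in marked):
            continue
        marked.append(path)
    return marked


def reg_delete_commands(paths):
    """Render the deletions as REG DELETE lines for review before running."""
    return ['REG DELETE "%s" /f' % p for p in paths]


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    for cmd in reg_delete_commands(find_marked_keys(SAMPLE_LISTING)):
        print(cmd)
```

Redirect the printed lines into a .cmd file and read it over before running it; on the sample listing the three deletions cover all five marked keys because the nested one goes with its parent and the alias copy is never touched.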


Good info. :)

For the record, the guys at Symantec appear to use their time to blame on MS for the problem:

http://news.idg.no/cw/art.cfm?id=1659E132-...19B3023FDD85185

http://www.computerworld.com/action/articl...T_AM&nlid=1

The culprit should be this fixccs.exe file.

Due to the wide usage of Symantec products, especially on laptops where they often come pre-installed, I find at least preoccupying that neither Symantec nor Microsoft found the bug BEFORE the SP3 release, and that, even after the reports, took so long to fix, and that the fix has to come from a final user, instead of coming from one of the two big companies the software of one of which must be the actual origin of the problem.

jaclaz


Curiously, I just did a quick search here for $%& and turned up no hits ("Unfortunately your search didn't return any results."), even this very thread. From Google, lots of hits but they are false positives. Is there some special way to delimit these three characters for these stupid search engines? Jeez, if I was into conspiracy theories I'd suggest this string was purposely selected to avoid massive publicity from Google searches ... I am just kidding.

At first glance the $%& sure looks like a 'safe' flag (one assumes it is not pre-existing in a file you open). With no evidence to back this up I'd theorize that the author of fixccs.exe was flagging 3rd party antivirus/firewall keys, possibly the ones that are 'open', to be counted and weighted for some security decision, perhaps whether to enable the Windows Firewall.

You might mark certain keys while elevated to SYSTEM and then lower to ADMIN, mark again, lower, mark etc, gather statistics. Then it is possible that a twisted mess of ACLs for these registry keys allowed RegCreateKeyEx yet blocked RegDeleteKey or RegGetKeySecurity or RegCloseKey. Or they simply forgot to re-elevate to cleanup. Or the A/V itself allowed some and blocked others. Nothing would surprise me. Imagine two Rams headbutting over registry access. Microsoft vs. Symantec/McAfee/Whoever.

But oh the sweet irony! They create gazillions of patches to save us from theoretical exploits from unchecked buffer overflows. Roll them up into a Service Pack that includes an unchecked runaway FOR loop. Bwahaha!!! How it got past a couple of iterations is what I'd like to know. There must be a Computer Science professor out there praying it wasn't his student.

If you stop and think about it, delivering this kind of security fix (or entire Service Packs for that matter) live over an internet connection is practically doomed to failure in the long run since by definition these computers will have realtime protection running, locking certain registry keys and many files.

Anyway, the net result of this error really reminds me of some of the 'animated' ANSI art experiments we did with FOR loops in DOS. For anyone who hasn't yet seen the Microsoft SP3 Registry Artwork, see this image on this page. :thumbup Hysterical! It looks something like this:

LEGACY_SSDPSRV
$%&'(
$%&'()
$%&'()*
$%&'()*+
$%&'()*+,
$%&'()*+,-
$%&'()*+,-.
$%&'()*+,-./
$%&'()*+,-./0
$%&'()*+,-./01
$%&'()*+,-./012
$%&'()*+,-./0123
$%&'()*+,-./0123$
$%&'()*+,-./0123$%
$%&'()*+,-./0123$%&
$%&'()*+,-./0123$%&'
$%&'()*+,-./0123$%&'(
$%&'()*+,-./0123$%&'()
$%&'()*+,-./0123$%&'()*
$%&'()*+,-./0123$%&'()*+
$%&'()*+,-./0123$%&'()*+,
$%&'()*+,-./0123$%&'()*+,-
$%&'()*+,-./0123$%&'()*+,-.
$%&'()*+,-./0123$%&'()*+,-./
$%&'()*+,-./0123$%&'()*+,-./0
$%&'()*+,-./0123$%&'()*+,-./01
$%&'()*+,-./0123$%&'()*+,-./012
$%&'()*+,-./0123$%&'()*+,-./0123
$%&'()*+,-./0123$%&'()*+,-./0123$
$%&'()*+,-./0123$%&'()*+,-./0123$%
$%&'()*+,-./0123$%&'()*+,-./0123$%&
$%&'()*+,-./0123$%&'()*+,-./0123$%&'
$%&'()*+,-./0123$%&'()*+,-./0123$%&'(
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-.
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'(
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-.
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'(
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-.
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'(
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-.
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./01
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./012
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123
$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$

NOTE TO MODS: there is no ROTFL image, and we really could use one now!


Please pardon the ANSI art in the previous post! I've just been laughing my butt off since I saw that image. Anyway I'll be serious. I can add something constructive to this discussion.

After doing WinXP SP2 -> SP3 on 33 (and counting) client standalone computers I became really worried about this and madly rounded up registry before/after snapshots from every one. I can state absolutely that the string $%& has not appeared even once. Every single one of them has McAfee or Symantec or worse security suites installed. Here is the important info:

(1) Each update was done right after rebooting from MSCONFIG selective startup with basic services (whatever that 2nd radio button says). I am pretty sure that in this mode there aren't any open files or registry keys by 3rd party services. In fact I am pretty much positive after this fiasco.

(2) Don't use a CD/DVD or USB HDD/Flashdrive. I use the Network install from the ISO Image copied to the C: HDD. These other devices might work ok, but why introduce a needless variable unless you're beta testing?

(3) The EXE was executed through START|RUN, so no apps except the Explorer shell were ever open.

I really don't think safe mode is necessary. At least not until these AntiVirus companies figure out a way to masquerade as a core service. I try to reserve that for serious problems. It's way too slow in safe mode to run a gigantic service pack anyway.

Important Note: if you are doing that RESET.CMD that uses subinacl and secedit to untangle the ACL mess, you should also do that from (1) above. It is clearly possible for active 3rd party services to interfere (I mean that's the whole point of this). You will probably never even know they failed because that occurs in a fast scrolling CMD window and both programs are too stupid to beep or pause or prompt when it happens.

One thing for sure, this SP3 update in its current form should not be delivered and executed through Automatic Updates. My prediction is that there will be a patch from MS very soon. If you read that Technet thread, it *has* to be Microsoft's problem as machines that have never seen Symantec also are affected. This is not to say Symantec and McAfee are angels. I am no fan of the 'Innoculation' method of tying up resources (especially registry keys) to prevent some *potential* threat from doing the exact same thing.

When it's hard to distinguish between a Virus and an AntiVirus you know you're screwed.


  • 2 months later...

The Symantec cleanup tool for this mess was run on a computer and still didn't fix it! I ran my little (not sure to call it a script or program) and it found 70ish more registry entries!!! Also the computer ran fine after that. So even Symantec can't clean it all up. (then again maybe it wasn't run in safe mode).


The Symantec cleanup tool for this mess was run on a computer and still didn't fix it! I ran my little (not sure to call it a script or program) and it found 70ish more registry entries!!! Also the computer ran fine after that. So even Symantec can't clean it all up. (then again maybe it wasn't run in safe mode).

@JoeMSFN, figured you had that sorted out by now. If you have a computer still affected by this Microsoft problem you might try their official fix http://support.microsoft.com/kb/953979.

Take note of my 2nd post (#5 I think). Since locked registry keys are the problem you have to do any fixes in an environment under your own control. That means as ADMIN. Safe Mode will work but it just might be faster and easier after a reboot from MSCONFIG *after* checking the 2nd radio button - Diagnostic. Now, after applying the MSKB patch, reboot from MSCONFIG after clicking 'normal' and see if they in fact fixed their problem.

If they fail you again there are still other things to try. Not having actually been confronted by this bugaboo myself I can only offer this advice, 3 quick ideas:

{A} - Run that ACL reset batch file which uses subinacl and/or secedit. Definitely run it as above after selecting MSCONFIG Diagnostic Mode. Then try the MSKB fix again as above. See if it worked. Note: if you are in here that means that some 3rd party software has figured out a way to imitate a basic service, or your ACLs are just FUBAR.

{B} - If that failed I would probably uninstall the likely registry locking culprit McAfee or Symantec or 'other' full-blown security suite. If Symantec, make sure you run the Symantec specific removers right from their website. Now do {A} again! See if it worked.

{C} - Next idea would be to export the entire registry and edit it to make a custom cleanup script that manually deletes all values (and maybe some keys) containing $%&. Needless to say, this registry script would need to be run in Diagnostic mode also. This is what I would do. Nuke it from orbit, it's the only way to be sure to kill those aliens!
