TechSpot

Regedit won't run (but runs if I rename it?)

By Mugsy
Feb 3, 2010
Topic Status:
Not open for further replies.
  1. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    I'll beg to differ; I usually reinstall everything on about a 6-month cycle (well, mostly because of the things I try on my machine), hence over time it does get a bit slower. Unless there is something up with the hardware, you will not have any issue IMHO. However, it's a royal pain in the ......... you know what I mean ;)

    There seems to be nothing suspicious in this; however, I just noticed you are using an older version of HijackThis; the more recent one is 2.0.2, I think.

    Edit:
    However, you can give me a very detailed list of running processes by using this simple command-line utility (comes with Windows):
    i. Press Start, Run and enter cmd;
    ii. In the DOS window, type: tasklist /m /fi "memusage gt 10" /fi "cputime gt 00:00:01" /fo table >Process.txt

    This will create a file named Process.txt; simply attach it to your next log, please.
     
  2. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Found another app

    Yes, the author says that the newer version doesn't catch some infections, and in those instances, to go back to 1.99.
    This post is too long with the log included, so I uploaded it here:

    I discovered another program that refuses to run, giving me the exact same "0xc0000005" error: The WinXP CD! I decided to try a System File Compare again (third time's the charm?) and when I inserted the XP CD, I got the same error, but for "Setup.exe" (sfc didn't find anything). I don't remember it giving me an error before. I hope the problem isn't spreading.

    But the fact the problem happened with an unmodifiable app written to CD tells me the programs themselves haven't been modified in some way. Something else is prohibiting them from running.

    But not "every" exe does this, so the question is, what do "regedit.exe", the "Autorun.exe" of the new HDTV software I tried to install last night, and now "setup.exe" on the WinXP cd, all have in common?
     
  3. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    stlport_vc7145.dll <== don't know what the heck this is; probably something to do with OpenOffice according to Bing; if you have it on your system, leave it.

    The posting doesn't seem to be complete; it would be appropriate if you zip the text file and attach it to your posting here.
     
  4. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Complete

    Yes, I have OpenOffice on my PC.

    The log as posted is all it created. Is there a particular process you're expecting?
     
  5. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    While I was looking for regedit & related issues etc., I found this URL; it restores regedit's registry settings to default. I guess if you feel brave enough you can try these.
     
  6. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Interesting

    Looks interesting, but the solution seems to apply to those who can't run... not only regedit, but msconfig or any other repair tool.

    I think I'll hold off on something like that for now. Something that drastic could be worse than even a full reinstall (worse, because it could prevent Reinstall from working correctly if it screws things up.)

    Thanks for looking though. The help is appreciated. I'm a tech of 25 years and this one has me stumped. Never seen anything like it.
     
  7. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    I haven't known anything like this either; and for that reason I hoped it can be fixed, just for the heck of it!

    Also, if you create a restore point and then try that solution, you will have the option of restoring to this state again. Or .... you may compare the settings given on that page by searching the same keys through your registry?
     
  8. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Restore

    My concern is that reinitializing the Registry could wipe out all program installation information, including settings. If it does that, I could conceivably have to reinstall all my software.

    I've found that System Restore doesn't "overwrite" the old registry with an old one, it attempts to rebuild it by merging old & new information.

    I'm thinking about attempting an ASR backup, performing a Repair-install, and if that fails, restore using ASR. Problem is, I don't have a floppy drive and don't know if I can do that without one.

    (I have nearly 1TB of data to backup, and a spare external 1TB drive just for backups. But it takes 9 hours to backup that much data and 9 more hours to copy it all back.) :(
     
  9. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    It is indeed a very unpleasant thing to wait for so long ..... oh well, you can back up when you go to bed ..... and restore it again the next night.
     
  10. pjamme

    pjamme TS Enthusiast Posts: 285

    I did this yesterday on a user's Dell Optiplex GX520, with my Dell OEM Slipstreamed XP Pro SP3, on a computer on which Internet Explorer 7 no longer worked; took 45 minutes.
    I still say it beats formatting and re-installing unless you still have a problem with Virus/Adware and then of course clean install is best.
     
  11. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Non-destructive?

    So this was a non-destructive fix? You didn't have to reinstall/reconfigure any software or Service patches?
     
     
  12. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    Repairing the OS like this usually doesn't involve any destruction .... except I am not sure about service patches, the reason being you may have an older XP setup CD (without SP2/SP3 etc.); however, if you use an XP SP3 slipstreamed CD you will need a lot fewer fixes to be reinstalled.
     
  13. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    The question is Why is it happening?

    I'm getting to the point where I'm probably going to end up doing a Repair-install. I was less willing to bother when it was just RegEdit giving me an error that I could circumvent simply by renaming.

    But now that I've discovered other programs giving me the same error, this is suddenly a more serious problem. The big question is: "Why is it happening in the first place?"

    I don't like unanswered questions because then you don't know how to stop it from happening again. Programs shouldn't return errors simply because Windows doesn't like the (perfectly acceptable) filename.
     
  14. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    Before you do that .... just another probably not so bright idea ... do you have CleanSweep installed?
     
  15. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Funny

    Funny you should ask.

    Actually, after this happened, I installed a VERY old copy of CleanSweep (v3.0 for 95/98/NT). It doesn't work with XP, but it has a tray app that logs every change a program makes to your computer during installation. I can still use it if I run it in "Compatibility Mode" and then examine the logs using Notepad to undo all the changes by hand.

    The feature was removed/crippled as of XP because you can install time-limited demos over and over again and never have them expire so long as you undo all the changes (normal uninstall leaves behind Registry keys and data files that track the first installation specifically to prevent you from doing this.)

    But, sadly, I didn't have it installed prior to the malware infection to know what it changed. :(
     
  16. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    Oh well, good luck with the repair if you choose to do so; however, I am still digging through MSDN to find something which can explain this.
     
  17. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Lemme know

    Lemme know if you find something.

    If there was just some sort of way to "trace" the execution to see what is triggering the error.
     
  18. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    This problem may occur if the computer is infected with a variant of the HaxDoor virus.

    The HaxDoor virus creates a hidden process. Additionally, the virus hides files and registry keys. The executable file name of the HaxDoor virus may vary, but the file name is frequently Mszx23.exe. Many variants of this virus put a driver that is named Vdmt16.sys or Vdnt32.sys on the computer. This driver is used to hide the virus process. The HaxDoor virus variants can restore these files if you delete them.


    Source: MSDN (about error 0x00000050 among many others)

    I don't remember seeing vdmt or vdnt sys files in your logs, though.

    Edit:
    Here is a list of suspicious files related to it and its other variants:-

     
  19. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    Have a look at the following from MSDN as well:

    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    3. Locate and delete any entries in the registry subkey that reference "drct16" or "draw32".

    For example, you may see entries that are similar to the following:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32

    Do not do anything from above info; just check the registry entries it says and see whether they contain anything suspicious
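
A read-only version of the check described in post 19, as an added example that is not part of the thread or of the MSDN text it quotes: it lists the Winlogon\Notify subkeys, flags any that reference "drct16" or "draw32", and then looks for the three file names mentioned in the description quoted in post 18. It assumes PowerShell is installed (it does not ship with XP) and that the files, if present, would sit in System32 or System32\drivers; the thread does not state a location.

```powershell
# Read-only audit: nothing here writes to the registry or the disk.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$dllHints  = @('drct16', 'draw32')                        # names from the quoted steps
$fileNames = @('Mszx23.exe', 'Vdmt16.sys', 'Vdnt32.sys')  # names from the quoted description

function Get-NotifyEntries {
    # Emit one object per Notify subkey: its name, the DLL it loads, and a flag.
    if (-not (Test-Path $notifyKey)) { return }
    Get-ChildItem -Path $notifyKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dll   = [string]$props.DllName          # empty string when the value is absent
        $text  = "$($_.PSChildName) $dll"
        $hit   = $false
        foreach ($h in $dllHints) {
            # -match is case-insensitive, so DRCT16.DLL is caught as well
            if ($text -match [regex]::Escape($h)) { $hit = $true }
        }
        New-Object PSObject -Property @{
            Subkey = $_.PSChildName; DllName = $dll; Suspicious = $hit
        }
    }
}

function Find-NamedFiles {
    # Assumed locations (not stated in the thread): System32 and System32\drivers.
    $dirs = @((Join-Path $env:SystemRoot 'System32'),
              (Join-Path $env:SystemRoot 'System32\drivers'))
    foreach ($d in $dirs) {
        foreach ($f in $fileNames) {
            $p = Join-Path $d $f
            # -Force lets Get-Item return files carrying the hidden attribute
            if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p -Force }
        }
    }
}

Get-NotifyEntries | Sort-Object Subkey | Format-Table Subkey, DllName, Suspicious -AutoSize
Find-NamedFiles   | Format-Table FullName, Length, LastWriteTime -AutoSize
```

Because the quoted description says the virus hides files and registry keys, an empty result from the running system does not rule it out.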
     
  20. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    I'll check

    Interesting. I'll check into it tonight.

    I've started the backup process and can't make any changes ATM. I verified that the Windows setup DOES detect my USB floppy drive, so I'm doing an ASR backup of my 1TB c: drive. This is going to take some time. :)
     
  21. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    Alright, keep things updated and I hope it will be fixed.
     
  22. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Status report

    Okay, here is a quick status report.

    I'm responding via my copy of Linux. :)
    (I keep a copy of Ubuntu 9.10 on a USB stick for just such emergencies.)

    29 1/2 hours for XP to create an ASR backup of my C: drive with 619GB worth of data.

    I then unchecked "Hide hidden files" from Explorer and searched for the HaxDoor virus. Nothing found.

    I searched the registry for those two keys. Nada.

    So I then booted the XP cd and started a Repair Install. It copied the cd files and rebooted (as it should). The XP logo came up, a low rez pointer, then black screen and reboot. I tried again and it did the same thing.

    So I rebooted the CD and tried a Repair Install again. Exact same result. Fortunately, I made the ASR backup, which I will now go through the agony of restoring (hopefully, a restore won't take as long).

    No idea why a Repair would not work, but it does suggest there is an "active" problem (like a virus) and not just the remnants of malware damage.

    Let's pray the ASR Recovery works. It can do a full reformat, so I'm cautiously optimistic... though I will be right back where I started when it is done. :(
     
  23. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    Having treaded so many routes to fix this issue so far, that is something no one would look forward to, at any given time. So, square one it is.
     
  24. Mugsy

    Mugsy TS Maniac Topic Starter Posts: 426

    Another piece to the puzzle

    Well, ASR worked and I'm back exactly where I left off (whew!)

    I did screw up one small (?) detail in the recovery process... the MBR of another drive that I should have disabled before attempting recovery was overwritten with the XP Booter. Hopefully, it's just a matter of fixing the MBR to get that drive (Win7 rc7100) to boot again (the Win7 Repair Tools on the disc are next to worthless. Good job MS!)

    Anyway, once back in XP, I went to install my old copy of Partition Magic 8 to try and fix the offending drive, and got that same error 0xc000005. I renamed the setup.exe to "xsetup.exe" and it installed just fine. But that is the second "setup.exe" to give me that error (the other was that updated HDTV driver).

    This is looking more and more like a phantom virus. But even when checking the drive from another OS so that no XP drivers are running, it finds nothing.

    The mystery grows.
     
  25. Archean

    Archean TechSpot Paladin Posts: 6,053   +76

    While looking around I think I found an interesting tool, GetSystemInfo; it creates a lot more detailed system report (and zips it for you!) ... however, reading such a detailed report about every process running on your system is very difficult.

    However, the key thing is, it has an online parser to go through your log file :) It will also give you a detailed tabbed-format online report.

    I don't know about its exact quality but there is no harm in trying it. I am attaching a sample picture so you know what you will get as well.

    Edit:
    Also try Secunia's Personal Software Inspector (PSI); I have used it in the past; and I think it will give you a report about vulnerabilities on your PC.
     
