Regedit won't run (but runs if I rename it?)

Status
Not open for further replies.
Delay

I'll try them this weekend.

I forgot when I mentioned the "Partition Magic" setup error above, that the XP CD, when inserted, also tries to launch "setup.exe", so that's THREE "setup.exe" programs that give me the same error as when I try to run "regedit.exe". That CAN'T be a coincidence.

I tried renaming a random app "setup.exe", and it did NOT give me an error, so all *four* programs ("regedit" and the 3 "setup.exe" apps) are doing something to cause the error (accessing the registry is not enough, since renaming them works.)

I found an OLD backup of my MBR from 4/2008 and tried restoring it thinking maybe my MBR was infected ("fixmbr" didn't fix it), but apparently it was TOO old and I wiped out my C: drive, so now I must restore my ASR backup again, which takes ten hours (2 to format the 1TB C: drive and 8 to restore the backup). I'll do that overnight when I don't need the computer.

One possible outcome... wiping out the old MBR that way and writing a new one... IF there was a virus there... might be fixed following the Restore (assuming there isn't a hidden process that writes it back.)

Oh, and if I hadn't said so recently, thanks again for helping me out here.
 
This post.

Before you do that .... just another probably not so bright idea ... do you have CleanSweep installed ?
Out of curiosity, when you asked me this, did you have this post in mind? I just ran across it Googling "setup.exe 0xc000005 virus".

Once I get everything restored, I'll try uninstalling that ancient copy of CleanSweep and see if that resolves the issue. (if that turns out to be the cause, I'll freak.)
 
Not exactly this one, I saw something similar on MSDN somewhere, but in just one post. Anyway, the error code and problem is same though.
 
Yep, that was it. Argh!

As soon as my computer finished this morning restoring my system for the second time in 24 hours, I went in and uninstalled that ancient copy of CleanSweep. Voila. Problem solved.

Here's the explanation for anyone that comes across this thread in the future:

I had inadvertently installed a bit of malware last week... a free Mahjong game from alawar.com that came with this browser toolbar ("Softek" iirc) that had installed itself on my PC (even though I said "No" when it asked). Neither AVG Antivirus (latest free edition) nor AdAware (also latest free edition) detected the game as any danger. The game turned out to be crap (big surprise), so I uninstalled it (fortunately before ever rebooting). I then tried to uninstall the toolbar, but it wouldn't let me. So I decided to try and uninstall it by hand by deleting every trace of it from the registry, only to discover RegEdit had been deleted from my machine.

Annoyed that neither AVG nor AdAware caught the malware, I dug out my ancient copy of Quarterdeck CleanSweep 3.0... which I knew had an app that tracked every change a program made to your system during installation. The program is so old (Win95/98/NT only), I had to run it in "Win98 compatibility mode". My hope was that it would PREVENT such a disaster in the future (groan!) by showing me everything a bit of malware changed so I could then fix it.

After copying RegEdit.exe back off the XP installation CD, I then tried to launch RegEdit to "uninstall" the toolbar and remnants of the game by hand, which is when I got the 0xc0000005 error.

Turns out CleanSweep had replaced about a half dozen crucial system files with its own variations that (I assume) intercept any/all calls to run anything called "setup.exe", "autorun.exe", etc... as well as "regedit.exe"... that would suggest a program was being installed. Thankfully (it appears), CleanSweep backed up all the system files it replaced, so uninstalling it put them all back.

The biggest stumbling block in diagnosing this problem was the fact it persisted even in Safe Mode. But it was because key system files had been replaced instead of hijacked by a running process, so there was no hidden process for HiJack to detect or Safe Mode to disable. (The hardest to solve issues are always problems that are compounded by other problems.)

What a nightmare. But everything seems to be back to normal now. Big thanks for the help.
 
One lingering question.

This does still leave one lingering question:

Why didn't "System File Checker" ("sfc") catch it? I ran it twice (once in Safe Mode).
 
Probably depends on the way sfc works, or checks the file(s)/their versions etc.

Probably CleanSweep kept files in the Windows backup cache (through the Windows File Protection service); hence when SFC checked for the files in question, it compared them and found them to be OK.
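The explanation above is why SFC is not enough on its own: it compares against a cache the same tool may have written to. An added example (not from this thread or from any of the tools named in it) that checks the affected executables independently of that cache, using the file's Authenticode signature and an optional hash baseline captured on a known-good machine. It assumes Windows PowerShell 5.1 or later, where Get-AuthenticodeSignature also resolves catalog-signed system files; the baseline path, its CSV layout and the dllcache comparison (an XP-era path) are assumptions.

```powershell
# Added example: verify system executables without trusting the WFP cache.
# Assumed file list and baseline location; adjust for your own system.
$SystemRoot   = $env:SystemRoot
$Targets      = @("$SystemRoot\regedit.exe")          # add other files the thread names as needed
$BaselinePath = "C:\baseline\system-hashes.csv"      # assumed: lines of "path,sha256" from a clean box
$DllCache     = "$SystemRoot\System32\dllcache"       # XP-era WFP cache; absent on newer Windows

function Test-SystemFile {
    param([string]$Path, [hashtable]$Baseline)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path=$Path; MicrosoftSigned=$false; Signer='(missing)'; Baseline='missing'; CacheSameHash='n/a' }
    }
    # Independent check 1: is the file signed by Microsoft? A replacement dropped by a
    # third-party tool will normally show NotSigned or a different signer.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $msSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

    # Independent check 2: compare against a hash baseline taken from a known-good machine.
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    $key  = $Path.ToLowerInvariant()
    $baselineState = if ($Baseline.ContainsKey($key)) {
        if ($Baseline[$key] -eq $hash) { 'match' } else { 'MISMATCH' }
    } else { 'no-baseline' }

    # Diagnostic: does the WFP cache copy carry the same hash? If the file is unsigned
    # AND the cache matches it, the cache itself was replaced, which is what fooled SFC.
    $cached = Join-Path $DllCache (Split-Path $Path -Leaf)
    $cacheSame = if (Test-Path -LiteralPath $cached) {
        ((Get-FileHash -Algorithm SHA256 -LiteralPath $cached).Hash -eq $hash)
    } else { 'n/a' }

    [pscustomobject]@{
        Path = $Path; MicrosoftSigned = $msSigned; Signer = $sig.SignerCertificate.Subject
        Baseline = $baselineState; CacheSameHash = $cacheSame
    }
}

# Load the optional baseline (path,hash per line, no header).
$baseline = @{}
if (Test-Path -LiteralPath $BaselinePath) {
    Import-Csv -LiteralPath $BaselinePath -Header Path,Hash |
        ForEach-Object { $baseline[$_.Path.ToLowerInvariant()] = $_.Hash }
}

$Targets | ForEach-Object { Test-SystemFile -Path $_ -Baseline $baseline } | Format-Table -AutoSize
```

A row showing MicrosoftSigned False, Baseline MISMATCH and CacheSameHash True is the exact situation described in this thread: both the live file and the copy SFC compares against were swapped, so only an external reference catches it.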
 