Registry is messed up

By JesseM
Jan 1, 2008
Topic Status:
Not open for further replies.
  1. I ran Spybot S&D for the first time on my computer (running Vista) and it messed up my registry (I am very sure I have no viruses atm) because I guess it assumed that I had Windows XP. Whenever I log on to any of the user accounts, explorer.exe does NOT automatically start, but instead two folders are opened and I get two errors. First the folder C:\Windows\system32 is opened, and then when I manually start explorer.exe through the task manager I get two identical errors saying that the Windows registry could not load "C:\Windows\system32\svchost.exe" and then the Windows explorer opens showing My Documents, My Computer, etc.

    If anybody knows of a program that could sort out my registry please tell me about it. Otherwise, I'd appreciate any other help!
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    System Restore

    Sorry brief must go and come back later !
  3. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    Thank you for your response! However, System Restore will not work as the earliest available restore point is after my computer started doing this. I tried it anyway without success. Please help!
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Startup Control Panel should remove those annoying startup entries
    Deselect (untick) any non-needed (or obsolete) startup shortcuts (this is reversible, so don't worry)
    You will need to restart after de-selecting any (or all) entries
  5. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    Thank you for your response! However, Startup Control Panel shows no startup programs except AVG and Google Talk, which I want.

    This is not a startup program which I am having difficulties with, but the lack of one. Explorer.exe is not a startup program, so all I get is a black screen when I logon (with some random folders opening and the two errors).
  6. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Boot from your Windows Vista DVD, select the System Repair Option > on the
    setup screen, select 'Repair Computer > Select your installation of Windows
    > select Startup Repair option and follow instructions.

    Snippet taken from Microsoft
  7. Po`Girl

    Po`Girl Newcomer, in training Posts: 668

    While a repair might well be the only solution,

    all those errors do have XP counterparts and solutions.

    All of them caused by leftover damage from spyware removal.

    I throw these out to you,for your consideration -


    See HERE for system 32 error, and HERE for svchost error.

    and the post by Wilson Chu for the explorer issue.


    You may only have to delete the following registry key, and not everything Wilson suggested -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows ???\CurrentVersion\Image File Execution Options\explorer.exe
  8. Myzz617

    Myzz617 Newcomer, in training Posts: 382

    Must you have Windows Vista?

    I would suggest wiping that HDD clean with Kill Disk, then installing XP if you have a copy. I have seen silly things while working with Vista.
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Disregard Myzz617 comment
    You need Vista repaired not replaced
  10. Myzz617

    Myzz617 Newcomer, in training Posts: 382

    In your "opinion" it needs to be replaced. You can put XP on it W/O a problem. It's a more stable OS than Vista is now.

    The choice is up to you, apparently.
  11. fenderguy2112

    fenderguy2112 Newcomer, in training Posts: 32

    Make sure you back up your files first, then download either CCleaner or Eusing Free Registry Cleaner. These two apps are a nice alternative to having to use a Windows application for your registry problems.

    FenderGuy2112
  12. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    Thank you all for your responses. I will try repairing using the Vista CD and if that is unsuccessful I will try a program such as CCleaner. Happy new year!

    EDIT

    System repair through the Windows Vista DVD was unable to find any problems with the system startup. Time to try CCleaner!

    EDIT #2

    CCleaner was also unable to detect the issue. I will now try Po`Girl's recommendations.

    EDIT #3

    None of the things that Po`Girl suggested applied to or fixed my problem. I am beginning to think about comparing my Registry startup values with those of a healthy Vista computer and adding/deleting entries manually.
  13. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    It has been about two months and this is still an annoying problem. Does anyone else have any ideas?
  14. monton

    monton TechSpot Enthusiast Posts: 146

    When you install Spybot Search&Destroy you are asked to create a restore point. Did you do that?
    Also, did you use the safer-networking Spybot S&D or the other spybot.com version?

    I have used Spybot S&D for years from Windows 98 to XP Pro 64-bit without any problems. Spybot at spybot.com I don't know anything about. Anyone have experience with those folks?
    Monton
  15. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,357   +167

    I can suggest a couple of things you might want to try
    1. Search for explorer.exe (be sure Vista is also searching through hidden files and folders). It should appear under Windows/System32. The fact that your logon opens to folder Windows/System32 rather than executing explorer makes me wonder if explorer.exe isn't there or the Winlogon shell command is wrong
    2. Check the Shell value for Winlogon in your registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon should show
      Code:
      Shell     REG_SZ    explorer.exe
      It may be worthwhile to delete and re-enter explorer.exe yourself
    3. Run System File Checker just to verify all the Vista system files. Open a cmd window as Administrator and type sfc /scannow. See this Microsoft Article for how to view the logfile and analyze results.

    /* Edit */
    I should say, make sure the Winlogon Shell value is simply explorer.exe. This makes sure it's not an issue of incorrect parameters after the command causing problems
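The check LookinAround describes above can be scripted so you don't have to eyeball the values in regedit. The following is an added example, not code from the thread: it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` prints, compares the Shell and Userinit values against the stock Vista defaults, and reports anything chained onto them. The sample `reg query` output is constructed for illustration (the thread never shows the actual bad value), and the expected Userinit path assumes a default install on C:.

```python
"""Check the Winlogon Shell and Userinit values from `reg query` output.

Added example; not from the TechSpot thread. On the affected machine you
would run, in an elevated cmd window:
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" > winlogon.txt
and feed winlogon.txt to parse_reg_query().
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock values on a clean Vista install (assumption: default install on C:).
# Userinit legitimately ends with a trailing comma.
EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Constructed sample output: Shell has an extra program appended to it.
SAMPLE_REG_QUERY = "\n".join([
    WINLOGON_KEY,
    r"    Shell    REG_SZ    explorer.exe,C:\Windows\system32\scvhost.exe",
    r"    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,",
    "",
])


def parse_reg_query(text):
    """Parse `reg query <key>` output into {value_name: (type, data)}.

    Value lines are indented; the key path line is not. Fields are separated
    by runs of spaces, so a single space inside a path is preserved.
    """
    values = {}
    for line in text.splitlines():
        if not line.startswith("    "):
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2:
            continue
        name, kind = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        values[name] = (kind, data)
    return values


def check_winlogon(values):
    """Return a list of findings; an empty list means both values are stock."""
    findings = []
    for name, expected in EXPECTED.items():
        if name not in values:
            findings.append(f"{name}: missing (expected {expected!r})")
            continue
        _kind, data = values[name]
        if data.strip().lower() == expected.lower():
            continue
        # Both values are comma-separated program lists; anything beyond the
        # stock entry is an extra program launched at every logon.
        stock = expected.rstrip(",").lower()
        extras = [p.strip() for p in data.split(",")
                  if p.strip() and p.strip().lower() != stock]
        findings.append(f"{name}: {data!r} (expected {expected!r}; extra: {extras})")
    return findings


if __name__ == "__main__":
    for finding in check_winlogon(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

A clean machine produces no findings; any extra path in the `extra` list is a logon-time autostart that no startup-manager tool will show you, which is exactly why Startup Control Panel came up empty in this thread.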
  16. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

    Besides the fact that I do not use Windows NT, this directory does not exist. I get as far as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion but there is no directory named 'Winlogon'.
  17. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,357   +167

    1. Welcome to the non-obvious nor intuitive world of Windows
    2. Read my post again. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon refers to the registry, not a disk directory.
    3. I guessed from the references to it in your first post you were familiar with the Windows registry?
    4. And, yes, even though you are running Windows Vista you have a registry subkey Windows NT

    The registry is sort-of the "Master database" of information for your system. I found this link to explain the Windows Registry a little more.

    You need to be careful anytime you go into the registry. Back it up and create a system restore point before making any changes. Click here for instructions for Vista.

    Are you familiar with the Windows regedit tool to view/modify the registry? Here's a guide to the native Windows Vista tool.

    /* Edit */
    Just re-read your post and your use of the word "directory" rather than key or subkey threw me off. Yes, you are familiar w/the registry. But you should have both a Windows and Windows NT subkey.
  18. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    Sorry for the confusion, LookinAround, but yeah I had just been completely overlooking that 'Windows NT' key. It's fixed! Thank you so much!

    However, I still get the same two errors when I log onto the user accounts telling me that 'svchost.exe' cannot be loaded.
  19. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    That's great news :)

    You can run Startup Control Panel to remove any unwanted (or faulty) startups

    HERE's an excellent information page on checking all system startups.

    Let us know how you go.
  20. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,357   +167

    No problem about any confusion JesseM. Glad it got you past the one problem.

    But given the Winlogon/Shell value was in fact the source of one problem, I also suspect your registry value for Winlogon/Userinit.

    However
    I suspect the reason they've changed in the first place is because of spyware or virus infection (changing your registry user logon settings is a common form of infection)

    Rather than having you look further at individual registry settings, you should look for infections. Follow the instructions in this link on Spyware removal which will also tell you how to create and post HijackThis logs. (fyi.. one of the things HJT inspects are the specific registry values I've been talking about)

    kimsland: This type of infection wouldn't likely be found among startup programs. It's "starting itself" by hooking its changes into the user logon settings rather than hooking itself into the startup programs.

    /* Edit */
    btw.. it sounds like it's not starting itself successfully and that's what you are seeing. Could be that Spybot saw the infection and removed some but couldn't remove all of its parts.
  21. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    I have already followed those instructions once because of this problem, and I believe that I successfully wiped my computer of malware. I think these messed up registry values are the aftermath of the viruses that were on my computer. I'll have to check Userinit when I am home, I will also try the startup control panel. Thanks guys.
  22. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,357   +167

    Yea, don't know if you saw the /* Edit */ I added just after posting a couple of days back but almost certainly it was some form of malware that modified your logon process to allow it to auto-start each time you logged in.

    What you were seeing were the remnants of its startup mechanism after Spybot only partially disabled it.

    There's a couple of other important registry values in addition to Userinit to look at. I can look them up but no time just now. Why don't you go ahead and just run HijackThis and post it here. Can save me (and you) some time if I start with a HijackThis log. (Tho if you DID post one before..... just what value did you see for Winlogon/Shell when I had you first look? If you had posted a log before AND that value was incorrect, I'd be surprised everyone who reviewed it missed that fact)
  23. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:29:46 PM, on 2/17/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Windows\RtHDVCpl.exe
    C:\Users\Jesse\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Users\Jesse\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2DL9XD5Y\HiJackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: load=C:\Windows\system32\scvhost.exe
    F3 - REG:win.ini: run=C:\Windows\system32\scvhost.exe
    O1 - Hosts: 75.164.230.87 jessemerz.dynalias.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKCU\..\Run: [googletalk] C:\Users\Jesse\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Generic Host Process] C:\Windows\system32\scvhost.exe
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-3138149437-1689907971-922131132-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Kate')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-21-3138149437-1689907971-922131132-1002 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Kate')
    O4 - S-1-5-21-3138149437-1689907971-922131132-1002 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Kate')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.9/uploader2.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SndRecB.1.3 (SndRecA.1.3) - Unknown owner - C:\Program Files\Sound Card Recorder\service.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 7150 bytes
  24. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,357   +167

    Those malware people are always sneaky.

    From your very first post, you mention an error message about "the Windows registry could not load "C:\Windows\system32\svchost.exe"

    • Are you sure the errors are about svchost.exe? Or are they about scvhost.exe? Note the spelling.
    • After the confusion we had about "Windows NT" at first, I went back to re-read your answers. You didn't indicate if you searched through your hard drive(s) for explorer.exe (being sure to include hidden files and folders in search options)
    • While you're at it, why don't you also search through your drives for scvhost.exe with the inverted character spelling. I'm guessing Spybot already deleted it (though Spybot didn't or was unable to remove the hack in your win.ini file which tries to load and then run it!)

    It's late and I will look at it some more tomorrow.

    /* Edit */
    But I will add one more thing now. Why don't you also search your drives looking for the misspelled scvhost as "a word or phrase" as the search option. This search will take awhile to run.
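The spelling trick LookinAround spotted (scvhost.exe posing as svchost.exe, launched from win.ini `load=`/`run=` and a Policies\Explorer\Run value) is easy to miss by eye in a long HijackThis log. Here is an added example, not part of the thread and not HijackThis code, that triages the F3 and O4 lines of such a log: it flags any win.ini load/run entry at all (those are empty on a healthy install) and any autostart executable whose name is exactly one typo or transposition away from a real Windows system binary. The sample log lines are copied from the log posted above; the list of system binaries to compare against is my own choice.

```python
"""Triage HijackThis F3/O4 autostart lines for lookalike system binaries.

Added example; not from the TechSpot thread or from HijackThis. Sample
lines below are taken from the HijackThis log posted in the thread.
"""
import re

# Names worth impersonating; a typo-distance-1 match against one of these
# but not an exact match is the classic "scvhost.exe" trick.
SYSTEM_BINARIES = {
    "svchost.exe", "explorer.exe", "userinit.exe", "winlogon.exe",
    "lsass.exe", "csrss.exe", "services.exe", "rundll32.exe",
}

SAMPLE_HJT = "\n".join([
    r"F3 - REG:win.ini: load=C:\Windows\system32\scvhost.exe",
    r"F3 - REG:win.ini: run=C:\Windows\system32\scvhost.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe",
    r"O4 - HKCU\..\Run: [googletalk] C:\Users\Jesse\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart",
    r"O4 - HKLM\..\Policies\Explorer\Run: [Generic Host Process] C:\Windows\system32\scvhost.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
])


def dl_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition (the "scv" vs "svc" case) costs 1, not 2.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike(name):
    """Return the system binary that `name` impersonates, or None."""
    n = (name or "").lower()
    if not n or n in SYSTEM_BINARIES:
        return None
    for real in sorted(SYSTEM_BINARIES):
        if dl_distance(n, real) == 1:
            return real
    return None


def exe_name(command):
    """Basename of the first *.exe in an HJT command field, or None."""
    m = re.search(r'([^\\/\s"]+\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else None


def triage(log_text):
    """Return [(line, reason)] for every suspicious F3/O4 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F3 - REG:win.ini:"):
            cmd = line.split("=", 1)[1].strip() if "=" in line else ""
            if cmd:
                reason = "win.ini load/run is empty on a healthy install"
                name = exe_name(cmd)
                real = lookalike(name)
                if real:
                    reason += f"; {name} looks like {real}"
                findings.append((line, reason))
        elif line.startswith("O4 - "):
            cmd = line.split(": ", 1)[1] if ": " in line else ""
            name = exe_name(cmd)
            real = lookalike(name)
            if real:
                findings.append((line, f"{name} is one typo away from {real}"))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_HJT):
        print(f"{why}\n    {flagged}")
```

Run against the posted log this flags exactly the three scvhost.exe lines and nothing else; the legitimate AVG, Realtek, Google Talk and rundll32 entries pass. Note that distance-1 matching is a heuristic: it will not catch a lookalike that differs by two characters or that uses a different extension, so treat it as a first pass over the log, not a verdict.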
  25. JesseM

    JesseM TechSpot Enthusiast Topic Starter Posts: 258

    You are correct, it was scvhost.exe that was being called up at logon.

    I have searched for scvhost.exe and turned up with one result. It was located in the recovery archive for Spybot S&D under some kind of trojan.

    I searched for explorer.exe and turned up with at least 13 results. Four of them were C:/windows/explorer.exe (identical to each other), and the rest were random files in the Spybot S&D archives.