Regedit won't run (but runs if I rename it?)

Status
Not open for further replies.
Mugsy said......
I REALLY don't want to do a reinstall because the result is almost always a less stable system.

I'll beg to differ; I usually reinstall everything on about a 6-month cycle (well, mostly because of things I try on my machine), hence over time it does get a bit slower. Unless there is something up with the hardware, you will not have any issue IMHO. However, it's a royal pain in the ......... you know what I mean ;)

There seems to be nothing suspicious in this; however, I just noticed you are using an older version of HijackThis; the more recent one is 2.0.2, I think.

Edit:
However, you can give me a very detailed list of running processes by using this simple command-line utility (comes with Windows):
i. Press Start, Run and enter cmd;
ii. In the DOS window type: tasklist /m /fi "memusage gt 10" /fi "cputime gt 00:00:01" /fo table >Process.txt

This will create a file named Process.txt; simply attach it to your next log, please.
 
Found another app

I'll beg to differ; I just noticed you are using an older version of HijackThis; the more recent one is 2.0.2, I think.
Yes, the author says that the newer version doesn't catch some infections, and in those instances, to go back to 1.99.
However, you can give me a very detailed list of running processes
This post is too long with the log included, so I uploaded it here:

I discovered another program that refuses to run, giving me the exact same "0xc0000005" error: The WinXP CD! I decided to try a System File Compare again (third time's the charm?) and when I inserted the XP CD, I got the same error, but for "Setup.exe" (sfc didn't find anything). I don't remember it giving me an error before. I hope the problem isn't spreading.

But the fact the problem happened with an unmodifiable app written to CD tells me the programs themselves haven't been modified in some way. Something else is prohibiting them from running.

But not "every" exe does this, so the question is, what do "regedit.exe", the "Autorun.exe" of the new HDTV software I tried to install last night, and now "setup.exe" on the WinXP cd, all have in common?
 
stlport_vc7145.dll <== don't know what the heck is this; probably something to do with open office according to bing; if you have it on your system leave it.

The posting doesn't seem to be complete; it would be appropriate if you zip the text file and attach it to your posting here.
 
Complete

stlport_vc7145.dll <== don't know what the heck is this; probably something to do with open office according to bing; if you have it on your system leave it.

The posting doesn't seem to be complete; it would be appropriate if you zip the text file and attach it to your posting here.
Yes, I have OpenOffice on my PC.

The log as posted is all it created. Is there a particular process you're expecting?
 
While I was looking for regedit & related issues etc., I found this URL; it restores regedit's registry settings to default. I guess if you feel brave enough you can try these.
 
Interesting

Looks interesting, but the solution seems to apply to those who can't run... not only regedit, but msconfig or any other repair tool.

I think I'll hold off on something like that for now. Something that drastic could be worse than even a full reinstall (worse, because it could prevent Reinstall from working correctly if it screws things up.)

Thanks for looking though. The help is appreciated. I'm a tech of 25 years and this one has me stumped. Never seen anything like it.
 
I haven't known anything like this either; and for that reason I hoped it can be fixed, just for the heck of it !

Also, if you create a restore point and then try that solution, you will have the option of restoring to this state again. Or .... you may compare the settings given on that page by searching the same keys through your registry?
 
Restore

if you create a restore point and then try that solution, you will have the option of restoring to this state again. Or .... you may compare the settings given on that page by searching the same keys through your registry?
My concern is that reinitializing the Registry could wipe out all program installation information, including settings. If it does that, I could conceivably have to reinstall all my software.

I've found that System Restore doesn't "overwrite" the old registry with an old one, it attempts to rebuild it by merging old & new information.

I'm thinking about attempting an ASR backup, performing a Repair-install, and if that fails, restore using ASR. Problem is, I don't have a floppy drive and don't know if I can do that without one.

(I have nearly 1TB of data to backup, and a spare external 1TB drive just for backups. But it takes 9 hours to backup that much data and 9 more hours to copy it all back.) :(
 
It is indeed a very unpleasant thing to wait for so long ..... oh well, you can back up when you go to bed ..... and restore it again the next night.
 
Mugsy,
If you do not want to format, Fred Langa had a Windows Secret that I have used successfully many times. Check it out at:
http://www.informationweek.com/news...9400897&queryText=fred langa do not format xp

I did this yesterday on a user's Dell Optiplex GX520, with my Dell OEM Slipstreamed XP Pro SP3, on a computer on which Internet Explorer 7 no longer worked; it took 45 minutes.
I still say it beats formatting and re-installing unless you still have a problem with Virus/Adware and then of course clean install is best.
 
Non-destructive?

I did this yesterday on a user's Dell Optiplex GX520, with my Dell OEM Slipstreamed XP Pro SP3, on a computer on which Internet Explorer 7 no longer worked; it took 45 minutes.
I still say it beats formatting and re-installing unless you still have a problem with Virus/Adware and then of course clean install is best.
So this was a non-destructive fix? You didn't have to reinstall/reconfigure any software or Service patches?
 
Repairing the OS like this usually doesn't involve any destruction .... except I am not sure about service patches, the reason being you may have an older XP setup CD (without SP2/SP3 etc.); however, if you use an XP SP3 slipstreamed CD you will need a lot fewer fixes to be reinstalled.
 
The question is Why is it happening?

Repairing the OS like this usually doesn't involve any destruction .... except I am not sure about service patches, the reason being you may have an older XP setup CD (without SP2/SP3 etc.); however, if you use an XP SP3 slipstreamed CD you will need a lot fewer fixes to be reinstalled.
I'm getting to the point where I'm probably going to end up doing a Repair-install. I was less willing to bother when it was just RegEdit giving me an error that I could circumvent simply by renaming.

But now that I've discovered other programs giving me the same error, this is suddenly a more serious problem. The big question is: "Why is it happening in the first place?"

I don't like unanswered questions because then you don't know how to stop it from happening again. Programs shouldn't return errors simply because Windows doesn't like the (perfectly acceptable) filename.
 
Before you do that .... just another probably not so bright idea ... do you have CleanSweep installed ?
 
Funny

do you have CleanSweep installed ?
Funny you should ask.

Actually, after this happened, I installed a VERY old copy of CleanSweep (v3.0 for 95/98/NT). It doesn't work with XP, but it has a tray app that logs every change a program makes to your computer during installation. I can still use it if I run it in "Compatibility Mode" and then examine the logs using Notepad to undo all the changes by hand.

The feature was removed/crippled as of XP because you can install time-limited demos over and over again and never have them expire so long as you undo all the changes (normal uninstall leaves behind Registry keys and data files that track the first installation specifically to prevent you from doing this.)

But, sadly, I didn't have it installed prior to the malware infection to know what it changed. :(
 
Oh well, good luck with the repair if you choose to do so; however, I am still digging through MSDN to find something which can explain this.
 
Lemme know

Oh well, good luck with the repair if you choose to do so; however, I am still digging through MSDN to find something which can explain this.
Lemme know if you find something.

If there was just some sort of way to "trace" the execution to see what is triggering the error.
 
This problem may occur if the computer is infected with a variant of the HaxDoor virus.

The HaxDoor virus creates a hidden process. Additionally, the virus hides files and registry keys. The executable file name of the HaxDoor virus may vary, but the file name is frequently Mszx23.exe. Many variants of this virus put a driver that is named Vdmt16.sys or Vdnt32.sys on the computer. This driver is used to hide the virus process. The HaxDoor virus variants can restore these files if you delete them.


Source: MSDN (about error 0x00000050 among many others)

I don't remember seeing vdmt or vdnt sys files in your logs, though.

Edit:
Here is a list of suspicious files related to it and its other variants:-

 
Have a look at the following from MSDN as well:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
3. Locate and delete any entries in the registry subkey that reference "drct16" or "draw32".

For example, you may see entries that are similar to the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32

Do not do anything from the above info; just check the registry entries it mentions and see whether they contain anything suspicious.
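
A read-only way to do the check described in the post above, as an added example that is not part of the original post or of the MSDN text. It assumes PowerShell is installed on the machine; the function name `Get-WinlogonNotifyEntry` and the output column names are hypothetical, chosen for this example.

```powershell
# Added example: read-only audit of Winlogon notification packages.
# Nothing is modified or deleted.
$notifyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$suspectNames = 'drct16', 'draw32'   # the two names given in the steps above

function Get-WinlogonNotifyEntry {
    param([string]$Path = $notifyPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }

    foreach ($key in Get-ChildItem -LiteralPath $Path) {
        # Each notification package is a subkey whose DllName value names its DLL.
        $dll      = (Get-ItemProperty -LiteralPath $key.PSPath).DllName
        $resolved = $null
        $onDisk   = $false
        if ($dll) {
            $resolved = [Environment]::ExpandEnvironmentVariables($dll)
            # A bare file name is looked up in System32.
            if (-not [IO.Path]::IsPathRooted($resolved)) {
                $resolved = Join-Path (Join-Path $env:SystemRoot 'System32') $resolved
            }
            $onDisk = Test-Path -LiteralPath $resolved
        }

        # Flag the entry if the subkey name or the DLL name contains a suspect name.
        $hit = $false
        foreach ($name in $suspectNames) {
            if ($key.PSChildName -like "*$name*" -or $dll -like "*$name*") { $hit = $true }
        }

        New-Object PSObject -Property @{
            Subkey      = $key.PSChildName
            DllName     = $dll
            Resolved    = $resolved
            FileVisible = $onDisk   # False for a registered DLL deserves a closer look
            Suspect     = $hit
        } | Select-Object Subkey, DllName, Resolved, FileVisible, Suspect
    }
}

Get-WinlogonNotifyEntry | Format-Table -AutoSize
```

Because the quoted text says HaxDoor hides files and registry keys, an empty or clean result from the running system is not conclusive; an entry whose DLL is registered but not visible on disk is worth comparing against an offline view of the drive.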
 
I'll check

Interesting. I'll check into it tonight.

I've started the backup process and can't make any changes ATM. I verified that the Windows setup DOES detect my USB floppy drive, so I'm doing an ASR backup of my 1TB c: drive. This is going to take some time. :)
 
Status report

Okay, here is a quick status report.

I'm responding via my copy of Linux. :)
(I keep a copy of Ubuntu 9.10 on a USB stick for just such emergencies.)

29 1/2 hours for XP to create an ASR backup of my C: drive with 619GB worth of data.

I then unchecked "Hide hidden files" from Explorer and searched for the HaxDoor virus. Nothing found.

I searched the registry for those two keys. Nada.

So I then booted the XP cd and started a Repair Install. It copied the cd files and rebooted (as it should). The XP logo came up, a low rez pointer, then black screen and reboot. I tried again and it did the same thing.

So I rebooted the CD and tried a Repair Install again. Exact same result. Fortunately, I made the ASR backup, which I will now go through the agony of restoring (hopefully, a restore won't take as long).

No idea why a Repair would not work, but it does suggest there is an "active" problem (like a virus) and not just the remnants of malware damage.

Let's pray the ASR Recovery works. It can do a full reformat, so I'm cautiously optimistic... though I will be right back where I started when it is done. :(
 
Having treaded so many routes to fix this issue so far, that is something no one would look forward to, at any given time. So, square one it is.
 
Another piece to the puzzle

Well, ASR worked and I'm back exactly where I left off (whew!)

I did screw up one small (?) detail in the recovery process... the MBR of another drive that I should have disabled before attempting recovery was overwritten with the XP Booter. Hopefully, it's just a matter of fixing the MBR to get that drive (Win7 rc7100) to boot again (the Win7 Repair Tools on the disc are next to worthless. Good job MS!)

Anyway, once back in XP, I went to install my old copy of Partition Magic 8 to try and fix the offending drive, and got that same error 0xc000005. I renamed the setup.exe to "xsetup.exe" and it installed just fine. But that is the second "setup.exe" to give me that error (the other was that updated HDTV driver).

This is looking more and more like a phantom virus. But even when checking the drive from another OS so that no XP drivers are running, it finds nothing.

The mystery grows.
 
While looking around I think I found an interesting tool, GetSystemInfo; it creates a lot more detailed system report (and zips it for you!) ... however, reading such a detailed report about every process running on your system is very difficult.

However, the key thing is that it has an online parser to go through your log file :) It will also give you a detailed, tabbed-format online report.

I don't know about its exact quality, but there is no harm in trying it. I am attaching a sample picture so you know what you will get as well.

Edit:
Also try Secunia's Personal Software Inspector (PSI); I have used it in the past, and I think it will give you a report about vulnerabilities on your PC.
 

Attachments

  • Kasperkey - GetSystemInfo.jpg