Registry is messed up

Status
Not open for further replies.

JesseM

Posts: 237   +10
I ran spybot s&d for the first time on my computer (running Vista) and it messed up my registry (I am very sure I have no viruses atm) because I guess it assumed that I had Windows XP. Whenever I logon to any of the user accounts, explorer.exe does NOT automatically start, but instead two folders are opened and I get two errors. First the folder C:\Windows\system32 is opened, and then when I manually start explorer.exe through the task manager I get two identical errors saying that the Windows registry could not load "C:\Windows\system32\svchost.exe" and then the Windows explorer opens showing My Documents, My Computer, etc.

If anybody knows of a program that could sort out my registry please tell me about it. Otherwise, I'd appreciate any other help!
 
Thank you for your response! However, System Restore will not work as the earliest available restore point is after my computer started doing this. I tried it anyway without success. Please help!
 
Startup Control Panel should remove those annoying startup entries.
Deselect (untick) any non-needed (or obsolete) startup shortcuts (this is reversible, so don't worry).
You will need to restart after deselecting any (or all) entries.
 
Thank you for your response! However, Startup Control Panel shows no startup programs except AVG and Google Talk, which I want.

This is not a startup program which I am having difficulties with, but the lack of one. Explorer.exe is not a startup program, so all I get is a black screen when I logon (with some random folders opening and the two errors).
 
Boot from your Windows Vista DVD, select the System Repair option > on the setup screen, select 'Repair Computer' > select your installation of Windows > select the Startup Repair option and follow the instructions.

Snippet taken from Microsoft
 
While a repair might well be the only solution,

all those errors do have XP counterparts and solutions.

All of them caused by leftover damage from spyware removal.

I throw these out to you, for your consideration -


See HERE for the system32 error, and HERE for the svchost error.

and the post by Wilson Chu for the explorer issue.


You may only have to delete the following registry key, and not everything Wilson suggested -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows ???\CurrentVersion\Image File Execution Options\explorer.exe
 
Must you have Windows Vista?

I would suggest wiping that HDD clean with KillDisk, then installing XP if you have a copy. I have seen silly things while working with Vista.
 
In your "opinion" it needs to be replaced. You can put XP on it without a problem. It's a more stable OS than Vista is now.

The choice is up to you, apparently.
 
Make sure you back up your files first, then download either CCleaner or Eusing Free Registry Cleaner. These two apps are a nice alternative to having to use a Windows application for your registry problems.

FenderGuy2112
 
Thank you all for your responses. I will try repairing using the Vista CD and if that is unsuccessful I will try a program such as CCleaner. Happy new year!

EDIT

System repair through the Windows Vista DVD was unable to find any problems with the system startup. Time to try CCleaner!

EDIT #2

CCleaner was also unable to detect the issue. I will now try Po`Girl's recommendations.

EDIT #3

None of the things that Po`Girl suggested applied to or fixed my problem. I am beginning to think about comparing my Registry startup values with those of a healthy Vista computer and adding/deleting entries manually.
 
It has been about two months and this is still an annoying problem. Does anyone else have any ideas?
 
When you install SpyBot Search & Destroy you are asked to create a restore point. Did you do that?
Also, did you use the safer-networking SpyBot S&D or the other Spybot.com version?

I have used SpyBot S&D for years from windows98 to XP Pro 64bit without any problems. SpyBot at spybot.com I don't know anything about. Anyone have experience with those folks?
Monton
 
I can suggest a couple of things you might want to try:
  1. Search for explorer.exe (be sure Vista is also searching through hidden files and folders). It should appear under Windows\System32. The fact that your logon opens the folder Windows\System32 rather than executing explorer makes me wonder if explorer.exe isn't there or the Winlogon Shell command is wrong.
  2. Check the Shell value for Winlogon in your registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon it should show
    Code:
    Shell     REG_SZ    explorer.exe
    It may be worthwhile to delete and re-enter explorer.exe yourself.
  3. Run System File Checker just to verify all the Vista system files. Open a cmd window as Administrator and type sfc /scannow. See this Microsoft article for how to view the log file and analyze the results.

/* Edit */
I should say, make sure the Winlogon Shell value is simply explorer.exe. This makes sure it's not an issue of incorrect parameters after the command causing problems.
 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Besides the fact that I do not use Windows NT, this directory does not exist. I get as far as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion but there is no directory named 'Winlogon'.
 
  1. Welcome to the non-obvious and unintuitive world of Windows.
  2. Read my post again. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon refers to the registry, not a disk directory.
  3. I guessed from the references to it in your first post that you were familiar with the Windows registry?
  4. And, yes, even though you are running Windows Vista you have a registry subkey "Windows NT".

The registry is sort of the "master database" of information for your system. I found this link to explain the Windows Registry a little more.

You need to be careful any time you go into the registry. Back it up and create a system restore point before making any changes. Click here for instructions for Vista.

Are you familiar with the Windows regedit tool to view/modify the registry? Here's a guide to the native Windows Vista tool.

/* Edit */
Just re-read your post and your use of the word "directory" rather than key or subkey threw me off. Yes, you are familiar with the registry. But you should have both a Windows and a Windows NT subkey.
 
Sorry for the confusion, LookinAround, but yeah I had just been completely overlooking that 'Windows NT' key. It's fixed! Thank you so much!

However, I still get the same two errors when I log onto the user accounts telling me that 'svchost.exe' cannot be loaded.
 
No problem about any confusion JesseM. Glad it got you past the one problem.

But given the Winlogon/Shell value was in fact the source of one problem, I also suspect your registry value for Winlogon/Userinit.

However,
I suspect the reason they've changed in the first place is because of spyware or virus infection (changing your registry user logon settings is a common form of infection).

Rather than having you look further at individual registry settings, you should look for infections. Follow the instructions in this link on spyware removal, which will also tell you how to create and post HijackThis logs. (FYI, one of the things HJT inspects is the specific registry values I've been talking about.)

kimsland: This type of infection wouldn't likely be found among startup programs. It's "starting itself" by hooking its changes into the user logon settings rather than hooking itself into the startup programs.

/* Edit */
BTW, it sounds like it's not starting itself successfully and that's what you are seeing. Could be that Spybot saw the infection and removed some but couldn't remove all of its parts.
 
I have already followed those instructions once because of this problem, and I believe that I successfully wiped my computer of malware. I think these messed up registry values are the aftermath of the viruses that were on my computer. I'll have to check Userinit when I am home, I will also try the startup control panel. Thanks guys.
 
Yeah, I don't know if you saw the /* Edit */ I added just after posting a couple of days back, but almost certainly it was some form of malware that modified your logon process to allow it to auto-start each time you logged in.

What you were seeing were the remnants of its startup mechanism after Spybot only partially disabled it.

There are a couple of other important registry values in addition to Userinit to look at. I can look them up but have no time just now. Why don't you go ahead and just run HijackThis and post it here? It can save me (and you) some time if I start with a HijackThis log. (Though if you DID post one before... just what value did you see for Winlogon/Shell when I had you first look? If you had posted a log before AND that value was incorrect, I'd be surprised everyone who reviewed it missed that fact.)
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:46 PM, on 2/17/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\RtHDVCpl.exe
C:\Users\Jesse\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Users\Jesse\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2DL9XD5Y\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Windows\system32\scvhost.exe
F3 - REG:win.ini: run=C:\Windows\system32\scvhost.exe
O1 - Hosts: 75.164.230.87 jessemerz.dynalias.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [googletalk] C:\Users\Jesse\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKLM\..\Policies\Explorer\Run: [Generic Host Process] C:\Windows\system32\scvhost.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3138149437-1689907971-922131132-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Kate')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-3138149437-1689907971-922131132-1002 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Kate')
O4 - S-1-5-21-3138149437-1689907971-922131132-1002 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Kate')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.9/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SndRecB.1.3 (SndRecA.1.3) - Unknown owner - C:\Program Files\Sound Card Recorder\service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7150 bytes
 
Those malware people are always sneaky.

From your very first post, you mention an error message about "the Windows registry could not load C:\Windows\system32\svchost.exe".

  • Are you sure the errors are about svchost.exe? Or are they about scvhost.exe? Note the spelling.
  • After the confusion we had about "Windows NT" at first, I went back to re-read your answers. You didn't indicate if you searched through your hard drive(s) for explorer.exe (being sure to include hidden files and folders in the search options).
  • While you're at it, why don't you also search through your drives for scvhost.exe with the inverted character spelling. I'm guessing Spybot already deleted it (though Spybot didn't or was unable to remove the hack in your win.ini file which tries to load and then run it!).

It's late and I will look at it some more tomorrow.

/* Edit */
But I will add one more thing now. Why don't you also search your drives looking for the misspelled scvhost with "a word or phrase" as the search option. This search will take a while to run.
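Added example, not code posted in this thread and not part of HijackThis or Spybot: a small Python script that does the two checks LookinAround walks through above. It compares the Winlogon Shell and Userinit values against stock values, and it scans HijackThis-style F3/O4/O20 lines for the legacy win.ini load=/run= hook, Policies\Explorer\Run autostarts, and file names that are near-miss spellings of Windows system binaries (scvhost.exe for svchost.exe). The sample lines are copied from the HijackThis log posted above; the expected Winlogon values, the list of imitated system binaries and the edit-distance threshold of 2 are the script's own assumptions. On Windows it reads the live Winlogon values with the standard winreg module; elsewhere it only checks whatever strings you pass in.

```python
"""Added example for this thread: check the logon hooks discussed above.

Not code from the thread, HijackThis or Spybot. Assumptions: the stock
Winlogon values below, the list of imitated system binaries, and an
edit-distance threshold of 2 for a look-alike name.
"""
import re
import sys

# Stock values on a clean Vista/XP system (assumption; compared case-insensitively).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# System binaries that malware commonly imitates with near-miss spellings.
SYSTEM_BINARIES = sorted({
    "svchost.exe", "explorer.exe", "userinit.exe", "winlogon.exe", "lsass.exe",
    "csrss.exe", "services.exe", "rundll32.exe", "smss.exe", "spoolsv.exe",
})

# Lines copied from the HijackThis log posted in this thread (sample input).
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"F3 - REG:win.ini: load=C:\Windows\system32\scvhost.exe",
    r"F3 - REG:win.ini: run=C:\Windows\system32\scvhost.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [Generic Host Process] C:\Windows\system32\scvhost.exe",
    r"O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll",
]

# Any whitespace-free token ending in .exe or .dll (brackets excluded so "[name]" tags don't bleed in).
_EXE_RE = re.compile(r"[^\s\[\]]+\.(?:exe|dll)", re.IGNORECASE)


def levenshtein(a, b):
    """Plain edit distance (substitution, insertion, deletion)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary a file name imitates, or None if it is exact or unrelated."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    closest = min(SYSTEM_BINARIES, key=lambda real: levenshtein(name, real))
    return closest if levenshtein(name, closest) <= 2 else None


def check_winlogon(shell, userinit):
    """Compare Winlogon Shell/Userinit strings with the stock values; return a list of problems."""
    problems = []
    if shell.strip().lower() != EXPECTED_SHELL:
        problems.append("Shell is %r, expected %r" % (shell, EXPECTED_SHELL))
    # The stock Userinit value ends in a comma; tolerate its absence.
    if userinit.strip().rstrip(",").lower() != EXPECTED_USERINIT:
        problems.append("Userinit is %r, expected %r," % (userinit, EXPECTED_USERINIT))
    return problems


def read_winlogon_from_registry():
    """Read the live Winlogon values on Windows; return None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    shell, _ = winreg.QueryValueEx(key, "Shell")
    userinit, _ = winreg.QueryValueEx(key, "Userinit")
    return shell, userinit


def scan_hjt_lines(lines):
    """Return (line, reason) pairs for suspicious F3/O4/O20 autostart entries."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line.startswith(("F3 ", "O4 ", "O20 ")):
            continue
        if line.startswith("F3 ") and re.search(r"win\.ini:\s*(load|run)=\S", line):
            findings.append((line, "legacy win.ini load=/run= hook"))
        if r"\Policies\Explorer\Run" in line:
            findings.append((line, r"autostart via Policies\Explorer\Run"))
        for token in _EXE_RE.findall(line):
            base = token.replace("/", "\\").split("\\")[-1]
            real = lookalike_of(base)
            if real:
                findings.append((line, "%s imitates %s" % (base, real)))
    return findings


if __name__ == "__main__":
    live = read_winlogon_from_registry()
    shell, userinit = live if live else ("explorer.exe", EXPECTED_USERINIT + ",")
    for problem in check_winlogon(shell, userinit) or ["Winlogon values look stock"]:
        print(problem)
    for line, reason in scan_hjt_lines(SAMPLE_LOG_LINES):
        print("%-40s %s" % (reason, line))
```

Run on the sample it reports the two win.ini hooks, the Policies\Explorer\Run entry, and three look-alike hits for scvhost.exe, while the AVG, Realtek and Winlogon Notify entries pass. Extending SYSTEM_BINARIES to anything else that lives in System32 on your build is the obvious next step; keep the threshold at 2 or lower, since a looser match starts flagging legitimate short names.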
 
You are correct, it was scvhost.exe that was being called up at logon.

I have searched for scvhost.exe and turned up one result. It was located in the recovery archive for Spybot S&D under some kind of trojan.

I searched for explorer.exe and turned up at least 13 results. Four of them were C:\Windows\explorer.exe (identical to each other), and the rest were random files in the Spybot S&D archives.
 