
Can't access regedit, popups! Why?


Lord_Zoltan (Member, joined Apr 23, 2002, Canada, EH?)
Hey guys, it's been a while since I have been on.
Anyways, I got a mega problem.

I have these annoying casino popups. I presume spyware/adware.

I ran Spybot and Ad-Aware 6. Cleaned everything out.
Yet somehow I still have these annoying popups.
I wanted to sift through the registry. So I went Start->Run->regedit *enter*.
Bam, I get "REGEDIT IS NOT A VALID WIN32 APPLICATION".

Please help, my shutdown is taking long. I wanna fix that too via the registry but I can't get in... anyone know why it's doing that...

~Z
 
Here I also posted my HijackThis log file.


Code:
Logfile of HijackThis v1.99.1
Scan saved at 4:05:27 PM, on 3/11/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Wm9sdGFu\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\szfpllv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
D:\[Appz]\Glass2k.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\szfpllvA.exe
C:\WINDOWS\okbqnx.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\ctfmon.exe
D:\[Appz]\Rainlendar-0.22.1\Rainlendar.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Z\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Glass2k] D:\[Appz]\Glass2k.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [szfpllvA] C:\WINDOWS\szfpllvA.exe
O4 - HKLM\..\Run: [AUeiC] C:\WINDOWS\okbqnx.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Rainlendar.lnk = D:\[Appz]\Rainlendar-0.22.1\Rainlendar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [url]http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab[/url]
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab[/url]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url]http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab[/url]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [url]http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab[/url]
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Wm9sdGFu\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\szfpllv.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
 
The processes "C:\WINDOWS\szfpllv.exe", "C:\WINDOWS\szfpllvA.exe", and "C:\WINDOWS\okbqnx.exe" look suspicious. I'd boot into safe mode, enable the viewing of hidden files and folders, and run the scans again. You can also run a virus scan afterwards as well, as that may be part of the problem as well.
 
Also, what you should do is go to C:\windows, and find the actual regedit.exe. I've seen viruses/spyware put in a regedit.com, which I believe is what is being executed. Or you could type in regedit.exe in the run command.
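The regedit.com trick works because a bare command name is resolved by trying the PATHEXT extensions in order, and .COM normally comes before .EXE. The following PowerShell script is an added example, not code posted in this thread; it lists every file a watch-listed name can resolve to, so a lookalike planted beside the real executable shows up with its size and signature status. The watch-list is a constructed assumption; it assumes PowerShell 3 or later.

```powershell
# Added example, not from the thread. For each name on the watch-list, walk the
# directories and extensions in the order cmd.exe uses (current directory, then
# PATH; .COM before .EXE, per PATHEXT) and report every file that matches.
# More than one match means the first one is what actually runs when you type
# the bare name, which is exactly how a planted regedit.com wins over regedit.exe.
$watchList = 'regedit', 'taskmgr', 'msconfig', 'cmd', 'notepad'   # constructed list

# Search directories in shell order; drop empty entries and duplicates.
$searchDirs = @('.') + ($env:PATH -split ';') | Where-Object { $_ } | Select-Object -Unique
# Extensions in PATHEXT order, normally .COM;.EXE;.BAT;.CMD;...
$extensions = $env:PATHEXT -split ';' | Where-Object { $_ }

foreach ($name in $watchList) {
    $found = foreach ($dir in $searchDirs) {
        foreach ($ext in $extensions) {
            $candidate = Join-Path $dir ($name + $ext)
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                Get-Item -LiteralPath $candidate
            }
        }
    }
    $found = @($found)
    if ($found.Count -le 1) { continue }   # nothing is shadowing this name

    Write-Warning "'$name' resolves to $($found.Count) files; the first one is what runs:"
    foreach ($file in $found) {
        # An unsigned .com/.pif/.bat ahead of a signed .exe is the thing to look at.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        '{0,-55} {1,9} bytes  {2}' -f $file.FullName, $file.Length, $sig.Status
    }
}
```

Run it from a normal prompt; nothing is deleted or changed, it only reports what the shell would pick.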
 
Enable beta updates on Spybot and update all your spyware tools. Run Microsoft AntiSpyware, AVG virus scan. Numerous others you can use too, but I'd start there.

You can also Google your HijackThis log entries to see what it comes back with... write down all suspect ones and post them up...
 
Use Process Explorer. It will tell you the location in your system where the executable is. Use Unlocker to kill the exe if you cannot delete it. Both are free progs. Doesn't really sound like a virus.
 
CrystalMethod said:
The processes "C:\WINDOWS\szfpllv.exe", "C:\WINDOWS\szfpllvA.exe", and "C:\WINDOWS\okbqnx.exe" look suspicious. I'd boot into safe mode, enable the viewing of hidden files and folders, and run the scans again. You can also run a virus scan afterwards as well, as that may be part of the problem as well.


Totally agree with you on these. I noticed these right away.
I like the safe mode idea. I was going to do that if no one else knew any instant fixes. Thanks.

Know Nuttin said:
Also, what you should do is go to C:\windows, and find the actual regedit.exe. I've seen viruses/spyware put in a regedit.com, which I believe is what is being executed. Or you could type in regedit.exe in the run command.

For some reason I never thought of this.
BRILLIANT, I typed regedit.exe. PWN!
Thanks man.
I'll do more tinkering and get back to you.
Many thanks.
 
Know Nuttin said:
No problem. Keep us updated. Post more HijackThis logs if you want. Until you're clean.
I haven't had a popup in a while.
The only problem is I still have to type regedit.exe to get into reg. Not sure how to fix that.
Otherwise I haven't had a popup, I'm going to give it more time.

Till then, CHEERS.

Z
 
You can try running a repair install of windows once you're sure everything is gone. That will restore all the base windows files to their original versions. The only problem is that you'll have to re-update windows afterwards.
 
Lord_Zoltan said:
Here I also posted my HijackThis log file.


Code:
C:\WINDOWS\Wm9sdGFu\command.exe
C:\WINDOWS\szfpllv.exe
D:\[Appz]\Glass2k.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\szfpllvA.exe
C:\WINDOWS\okbqnx.exe

O4 - HKLM\..\Run: [Glass2k] D:\[Appz]\Glass2k.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [szfpllvA] C:\WINDOWS\szfpllvA.exe
O4 - HKLM\..\Run: [AUeiC] C:\WINDOWS\okbqnx.exe
O4 - Startup: Rainlendar.lnk = D:\[Appz]\Rainlendar-0.22.1\Rainlendar.exe

O20 - AppInit_DLLs: MsgPlusLoader.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Wm9sdGFu\command.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\szfpllv.exe

I removed everything I knew and left the rest. I do this for a living, so I tend to know my stuff. HijackThis is only one tool though; these things need to be manually removed from their respective folders first while in safe mode, then removed from HijackThis. Also be sure to run msconfig as well to ensure something else isn't sneaking around. If the file doesn't delete in safe mode, find and download "KillBox"; it's a neat little app that allows you to temporarily suspend Windows/Explorer to delete unwanted applications. If it's real stubborn and KillBox doesn't work there are yet more tools that will literally hose Windows for a second to delete the file, but you'll then have to reboot. If there are a lot of files to delete this could be time consuming.

Another trick is to check the windows and windows\system32 folders and sort the items by their modified date. Most of the adware comes after installation, so they tend to be listed as 'newer' apps and are grouped as such. Hovering over unknown/unfamiliar items (and most will be unless you really know your stuff) with the mouse will reveal who the publisher of that file is. If it lists none and just a file size it may be malicious. Write it down, run it in a Google search or on a trusted site that lists the various processes. Be sure to verify it isn't needed first; deleting needed Windows files can be a PITA to fix. :p
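The sort-by-date and check-the-publisher trick above, as an added PowerShell example that is not code from this thread: it lists binaries in %SystemRoot% and %SystemRoot%\System32 modified after a cut-off, newest first, with the company name from the file's version resource (what Explorer shows on hover) and the Authenticode signature status. The 30-day cut-off and the extension list are constructed assumptions; it assumes PowerShell 3 or later.

```powershell
# Added example, not from the thread. Recently modified, unsigned, no-publisher
# binaries under the Windows folders are the ones to look up before deleting.
$cutoff     = (Get-Date).AddDays(-30)            # assumption: roughly when the popups started
$dirs       = "$env:SystemRoot", "$env:SystemRoot\System32"
$binaryExts = '^\.(exe|com|dll|scr|pif|sys)$'    # constructed list of extensions worth checking

$report = Get-ChildItem -Path $dirs -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff -and $_.Extension -match $binaryExts } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Modified  = $_.LastWriteTime
            File      = $_.FullName
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Company   = $_.VersionInfo.CompanyName   # empty = "no publisher" on hover
            Signature = $sig.Status                  # NotSigned / Valid / HashMismatch ...
        }
    } | Sort-Object Modified -Descending

# Show only what is not validly signed; write these names down and look them up.
$report | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Nothing is deleted; the script only reports. A missing CompanyName plus NotSigned is a reason to research the file, not proof on its own.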
 