D
DHampton
I keep getting a reg.exe app error (0x0000022) upon booting. When I click OK
it continues seemingly ok, but what's the prob?
it continues seemingly ok, but what's the prob?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
R
Ron Badour
It is probably an infection of some sort. Run scans with up to date
antivirus and malware programs. Malwarebyte's Anti-Malware which is a
very good free program, that can be downloaded from here:
http://www.download.com/Malwarebyte...l-10804572&subj=dl&tag=button&cdlPid=10997763
--
Regards
Ron Badour
MS MVP
Windows Desktop Experience
antivirus and malware programs. Malwarebyte's Anti-Malware which is a
very good free program, that can be downloaded from here:
http://www.download.com/Malwarebyte...l-10804572&subj=dl&tag=button&cdlPid=10997763
--
Regards
Ron Badour
MS MVP
Windows Desktop Experience
D
DHampton
Thank, Ron. I use Trend Micro & run scans & anti-virus updates nearly
everyday, but of course that doesn't mean you're wrong. Sigh. I will try the
link you suggest at Malwarebyte.
everyday, but of course that doesn't mean you're wrong. Sigh. I will try the
link you suggest at Malwarebyte.
D
DHampton
Malwarebyte did not find any infection either. Any other suggestions?
D
Daave
DHampton said:I keep getting a reg.exe app error (0x0000022) upon booting. When I
click OK it continues seemingly ok, but what's the prob?
Please quote the *entire* message.
D
DHampton
That is the entire message. Ron suggested an infection but 2 scans by 2
different security software didn't find anything.
different security software didn't find anything.
J
Jose
I keep getting a reg.exe app error (0x0000022) upon booting. When I clickOK
it continues seemingly ok, but what's the prob?
Part of the problem is the reg.exe program is not something that would
normally run, so why is it trying to run? There is a Windows program
called reg.exe, but it should not be launching at startup (or ever by
itself).
The alcarys.g worm may manifest itself as reg.exe. If you get an
infection, your scans may remove most of these worms but leave parts
of it behind. Since you only see it on reboot, that makes finding it
a little easier.
Perhaps there is a reg.exe (or something else) in a startup place it
should not be.
Click Start, Run, enter cmd in the box and click OK.
At the prompt, enter reg.exe and see if the Windows Registry Tool help
screen by. If not, report back and the rest here won't make sense.
If yes, export the 2 startup registry keys of immediate interest to
separate text files thusly:
reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txt
Open each .txt file with your text editor and copy/paste them back
here for analysis.
D
DHampton
I wasn't completely sure what you meant by "if the Windows Registry Tool help
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\DEBBIE>reg.exe
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Succussful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
C:\Documents and Settings\DEBBIE>reg query
hkcu\software\microsoft\windows\curre
ntversion\run>hkcu.txt
C:\Documents and Settings\DEBBIE>reg query
hklm\software\microsoft\windows\curre
ntversion\run>hklm.txt
C:\Documents and Settings\DEBBIE>
And that was it. It didn't do anything else. I was getting invalid key name,
syntax error, etc. when I mis-typed, but no text files or any other message
appeared when it seemed to take the query as correct.
Would it help at all to check the logs to see if the worm you mentioned had
been found & deleted?
Thanks.
screen by." It did list options for queries, but no text files appeared.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\DEBBIE>reg.exe
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Succussful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
C:\Documents and Settings\DEBBIE>reg query
hkcu\software\microsoft\windows\curre
ntversion\run>hkcu.txt
C:\Documents and Settings\DEBBIE>reg query
hklm\software\microsoft\windows\curre
ntversion\run>hklm.txt
C:\Documents and Settings\DEBBIE>
And that was it. It didn't do anything else. I was getting invalid key name,
syntax error, etc. when I mis-typed, but no text files or any other message
appeared when it seemed to take the query as correct.
Would it help at all to check the logs to see if the worm you mentioned had
been found & deleted?
Thanks.
J
Jose
I wasn't completely sure what you meant by "if the Windows Registry Tool help
screen by." It did list options for queries, but no text files appeared..
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\DEBBIE>reg.exe
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Succussful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
C:\Documents and Settings\DEBBIE>reg query
hkcu\software\microsoft\windows\curre
ntversion\run>hkcu.txt
C:\Documents and Settings\DEBBIE>reg query
hklm\software\microsoft\windows\curre
ntversion\run>hklm.txt
C:\Documents and Settings\DEBBIE>
And that was it. It didn't do anything else. I was getting invalid key name,
syntax error, etc. when I mis-typed, but no text files or any other message
appeared when it seemed to take the query as correct.
Would it help at all to check the logs to see if the worm you mentioned had
been found & deleted?
Thanks.
--
DHampton
Part of the problem is the reg.exe program is not something that would
normally run, so why is it trying to run? There is a Windows program
called reg.exe, but it should not be launching at startup (or ever by
itself).The alcarys.g worm may manifest itself as reg.exe. If you get an
infection, your scans may remove most of these worms but leave parts
of it behind. Since you only see it on reboot, that makes finding it
a little easier.Perhaps there is a reg.exe (or something else) in a startup place it
should not be.Click Start, Run, enter cmd in the box and click OK.At the prompt, enter reg.exe and see if the Windows Registry Tool help
screen by. If not, report back and the rest here won't make sense.If yes, export the 2 startup registry keys of immediate interest to
separate text files thusly:reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txtOpen each .txt file with your text editor and copy/paste them back
here for analysis.
Since you got the help screen, it appears the reg.exe itself is
functional which is good.
If you run these commands:
reg query hklm\software\microsoft\windows\currentversion\run
reg query hkcu\software\microsoft\windows\currentversion\run
You should see some stuff dumped out to your screen, so we just need
to redirect the output to a text file with the > syntax:
reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txt
Look in the c:\documents and settings\DEBBIE folder for hklm.txt and
hkcu.txt, open them with you text editor, select all, copy and paste
here. If it didn't complain when you typed it properly, that is
good. Just need to see the contents of the .txt files.
You almost got it!
R
Ron Badour
Debbie
Go to run on the start menu and type: msconfig and OK. Click on the
start up tab and look for the reg.exe entry. Assuming you find it, remove
the mark from in front on the entry, OK and reboot. On the resulting
screen, mark the box to not show the screen and hopefully this will end the
problem.
What may have happened is an infection was partially cleaned up but left the
registry entry. The reason is kind of moot at this point as you just want to
shut off the message at boot.
--
Regards
Ron Badour
MS MVP
Windows Desktop Experience
Go to run on the start menu and type: msconfig and OK. Click on the
start up tab and look for the reg.exe entry. Assuming you find it, remove
the mark from in front on the entry, OK and reboot. On the resulting
screen, mark the box to not show the screen and hopefully this will end the
problem.
What may have happened is an infection was partially cleaned up but left the
registry entry. The reason is kind of moot at this point as you just want to
shut off the message at boot.
--
Regards
Ron Badour
MS MVP
Windows Desktop Experience
DHampton said:I wasn't completely sure what you meant by "if the Windows Registry Tool
helpscreen by." It did list options for queries, but no text files appeared.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\DEBBIE>reg.exe
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Succussful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
C:\Documents and Settings\DEBBIE>reg query
hkcu\software\microsoft\windows\curre
ntversion\run>hkcu.txt
C:\Documents and Settings\DEBBIE>reg query
hklm\software\microsoft\windows\curre
ntversion\run>hklm.txt
C:\Documents and Settings\DEBBIE>
And that was it. It didn't do anything else. I was getting invalid key
name,
syntax error, etc. when I mis-typed, but no text files or any other
message
appeared when it seemed to take the query as correct.
Would it help at all to check the logs to see if the worm you mentioned
had
been found & deleted?
Thanks.
--
DHampton
Jose said:Part of the problem is the reg.exe program is not something that would
normally run, so why is it trying to run? There is a Windows program
called reg.exe, but it should not be launching at startup (or ever by
itself).
The alcarys.g worm may manifest itself as reg.exe. If you get an
infection, your scans may remove most of these worms but leave parts
of it behind. Since you only see it on reboot, that makes finding it
a little easier.
Perhaps there is a reg.exe (or something else) in a startup place it
should not be.
Click Start, Run, enter cmd in the box and click OK.
At the prompt, enter reg.exe and see if the Windows Registry Tool help
screen by. If not, report back and the rest here won't make sense.
If yes, export the 2 startup registry keys of immediate interest to
separate text files thusly:
reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txt
Open each .txt file with your text editor and copy/paste them back
here for analysis.
D
DHampton
Ron--
I did this several months ago when the prob started and couldn't find it and
just did it again & it wasn't there anywhere. I looked twice. So, I will
pursue Jose's suggestion.
Thanks.
--
DHampton
I did this several months ago when the prob started and couldn't find it and
just did it again & it wasn't there anywhere. I looked twice. So, I will
pursue Jose's suggestion.
Thanks.
--
DHampton
Ron Badour said:Debbie
Go to run on the start menu and type: msconfig and OK. Click on the
start up tab and look for the reg.exe entry. Assuming you find it, remove
the mark from in front on the entry, OK and reboot. On the resulting
screen, mark the box to not show the screen and hopefully this will end the
problem.
What may have happened is an infection was partially cleaned up but left the
registry entry. The reason is kind of moot at this point as you just want to
shut off the message at boot.
--
Regards
Ron Badour
MS MVP
Windows Desktop Experience
DHampton said:I wasn't completely sure what you meant by "if the Windows Registry Tool
helpscreen by." It did list options for queries, but no text files appeared.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\DEBBIE>reg.exe
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Succussful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
C:\Documents and Settings\DEBBIE>reg query
hkcu\software\microsoft\windows\curre
ntversion\run>hkcu.txt
C:\Documents and Settings\DEBBIE>reg query
hklm\software\microsoft\windows\curre
ntversion\run>hklm.txt
C:\Documents and Settings\DEBBIE>
And that was it. It didn't do anything else. I was getting invalid key
name,
syntax error, etc. when I mis-typed, but no text files or any other
message
appeared when it seemed to take the query as correct.
Would it help at all to check the logs to see if the worm you mentioned
had
been found & deleted?
Thanks.
--
DHampton
Jose said:I keep getting a reg.exe app error (0x0000022) upon booting. When I
click OK
it continues seemingly ok, but what's the prob?
--
DHampton
Part of the problem is the reg.exe program is not something that would
normally run, so why is it trying to run? There is a Windows program
called reg.exe, but it should not be launching at startup (or ever by
itself).
The alcarys.g worm may manifest itself as reg.exe. If you get an
infection, your scans may remove most of these worms but leave parts
of it behind. Since you only see it on reboot, that makes finding it
a little easier.
Perhaps there is a reg.exe (or something else) in a startup place it
should not be.
Click Start, Run, enter cmd in the box and click OK.
At the prompt, enter reg.exe and see if the Windows Registry Tool help
screen by. If not, report back and the rest here won't make sense.
If yes, export the 2 startup registry keys of immediate interest to
separate text files thusly:
reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txt
Open each .txt file with your text editor and copy/paste them back
here for analysis.
D
DHampton
Jose--Here are the files:
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
ISUSScheduler REG_SZ "C:\Program Files\Common
Files\InstallShield\UpdateService\issch.exe" -start
swg REG_SZ C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
WMPNSCFG REG_SZ C:\Program Files\Windows Media Player\WMPNSCFG.exe
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
WordPerfect Office 1215 REG_SZ C:\Program Files\WordPerfect Office
12\Programs\Registration.exe /title="WordPerfect Office 12" /date=081809
serial=WP12WUX-0222674-QEQ lang=EN
TkBellExe REG_SZ "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
SynTPEnh REG_SZ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SigmatelSysTrayApp REG_SZ stsystra.exe
Persistence REG_SZ C:\WINDOWS\system32\igfxpers.exe
PCMService REG_SZ "C:\Program Files\Dell\MediaDirect\PCMService.exe"
OEM02Mon.exe REG_SZ C:\WINDOWS\OEM02Mon.exe
KADxMain REG_SZ C:\WINDOWS\system32\KADxMain.exe
ISUSPM Startup REG_SZ C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
-startup
IgfxTray REG_SZ C:\WINDOWS\system32\igfxtray.exe
dscactivate REG_SZ "C:\Program Files\Dell Support
Center\gs_agent\custom\dsca.exe"
Broadcom Wireless Manager UI REG_SZ C:\WINDOWS\system32\WLTRAY.exe
IJNetworkScanUtility REG_SZ C:\Program Files\Canon\Canon IJ Network Scan
Utility\CNMNSUT.EXE
nmctxth REG_SZ "C:\Program Files\Common Files\Pure Networks
Shared\Platform\nmctxth.exe"
nmapp REG_SZ "C:\Program Files\Pure Networks\Network Magic\nmapp.exe"
-autorun -nosplash
UfSeAgnt.exe REG_SZ "C:\Program Files\Trend Micro\Internet
Security\UfSeAgnt.exe"
StartupDelayer REG_SZ "C:\Program Files\r2 Studios\Startup
Delayer\Startup Launcher.exe"
Dell QuickSet REG_SZ C:\Program Files\Dell\QuickSet\quickset.exe
dellsupportcenter REG_SZ "C:\Program Files\Dell Support
Center\bin\sprtcmd.exe" /P dellsupportcenter
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents
--
DHampton
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
ISUSScheduler REG_SZ "C:\Program Files\Common
Files\InstallShield\UpdateService\issch.exe" -start
swg REG_SZ C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
WMPNSCFG REG_SZ C:\Program Files\Windows Media Player\WMPNSCFG.exe
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
WordPerfect Office 1215 REG_SZ C:\Program Files\WordPerfect Office
12\Programs\Registration.exe /title="WordPerfect Office 12" /date=081809
serial=WP12WUX-0222674-QEQ lang=EN
TkBellExe REG_SZ "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
SynTPEnh REG_SZ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SigmatelSysTrayApp REG_SZ stsystra.exe
Persistence REG_SZ C:\WINDOWS\system32\igfxpers.exe
PCMService REG_SZ "C:\Program Files\Dell\MediaDirect\PCMService.exe"
OEM02Mon.exe REG_SZ C:\WINDOWS\OEM02Mon.exe
KADxMain REG_SZ C:\WINDOWS\system32\KADxMain.exe
ISUSPM Startup REG_SZ C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
-startup
IgfxTray REG_SZ C:\WINDOWS\system32\igfxtray.exe
dscactivate REG_SZ "C:\Program Files\Dell Support
Center\gs_agent\custom\dsca.exe"
Broadcom Wireless Manager UI REG_SZ C:\WINDOWS\system32\WLTRAY.exe
IJNetworkScanUtility REG_SZ C:\Program Files\Canon\Canon IJ Network Scan
Utility\CNMNSUT.EXE
nmctxth REG_SZ "C:\Program Files\Common Files\Pure Networks
Shared\Platform\nmctxth.exe"
nmapp REG_SZ "C:\Program Files\Pure Networks\Network Magic\nmapp.exe"
-autorun -nosplash
UfSeAgnt.exe REG_SZ "C:\Program Files\Trend Micro\Internet
Security\UfSeAgnt.exe"
StartupDelayer REG_SZ "C:\Program Files\r2 Studios\Startup
Delayer\Startup Launcher.exe"
Dell QuickSet REG_SZ C:\Program Files\Dell\QuickSet\quickset.exe
dellsupportcenter REG_SZ "C:\Program Files\Dell Support
Center\bin\sprtcmd.exe" /P dellsupportcenter
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents
--
DHampton
Jose said:I wasn't completely sure what you meant by "if the Windows Registry Tool help
screen by." It did list options for queries, but no text files appeared..
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\DEBBIE>reg.exe
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Succussful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
C:\Documents and Settings\DEBBIE>reg query
hkcu\software\microsoft\windows\curre
ntversion\run>hkcu.txt
C:\Documents and Settings\DEBBIE>reg query
hklm\software\microsoft\windows\curre
ntversion\run>hklm.txt
C:\Documents and Settings\DEBBIE>
And that was it. It didn't do anything else. I was getting invalid key name,
syntax error, etc. when I mis-typed, but no text files or any other message
appeared when it seemed to take the query as correct.
Would it help at all to check the logs to see if the worm you mentioned had
been found & deleted?
Thanks.
--
DHampton
Jose said:I keep getting a reg.exe app error (0x0000022) upon booting. When I click OK
it continues seemingly ok, but what's the prob?Part of the problem is the reg.exe program is not something that would
normally run, so why is it trying to run? There is a Windows program
called reg.exe, but it should not be launching at startup (or ever by
itself).The alcarys.g worm may manifest itself as reg.exe. If you get an
infection, your scans may remove most of these worms but leave parts
of it behind. Since you only see it on reboot, that makes finding it
a little easier.Perhaps there is a reg.exe (or something else) in a startup place it
should not be.Click Start, Run, enter cmd in the box and click OK.At the prompt, enter reg.exe and see if the Windows Registry Tool help
screen by. If not, report back and the rest here won't make sense.If yes, export the 2 startup registry keys of immediate interest to
separate text files thusly:reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txtOpen each .txt file with your text editor and copy/paste them back
here for analysis.
Since you got the help screen, it appears the reg.exe itself is
functional which is good.
If you run these commands:
reg query hklm\software\microsoft\windows\currentversion\run
reg query hkcu\software\microsoft\windows\currentversion\run
You should see some stuff dumped out to your screen, so we just need
to redirect the output to a text file with the > syntax:
reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txt
Look in the c:\documents and settings\DEBBIE folder for hklm.txt and
hkcu.txt, open them with you text editor, select all, copy and paste
here. If it didn't complain when you typed it properly, that is
good. Just need to see the contents of the .txt files.
You almost got it!
E
Elmo
DHampton said:I keep getting a reg.exe app error (0x0000022) upon booting. When I click OK
it continues seemingly ok, but what's the prob?
Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type:
reg.exe
into the search pane. Click "Find Next", and when located, delete the
reference to the file. Press F3 to continue the search.
You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.
J
Jose
Jose--Here are the files:
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
ISUSScheduler REG_SZ "C:\Program Files\Common
Files\InstallShield\UpdateService\issch.exe" -start
swg REG_SZ C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
WMPNSCFG REG_SZ C:\Program Files\Windows Media Player\WMPNSCFG.exe
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
WordPerfect Office 1215 REG_SZ C:\Program Files\WordPerfect Office
12\Programs\Registration.exe /title="WordPerfect Office 12" /date=081809
serial=WP12WUX-0222674-QEQ lang=EN
TkBellExe REG_SZ "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
SynTPEnh REG_SZ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SigmatelSysTrayApp REG_SZ stsystra.exe
Persistence REG_SZ C:\WINDOWS\system32\igfxpers.exe
PCMService REG_SZ "C:\Program Files\Dell\MediaDirect\PCMService.exe"
OEM02Mon.exe REG_SZ C:\WINDOWS\OEM02Mon.exe
KADxMain REG_SZ C:\WINDOWS\system32\KADxMain.exe
ISUSPM Startup REG_SZ C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
-startup
IgfxTray REG_SZ C:\WINDOWS\system32\igfxtray.exe
dscactivate REG_SZ "C:\Program Files\Dell Support
Center\gs_agent\custom\dsca.exe"
Broadcom Wireless Manager UI REG_SZ C:\WINDOWS\system32\WLTRAY.exe
IJNetworkScanUtility REG_SZ C:\Program Files\Canon\Canon IJ Network Scan
Utility\CNMNSUT.EXE
nmctxth REG_SZ "C:\Program Files\Common Files\Pure Networks
Shared\Platform\nmctxth.exe"
nmapp REG_SZ "C:\Program Files\Pure Networks\Network Magic\nmapp.exe"
-autorun -nosplash
UfSeAgnt.exe REG_SZ "C:\Program Files\Trend Micro\Internet
Security\UfSeAgnt.exe"
StartupDelayer REG_SZ "C:\Program Files\r2 Studios\Startup
Delayer\Startup Launcher.exe"
Dell QuickSet REG_SZ C:\Program Files\Dell\QuickSet\quickset.exe
dellsupportcenter REG_SZ "C:\Program Files\Dell Support
Center\bin\sprtcmd.exe" /P dellsupportcenter
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalCo mponents
--
DHampton
Jose said:I wasn't completely sure what you meant by "if the Windows Registry Tool help
screen by." It did list options for queries, but no text files appeared..
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\DEBBIE>reg.exe
Console Registry Tool for Windows - version 3.0
Copyright (C) Microsoft Corp. 1981-2001. All rights reserved
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY |
SAVE | LOAD | UNLOAD | RESTORE |
COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Succussful
1 - Failed
For help on a specific operation type:
REG Operation /?
Examples:
REG QUERY /?
REG ADD /?
REG DELETE /?
REG COPY /?
REG SAVE /?
REG RESTORE /?
REG LOAD /?
REG UNLOAD /?
REG COMPARE /?
REG EXPORT /?
REG IMPORT /?
C:\Documents and Settings\DEBBIE>reg query
hkcu\software\microsoft\windows\curre
ntversion\run>hkcu.txt
C:\Documents and Settings\DEBBIE>reg query
hklm\software\microsoft\windows\curre
ntversion\run>hklm.txt
C:\Documents and Settings\DEBBIE>
And that was it. It didn't do anything else. I was getting invalid key name,
syntax error, etc. when I mis-typed, but no text files or any other message
appeared when it seemed to take the query as correct.
Would it help at all to check the logs to see if the worm you mentioned had
been found & deleted?
Thanks.
--
DHampton
:
I keep getting a reg.exe app error (0x0000022) upon booting. WhenI click OK
it continues seemingly ok, but what's the prob?
--
DHampton
Part of the problem is the reg.exe program is not something that would
normally run, so why is it trying to run? There is a Windows program
called reg.exe, but it should not be launching at startup (or ever by
itself).
The alcarys.g worm may manifest itself as reg.exe. If you get an
infection, your scans may remove most of these worms but leave parts
of it behind. Since you only see it on reboot, that makes finding it
a little easier.
Perhaps there is a reg.exe (or something else) in a startup place it
should not be.
Click Start, Run, enter cmd in the box and click OK.
At the prompt, enter reg.exe and see if the Windows Registry Tool help
screen by. If not, report back and the rest here won't make sense.
If yes, export the 2 startup registry keys of immediate interest to
separate text files thusly:
reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txt
Open each .txt file with your text editor and copy/paste them back
here for analysis.Since you got the help screen, it appears the reg.exe itself is
functional which is good.If you run these commands:reg query hklm\software\microsoft\windows\currentversion\run
reg query hkcu\software\microsoft\windows\currentversion\runYou should see some stuff dumped out to your screen, so we just need
to redirect the output to a text file with the > syntax:reg query hklm\software\microsoft\windows\currentversion\run >
hklm.txt
reg query hkcu\software\microsoft\windows\currentversion\run >
hkcu.txtLook in the c:\documents and settings\DEBBIE folder for hklm.txt and
hkcu.txt, open them with you text editor, select all, copy and paste
here. If it didn't complain when you typed it properly, that is
good. Just need to see the contents of the .txt files.You almost got it!
You can try the suggestion from elmo.
I do not see anything that would make reg.exe run but I don't
recognize everything you have installed.
There are some "shotgun" maybe, type suggestions for this problme but
I would rather figure it out and fix it.
Since you see it on boot, that would indicate it is part of your HKLM
(Local Machine) configuration and you have a lot of stuff in there
which is fine. Now we need to start eliminating them one by one by
turning them off using MSCONFIG. MSCONFIG is a troubleshooting tool
and we are troubleshooting. We can fix the trouble later.
Click Start, Run, msconfig and look at the Startup tab. Under the
Location column, you are interested the the things that start with
HKLM.
Uncheck the box(s) for things you think you have installed yourself.
This disables the item, back but does not uninstall it, so you can
enable it again later. After making a change, you will want to reboot
and when you do, you will get a message that your system configuration
has changed, so just acknowledge the message and continue the boot.
Keep unchecking one item at a time until the problem goes away.
It is up to you how many you want to do at once, but one at a time is
the best so you will know for sure which one is the problem. Start
with things that look familiar and you may have installed around the
time of the problem lately (unless you know what install caused the
problem).
The HKCU (Current User) items start when you login (not quite the same
a s a reboot). It could be one of them, but start with the HKLM ones.
When you uncheck it, the problem goes away. When you check it, the
problem comes back. Put the other items back except for the
suspicious one.
Which one causes the problem when enabled?
D
DHampton
Elmo--I've done this in the past and it doesn't find anything.
D
DHampton
Elmo--I've done this before and it couldn't find reg.exe.
E
Elmo
DHampton said:Elmo--I've done this in the past and it doesn't find anything.
It can be called from another program.. an advanced search of the HD
for any file containing "reg.exe" might show you what's calling it up.
Then there are programs that will help you find the cause, such as gmer
and Process Explorer. I'm not familiar with them and can't really tell
you which would be best in your situation.
If you think it's malicious, like maybe a rootkit infection, you might
do the following:
Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it:
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
Then run this program:
Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe