Registry Editor

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I'm unable to delete a registry value:
HKLM\software\microsoft\windows\currentversion\registration\*playmc

This runs the following command:
c:\winnt\registration\playmc.exe rerun

Can't delete this file because of sharing violation. If I terminate the
service in system manager, it respawns. I want to kill this service and
delete the program. Any suggestions would help.

Thanks, Andrew
 
Andrew,

Is it spyware? I've had (spyware) situations like that where i'd log in to
the recovery console, delete the exe and then remove the registry entry once
I was back in the gui. You can install the recovery console from the i386
folder on the Winxp cd by running Winnt32 /cmdcons.

Best Regards,
G. Samuel Hays
 
This is spyware.
In fact, I did go into the recovery console to delete the *.exe file. But
I'm still getting winantivirus.com pop-ups. McAfee identifies these as
Vundo.dr infections. And new random named *.exe files are created. I
couldn't identify anything with the HijackThis logfile.

Any other suggestions.
 
Ok,

First thing: wildcards don't work in the recovery console. You must type in
the names individually. (Not sure if you were just typing it that was for
speed's sake).
However - The problem we had here was that a file would generate random
names and respawn on termination so you couldn't kill it. What I ended up
doing, was going to sysinternals and grabbing the filemon utility. I found
which process was respawning but more importantly *where* the file sat.
After finding that - went into the recovery console, crushed all related
files. Have you run ad-aware and spybot as well? You're probably going to
have to do some serious investigating to get the respawn app killed. Good
luck!

G. Samuel Hays
P.s. Now that I think about it, with sysinternals' PSTOOLs you may be able
to really terminate the process (-KILL, i think) without it respawning.
 
Back
Top