
Registry Errors On A Fresh Install Of Xp?


9 replies to this topic

#1 Pete07

Pete07

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Location:Australia
  • Local time:11:47 AM

Posted 21 October 2007 - 10:44 PM

Hi,

I've had several system error messages pop up in the last day saying I have critical errors in the System Registry.

I re-formatted my computer just 2 days ago & spent hours re-installing programs. This computer is my children's game computer, so most of the programs on here are kids games. None of them have been used yet, all I have done is install.

The messages that pop up have told me the errors are critical & to go to either

http://fix64.com or http://www.registrycleanerxp.com

I was wary as I didn't know if these were legitimate sites.

I went into the Event Viewer & there are 7 entries of this message:

Application popup: Messenger Service : Message from Local System to User on 10/22/2007 1:14:55 PM

CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED.

To FIX this problem:
Open Internet Explorer and type: www.registrycleanerxp.com
Once you load the web page, close this message window

After you install the cleaner program you will not receive any more reminders or pop-ups like this.

VISIT www.registrycleanerxp.com IMMEDIATELY!


I did end up going to www.registrycleanerxp.com (I figured if it screwed up the system, worst case scenario I'd just re-format again) and it said there are the following errors: 21 in application paths, 14 in COM objects, 6 in help files & 2 in uninstall objects.

What does all that mean? It won't allow me to repair the problems (of course... they never let you fix anything without paying $$) so I have no idea what to do next.

If anyone can help I'd be extremely grateful.

Thanks!



#2 ThorXP

ThorXP

  • Banned
  • 880 posts
  • OFFLINE
  •  
  • Local time:02:47 PM

Posted 21 October 2007 - 11:05 PM

Welcome to Bleeping Computer....

Your computer is more than likely infected if you are getting these types of popups. Face it, if the registry were corrupted your computer would not boot very well or not at all.

To download HJTsetup.exe from TrendSecure To Download HijackThis go to the following at the File Repository
Click on the link below to Download HijackThis Self Installer:

http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

Save the file to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\HijackThis.
Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialog box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
At the top of the Notepad HJT log screen, hit Edit then Select All, then click Edit and then click Copy. Doing that copies the text to the clipboard; you won't see it yet....
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
A security expert should take a look at your log - please be patient.

Edited by ThorXP, 21 October 2007 - 11:06 PM.


#3 Pete07


Posted 21 October 2007 - 11:09 PM

Hi,

Thanks for your reply. So can a PC be infected even if it is not usually connected to the internet? I connected this one purely to try to find out what is wrong, it's not usually online at all. It just seems really weird for it to be infected so quickly. (Not doubting what you've said, I just don't understand all this stuff completely.) I'm guessing an infection would have to have come from one of the games I re-installed for my kids. Would that be correct? (Poor kids, they're going nuts wondering why I don't have their system working yet!)

I'll D/L HJT & run it. Should the log be posted here or in the HJT forum?

Thanks so much.

#4 Pete07


Posted 21 October 2007 - 11:12 PM

Just in case you need it here... here's the log file. If it needs to go in the HJT forum, I'll post there instead.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:06 PM, on 22/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2279 bytes

#5 ThorXP


Posted 21 October 2007 - 11:15 PM

Yes, a PC can be infected even though it is not connected to the internet; infections can arrive on the software that is installed on the computer very easily. I know you just installed Windows, and even though it has not been connected you might want to install Service Pack 1 minimum, as someone might think you are running illegal.

#6 Pete07


Posted 21 October 2007 - 11:23 PM

I'm updating with the service pack & any other updates right now. Just realised they were missing!

#7 Pete07


Posted 22 October 2007 - 12:31 AM

I've completed the XP updates. Here's a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:52 PM, on 22/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus Photo RX630 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HP.EXE /P31 "EPSON Stylus Photo RX630 Series" /O6 "USB001" /M "Stylus Photo RX630"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193027040799
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2920 bytes
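
An added example, not part of the original thread or of HijackThis itself: a small Python parser for the log layout shown in the two scans above, used to list what changed between them. The section-code pattern and the function names are assumptions of this example; the sample input is abridged from the two posted logs.

```python
import re

# An entry line is a section code, " - ", then the body, e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Return (header dict, running-process list, set of (code, body) entries)."""
    header, procs, entries, in_procs = {}, [], set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif ": " in line and not entries:
            header.update([line.split(": ", 1)])
    return header, procs, entries

def diff_scans(before, after):
    """What appeared or disappeared between two scans of the same machine."""
    (h0, p0, e0), (h1, p1, e1) = parse_hjt(before), parse_hjt(after)
    lower = lambda paths: {p.lower() for p in paths}   # Windows paths ignore case
    return {"platform": (h0.get("Platform"), h1.get("Platform")),
            "added": sorted(e1 - e0), "removed": sorted(e0 - e1),
            "new_processes": sorted(lower(p1) - lower(p0))}

# Sample input: abridged from the two logs posted in this thread.
BEFORE = r"""Platform: Windows XP (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""
AFTER = r"""Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

if __name__ == "__main__":
    print(diff_scans(BEFORE, AFTER))
```

Process paths are compared in lower case because the same binary appears as both `System32` and `system32` in these logs.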

#8 Pete07


Posted 22 October 2007 - 10:27 PM

Just bumping this to try to get some help.

If I shouldn't have posted the HJT log here, let me know. Thanks. :thumbsup:

#9 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:02:47 PM

Posted 23 October 2007 - 03:44 PM

HJT logs are normally posted on this forum after reading the pinned topics: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
If you've got an open HJT logfile, most regulars here won't touch your problem until the HJT Team gives it an all-clear.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) If you need a more detailed explanation, please ask for it. I have the Knack. If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#10 Pete07


Posted 25 October 2007 - 07:16 AM

No problem, shall post over there. Thanks!



