
Cannot Access Registry


13 replies to this topic

#1 Jesse Bassett (Members, 418 posts, Location: Rosemount, MINN.)
Posted 22 April 2006 - 03:06 PM

Hello,
I have a big problem with my Windows XP. Every time I try to access the registry, it comes up in a Command prompt then has this error message:



C:/WINDOWS/System32/Regedit.com
The NTVDM CPU has encountered an illegal instruction.
CS:0156 IP: 04df OP: 0f a7 00 22 00 Choose 'close' to terminate the application.


I have a saved Hijack This log if requested.

What do I do?
Windows XP Media Center Edition 2005 l McAfee Total Protection l Super AntiSpyware Free Edition l AdAware SE Personal l Spyware Blaster l Spyware Guard l Safe Eyes 2007


#2 ThorXP (Banned, 880 posts)
Posted 22 April 2006 - 03:17 PM

I searched the Microsoft Knowledge Base and got the following they seem to be for Windows NT but seeing as Windows XP is based on Windows NT they might help.

NTVDM CPU Has Encountered an Illegal Instruction
http://support.microsoft.com/kb/245184/en-us

Entries in Config.nt or Autoexec.nt May Cause NTVDM Errors
http://support.microsoft.com/kb/156687/en-us

Were you installing any 16-bit games or programs? If so this might be the cause of this

Also your system might be infected with spyware or some sort of virus or malware. I would suggest HJT

Since you have already run HJT please do the following:

Go to the following to post your log file and it will be analyzed by a qualified tech

HijackThis Logs and Analysis
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

#3 Scarlett, Bleeping Diva (Members, 7,479 posts)
Posted 22 April 2006 - 03:23 PM

Have you run any security scans yet? It is best to run your antivirus/antispyware/antiadware programs first. :thumbsup:


Preparation Guide for use before posting a HijackThis Log

#4 Jesse Bassett, Topic Starter (Members, 418 posts, Location: Rosemount, MINN.)
Posted 22 April 2006 - 03:31 PM

I am doing the antispyware scans now using Webroot SpySweeper, Lavasoft Ad-Aware SE Personal, & ZoneLabs AntiSpyware.

#5 Scarlett, Bleeping Diva (Members, 7,479 posts)
Posted 22 April 2006 - 03:33 PM

Be sure to edit your HJT log post alerting the HJT team what all you have done and of anything the scans may find.
The more info. you give them the better. :thumbsup:

#6 Albert Frankenstein (Members, 2,707 posts, Location: Michigan, USA)
Posted 22 April 2006 - 03:54 PM

C:/WINDOWS/System32/Regedit.com

Really? I don't know what regedit.com is. Is that exactly what it said, or perhaps did it say regedit.exe?

#7 Jesse Bassett, Topic Starter (Members, 418 posts, Location: Rosemount, MINN.)
Posted 22 April 2006 - 04:12 PM

C:/WINDOWS/System32/Regedit.com

Really? I don't know what regedit.com is. Is that exactly what it said, or perhaps did it say regedit.exe?


It said regedit.com

#8 Herk (Members, 1,609 posts, Location: S.E. Idaho, USA)
Posted 22 April 2006 - 06:06 PM

When you try to access the registry, how are you doing it? Normally, you would go to start -> run and type

regedit

. . . but you could also type

regedit.exe

. . . that's the original filename. This makes me wonder if your regedit command has been purloined by malware - like Albert, I know of no regedit.com in the system.

#9 Jesse Bassett, Topic Starter (Members, 418 posts, Location: Rosemount, MINN.)
Posted 22 April 2006 - 06:51 PM

Wow...it somehow fixed itself. I type in regedit or regedit.exe and there's the registry....weird

#10 ThorXP (Banned, 880 posts)
Posted 22 April 2006 - 07:51 PM

No, not weird but actually correct. If there is no regedit.com it will not run and depending on the computer you can get various error messages. It just taught me to learn how to read all over again.

Thanks Albert you are a good one.

#11 Albert Frankenstein (Members, 2,707 posts, Location: Michigan, USA)
Posted 24 April 2006 - 07:57 AM

I am in training for work in the HighJack This! forum here at BC. And oddly enough, this morning in my studies I came across what might be the answer here.

In a clean computer: When you open the run box and type regedit , Windows will automatically add the extension to regedit and see if there is a match on your computer. It searches for matches using .com as well as .exe and other extensions looking for a match. (there is no such thing as regedit.com in Windows). It finds regedit.exe and runs the program.

There is a worm with many variants called Alcra that exploits this feature in Windows. It adds things like regedit.com and control.com so that when someone types regedit in the run box regedit.com will be found and will start.

This worm is most commonly spread through Peer to Peer sites like Limewire, Kazaa, etc.

Does this make sense to you, Jesse? Do you use these P2P sites? P2P sites are close to the number one reason why the average computer user gets infected. A lot of sites will not help someone who has Limewire or Kazaa software installed. But BC will.

At any rate, I would suggest posting a HJT log to get rid of this little bugger.

First: Read the Preparation Guide found HERE. It is very important that you follow ALL of the instructions found within. (There are many important steps in this guide that may clean your computer.)

Second: Post your system information along with a brief description of the problems you are having, and your HJT log in the HJT forum found HERE.

NOTE: Please, after you post your HJT log DO NOT make another post in the HJT forum until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post there will be 1 reply. The team member glancing over the replies might think someone is already helping you out and will not respond. So, just make your post and let it sit there until a team member responds. The volunteers who work that forum are very busy, so please be patient and wait. It can sometimes take a few days for a response. If after 5 days you still have gotten no response, then post a link to your HJT log HERE.

Third: If, after finishing your work with the folks at the HJT forum you have issues with Windows related to the removal of the infection, then come to the other forums and let us help you get your computer back to normal.

You are in good hands! Good luck!

Edited by Albert Frankenstein, 24 April 2006 - 08:09 AM.


#12 Enthusiast (Members, 5,898 posts, Location: Florida, USA)
Posted 24 April 2006 - 08:23 AM

A lot of sites will not help someone who has Limewire or Kazaa software installed.


That's because P2Ps that network users for the purpose of sharing pirated copyrighted materials - songs - programs - etc. - are a constant source of malware infection. If the user continues the use of P2Ps after the volunteers on other sites similar to this (who spend their time and energies helping a user clean their computers of malware infestation), it will all be for naught, as they will reinfect their computers again in short order anyway. So one way to look at it is to allow those users to eliminate or diminish their ability to infect others with their infected computers complicit in spreading malware by letting the infection eventually eliminate their ability to communicate on the internet completely.

#13 usasma (BSOD Kernel Dump Expert, 25,072 posts, Location: Southeastern CT, USA)
Posted 24 April 2006 - 08:30 AM

I've seen many more virus/spyware problems on systems with P2P applications running than on systems that don't use them.

As such, I recommend that you don't use them (at least until you know ALL of the steps to prevent them from getting on your system). And no, I don't know them myself - so I stay away from P2P! :thumbsup:

What I have recommended to others is having 2 separate systems connected with a KVM switch for this purpose. Keep the P2P system isolated from the other one and you should still be able to surf even if the P2P gets hosed.

#14 Papakid, Guru at being a Newbie (Malware Response Team, 6,522 posts)
Posted 24 April 2006 - 08:49 AM

A little more comment on the regedit.com deal...

As AF says, when you type in regedit in the Run box, Windows looks through a list of extensions and runs the file with the first extension it comes across. Since com comes before exe alphabetically, regedit.com gets run first. This can actually be useful to defeat some malware infections. If the legitimate regedit.exe has been blocked from running, you can rename regedit.exe to regedit.com to get it to open.

What some of the alcan and other malware does is create a dummy file, usually 0 bytes, named regedit.com. That zero byte file will run instead of the legit registry editor. Which is what it sounds like happened here. Jesse, when you got it to work was it because you type in .exe after regedit?

Do a file search for regedit and post back here what was found and what folder each file was found in.

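The extension-order behaviour that Albert (#11) and Papakid (#14) describe, worked through as an added example. This is not code from the thread or from any BleepingComputer tool; it models the lookup step in which a bare command name is tried against each PATHEXT extension in order, so a regedit.com sitting beside regedit.exe wins. The PATHEXT list is my assumption of the Windows XP default; the program names other than regedit and control are my additions; the directory contents are constructed inside the script so it runs offline on any platform.

```python
"""
Added example: model the Run-box extension lookup and flag shadowing files.

Assumptions (mine, not stated in the thread):
- Lookup order is the PATHEXT list below (Windows XP default as I recall it,
  with .COM ahead of .EXE); a real system may have a different PATHEXT.
- A "shadow" is a file whose extension sorts before .EXE in that list, so
  it runs instead of the real program when only the bare name is typed.
"""
import tempfile
from pathlib import Path

# Assumed Windows XP default PATHEXT, in lookup order.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH"]

# regedit and control are the names the thread mentions; the others are mine.
WATCHED_PROGRAMS = ("regedit", "control", "cmd", "taskmgr", "msconfig")


def _index(directory):
    """Case-insensitive map of filename -> Path, like an NTFS lookup."""
    return {p.name.lower(): p for p in Path(directory).iterdir() if p.is_file()}


def resolve_command(name, directory, pathext=DEFAULT_PATHEXT):
    """Return the file a command typed into Run would start, or None.

    An explicit extension ('regedit.exe') is honoured as typed. A bare name
    ('regedit') is tried with each PATHEXT entry in order; first hit wins.
    """
    files = _index(directory)
    if Path(name).suffix:
        return files.get(name.lower())
    for ext in pathext:
        hit = files.get((name + ext).lower())
        if hit is not None:
            return hit
    return None


def find_shadows(directory, programs=WATCHED_PROGRAMS, pathext=DEFAULT_PATHEXT):
    """Report files that outrank a program's .exe in PATHEXT order.

    Returns {program: [(filename, size_in_bytes), ...]} for programs that
    have at least one shadow. A zero-byte entry is the decoy the thread
    describes; a non-empty one deserves a closer look before deletion.
    """
    files = _index(directory)
    exe_rank = pathext.index(".EXE")
    report = {}
    for prog in programs:
        shadows = []
        for ext in pathext[:exe_rank]:
            p = files.get((prog + ext).lower())
            if p is not None:
                shadows.append((p.name, p.stat().st_size))
        if shadows:
            report[prog] = shadows
    return report


def demo():
    """Constructed scenario mirroring the thread: the real regedit.exe plus a
    zero-byte regedit.com dropped next to it. Returns what each lookup hits."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Stand-ins for real binaries (constructed content, not actual PE files).
        (d / "regedit.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (d / "taskmgr.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (d / "regedit.com").write_bytes(b"")   # the decoy
        return {
            "bare_runs": resolve_command("regedit", d).name,
            "explicit_runs": resolve_command("regedit.exe", d).name,
            "shadows": find_shadows(d),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Typing the bare name resolves to regedit.com while regedit.exe typed in full opens the real editor, which is exactly the behaviour Jesse reported in #9. On a live XP box the same idea is a search of the Windows and System32 folders for regedit.com and control.com, as Papakid asks for in #14. Note that the real Run box goes through ShellExecute, which also consults the App Paths registry key and the PATH before this extension walk; the model above covers only the extension-order step the thread discusses.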




