Registry Locked

[flatbush71]

Windows Object Recognized!
    Type               : RegData
    Data               :
    Category           : Vulnerability
    Comment            : Possible unintended lockout from Registry Editor (Regedit access disabled)
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-3207847200-1532886375-2419647484-1003\software\microsoft\windows\currentversion\policies\system
    Value              : DisableRegistryTools
    Data               :

 Windows Object Recognized!
    Type               : RegData
    Data               : explorer.exe,winload16.exe -shell
    Category           : Vulnerability
    Comment            : Shell Possibly Compromised
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\windows nt\currentversion\winlogon
    Value              : Shell
    Data               : explorer.exe,winload16.exe -shell


flatbush71

[guestolo]

Is that from an Ad-Aware log?

Can you post a hijackthis log, I don't recognize winload16.exe
Create a permanent folder hijackthis
EG---- Open MyDocuments----Right click an empty spot and select NEW---Folder----Name the new folder HJT
OR create a folder as C:\HJT---this is where you will want to save Hijackthis too, also, backups will be stored there.
download from
HERE

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important

[flatbush71]

Can,t install it. Won't let me run the ".exe". Like to never got it downloaded, took 7 or 8 tries.

flatbush71

[guestolo]

Can you download Zip files?
Something is trying to block it

Try this link for the zip file, you will have to unzip it to run it
http://www.majorgeeks.com/download3155.html

or try one of these direct download links for hijackthis.exe
HERE

or HERE

[flatbush71]

got that one too. but still can't run the exe to install it.


flatbush71

[guestolo]

What operating system are you running?
If your on a NT system are you logged in with Administative privileges?
Can you access your Task Manager?

Can your Restart into safe  mode and run Hijackthis?

[guestolo]

Have you tried running an Online Virus scan
Housecall's---Set to Autoclean
http://housecall.trendmicro.com/
or do this one too
Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm

[flatbush71]

Ran house call no virus. Still can't run in safe mode. What ever I got, did something to the administrator settings. On startup no longer have to log-in, it just starts. Have XP.

flatbush71

[flatbush71]

task manager, defrag,services,properties of files(at bottom on right click) denied also.

flatbush71

[guestolo]

Housecall's found nothing, when did this problem start happening?

Can you download this utility called Process Explorer
Unzip it to a folder

Open It>>>This should show you the processes running
Click File>>Save as
Save the log and post it here

Can you use System Restore to a time before this problem started?
START>>>ALL PROGRAMS>>>ACCESSORIES>>>SYSTSEM TOOLS>>>SYSTEM RESTORE
Restore your computer to a time before this started happening

I still think it's viral related

You may also want to download and Install Registrar lite

http://www.resplendence.com/reglite

Navigate to these keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Highlight the Run and Runonce keys, do you recognize all the entries on the right hand side?

Do you recognize

[guestolo]

One other thing to try
sometimes viruses change the exe file association in the registry

Can you download this zip file and unzip it to your desktop

Double click on it and allow it to merge to the registry----you may have to do this in safe mode
Restart your computer and let me know if things improve
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

[flatbush71]

I can find with Registrar lite, but can not delete.

flatbush71

[flatbush71]

Can not run xp_exe_fix.reg, denied.

flatbush71

[guestolo]

Not sure what your saying
you found this entry with Registrar lite
winload16.exe

In Reg Lite click on Security at the top and take ownership
Give yourself full control

[guestolo]

What about Process Viewer, what happened to that log?
Make sure you try running that reg fix in safe mode

[flatbush71]

DriveConfig    
 winload16.exe -services
In run

This is new and also showing in Ad-Aware

I found the other line but still unable to delete even in safe mode

flatbush71

[guestolo]

What happened to the log from Process viewer?

[flatbush71]

Got full control ,delete returns after, and also resets to 1 after being changed to 0. Process viewer will not run. Yes, found "winload16.exe"
with Registrar lite.

flatbush71

[guestolo]

Set Windows to Show Hidden Files and Folders

Do a search for this file
winload16.exe or winload16
It may possibly be in your C:\Windows\System32 folder
Try and delete it if found
If you have trouble deleting it, Try right clicking on the file
Security tab>>advanced>>>Take full control of the file
check the box Allow inheritable permissions
from parent' to propagate... '

If your running XP pro you will have to Disable Simple file sharing

Make sure you also use the search function of XP
When searching click on the Advanced Options
Ensure there is a check in Hidden Files and folders

Stay in safe mode
Open Reg lite
Click Search at the top>>>Search Registry>>Text to Search for--Enter winload16.exe or just winload16

In the Search in box Enter Registry
Click the Spyglass at the bottom to begin the search
the entries on the right you can Right click on and jump to the location and Export the key to a folder on your hard drive and then delete the key if it looks malicious

I would also try to download the Stinger from Mcafee and try running it in safe mode
See if it picks up anything
http://vil.nai.com/vil/stinger/

[flatbush71]

Finally got it!! Let me rename it and reboot, got all back. This one was a real challenge. The file is dated 5/03. With out ability to stop explorer in
processes sends you running in circles. I always try to figure out how all these chokes work so I can understand the nature of it. Blocking the processes window put me at a stand still for a few hours. Thank you for all your help, that is some really great utilitiy programs. I can use them in other areas. Thank you again!!!

flatbush71