How do I make registry changes stick?

ernie

Using XP Home Edition, logged on as administrator in Safe Mode, I make the
change to
HKLM\sware\ms\windowsNT\current version\winlogon\Shell but, after I close
the registry editor and reopen it, the value has returned to its original
data. I checked the permissions for the key but cannot see a reason there
for this behaviour.
How can I change this value as it is causing an annoying popup from AVG and
I have to turn off the AVG Notification Service in msconfig to stop it which
may cause problems if I get another virus?
Thank you,
ern.
 
What are you trying to change the value from\to?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Shell
REG_SZ
Explorer.exe

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Update AVG and run a full system scan. Etnuq.exe is probably a virus.

You might want to start in Safe Mode to run AVG.

Some viruses and other malware like to conceal themselves in areas Windows
protects while using them. Safe mode will prevent those applications
access and therefore unprotect the viruses or other malware.

How to start Windows in Safe Mode Windows XP
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo

You have to get rid of C:\Windows\System32\Etnuq.exe before the registry
change is going to stick.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
The etnuq.exe file is gone, I assume AVG dealt with it, but the shell call
is still there which is freaking AVG out. It seems unlikely that regedt32
actually checks to see if the edits have logical consistency, the value goes
straight back to the original data as though I had never made the change. I
looked at the restore points but there are none before the 8th when this
problem already existed. Have I missed some thing on the permissions front,
they are a bit hard to get my head round. Thank you for the tip about
scanning in Safe mode.
Regards,
ern.
 
To be more exact the AVG, which was switched off, popup says:

AVG Resident Shield-(a count down from 30s to 0 at which the countdown
restarts)
An ugly bug face picture and text VIRUS DETECTED!
While opening file C:\Windows\System32\Etnuq.exe
Trojan horse Downloader.Generic.UEO
Option Buttons: Ignore, Info, Heal, Move to Vault.
Clicking any of the buttons does not get rid of the popup which is on top of
all windows opened though Heal and Move to Vault give the message:

"Requested action is not available for this object.
Access to the file has been denied.
OK"
Sorry for not being able to give full details in my first reply.
ern.
 
I would like to add that in the same key there is a value "Userinit" whose
value has been altered in the same way viz:
,oouybpw.exe has been added at the end.
The file does not exist.
ern.
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Userinit
REG_SZ
C:\WINDOWS\SYSTEM32\Userinit.exe,

Try this...
Reset the registry permissions

In the Registry Editor, right click..
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon

To update the permissions of the registry subkey, follow these steps:
a. Click Start, click Run, type regedit and then click OK to start
Registry Editor.
b. Locate and right-click the registry subkey:
and then click Permissions.
c. Under Group or user names, click Administrators.
d. Under Permissions for Administrators, make sure that the Allow check box
for the following entries is selected:
* Full Control
* Read
e. Click Apply and then click OK.
f. On the File menu, click Exit to quit Registry Editor.

Open the Registry Editor again and see if you can make the changes now.

If not, try this...
Start | Run | Type: regedit | OK |
Navigate to >>>
the said key
Right click the key in the left hand pane | Permissions... | Advanced
button | Owner tab | click the new owner and then click OK.

[[You can take ownership of a registry key if you are logged on as an
administrator or if you have been specifically assigned the permission to
take ownership of the registry key by the current owner. ]]

See permissions, registry in Registry Editor HELP.

To assign permissions to a registry key
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_permit_key.mspx

To assign special access to a registry key
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_assign_specacc.mspx

To grant Full Control of a registry key
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_yield_own.mspx

To add users or groups to the audit list
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_audit_key_adduser.mspx

To add users or groups to the Permissions list
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_permit_key_adduser.mspx

To remove a user or group from the Permissions list
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_permit_key_remove.mspx

To take ownership of a registry key
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_take_own.mspx

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

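An added check, not part of the thread or of any Microsoft documentation: it audits the two Winlogon values discussed above against the defaults Wes quotes (Shell = Explorer.exe, Userinit = C:\WINDOWS\SYSTEM32\Userinit.exe with its trailing comma) and then polls them for a short while, which is the quickest way to tell whether a running process is rewriting the value behind regedit's back. It assumes PowerShell 3 or later on the affected machine; the polling interval and duration are arbitrary choices.

```powershell
# Added example, not part of the thread: audit and watch the Winlogon
# Shell/Userinit values. Expected defaults follow Wes's post; the system32
# path is taken from the running machine rather than hard-coded.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = @('Explorer.exe')
    Userinit = @("$env:SystemRoot\system32\userinit.exe")
}

function Get-WinlogonEntries {
    param([string]$Name)
    $raw = (Get-ItemProperty -Path $winlogon -Name $Name -ErrorAction Stop).$Name
    # Both values are comma-separated lists. Userinit legitimately ends with a
    # trailing comma, so empty items produced by the split are dropped.
    @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-WinlogonValues {
    foreach ($name in $expected.Keys) {
        $entries = Get-WinlogonEntries -Name $name
        # -notcontains is case-insensitive, so Explorer.exe / explorer.exe both pass
        $extra = @($entries | Where-Object { $expected[$name] -notcontains $_ })
        if ($extra.Count -eq 0) { Write-Output "$name OK: $($entries -join ',')"; continue }
        Write-Warning "$name has unexpected entries: $($extra -join ' ; ')"
        foreach ($e in $extra) {
            # A bare name such as oouybpw.exe is looked up in system32; report whether
            # the file exists, since a dangling Userinit entry still breaks logon.
            $path = if ([IO.Path]::IsPathRooted($e)) { $e } else { Join-Path "$env:SystemRoot\system32" $e }
            $state = if (Test-Path -LiteralPath $path) { 'present on disk' } else { 'file missing' }
            Write-Output ("  {0} -> {1}" -f $e, $state)
        }
    }
}

# Poll the values for a while. If they change without anyone touching regedit,
# a running process is re-writing them, which is why edits appear not to stick.
function Watch-WinlogonValues {
    param([int]$Seconds = 60, [int]$IntervalSeconds = 5)
    $last = @{}
    foreach ($n in $expected.Keys) { $last[$n] = (Get-WinlogonEntries -Name $n) -join ',' }
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        foreach ($n in $expected.Keys) {
            $now = (Get-WinlogonEntries -Name $n) -join ','
            if ($now -ne $last[$n]) {
                Write-Warning ("{0:HH:mm:ss} {1} changed: '{2}' -> '{3}'" -f (Get-Date), $n, $last[$n], $now)
                $last[$n] = $now
            }
        }
    }
}

Test-WinlogonValues
Watch-WinlogonValues -Seconds 30
```

Run it from an elevated prompt, change the value in regedit while it is polling, and a warning within one interval tells you something else on the box is reverting the write.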
 
Microsoft Outlook Express 5.50.4522.1200???

You have got to be kidding.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Falling at the first hurdle here, I Start > Run > regedit and get a message
"regedit is not a valid Win32 application."
I was using regedt32 in the run box although I can double click regedit.exe
when viewing the C:\Windows folder and it comes up OK. I have to use the
full path in the run box, then the editor comes up.
Thanks for confirming the Userinit value is also corrupt.
I found that the permissions for the key were <Not inherited> and on the
Advanced section clicked to check the "Inherit from Parent......" box which
caused a duplicate but <Inherited> set of permissions to appear in the box.
Deleted all the <Not inherited> ones and optimistically made the edits. No
joy, no more time on this now.
Thank you for the links. My ancient browser finds it so hard to download a
page these days let alone perform a search {:^).
Regards,
ern.

 
All Regedt32.exe does is launch Regedit.exe.

Chances are that you have another POS, regedit.com.

Also Known As: W32.Alcan.A, Win32.Alcan.A [Computer Associates],
P2P-Worm.Win32.Alcan.a [Kaspersky Lab], W32/Alcan.worm!p2p [McAfee],
W32/Alcra-A [Sophos], WORM_ALCAN.A [Trend Micro]

[[This worm drops the legitimate file compression DLL, BSZIP.DLL in the
Windows system folder. It does this so it can compress itself. It also drops
the following files in the Windows system folder:

CMD.COM
NETSTAT.COM
PING.COM
REGEDIT.COM
TASKKILL.COM
TASKLIST.COM
TRACERT.COM

These files contain the string MZ so that this worm can disable the
following Windows tool applications:

CMD.EXE
NETSTAT.EXE
PING.EXE
REGEDIT.EXE
TASKKILL.EXE
TASKLIST.EXE
TRACERT.EXE ]]
From...
WORM_ALCAN.A - Technical details
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A&VSect=T

Symantec Security Response - W32.Alcra.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.alcra.a.html

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

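An added check, not part of the thread or of the Trend Micro or Symantec write-ups, for the companion-file trick Wes describes: it looks for .com and .pif files sitting beside the seven tools the excerpt lists, tests whether they carry an MZ executable header, and shows what a bare name actually resolves to on the host. It assumes PowerShell 3 or later; the two directories searched are my choice, not something the thread specifies.

```powershell
# Added example, not part of the thread: look for .com/.pif companions of the
# tools the Trend Micro excerpt lists, and show what a bare name resolves to.
# Assumes PowerShell 3+; the directory list is my choice.
$tools = 'cmd','netstat','ping','regedit','taskkill','tasklist','tracert'
$searchDirs = @($env:SystemRoot, "$env:SystemRoot\system32")

function Test-MZHeader {
    # The excerpt notes the dropped .com files "contain the string MZ":
    # check the first two bytes for the DOS/PE executable signature.
    param([string]$Path)
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Dispose() }
}

function Find-CompanionFiles {
    foreach ($tool in $tools) {
        foreach ($dir in $searchDirs) {
            foreach ($ext in '.com', '.pif') {
                $path = Join-Path $dir ($tool + $ext)
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $item = Get-Item -LiteralPath $path
                [pscustomobject]@{
                    Tool      = $tool
                    Companion = $path
                    Bytes     = $item.Length
                    Written   = $item.LastWriteTime
                    IsMZ      = Test-MZHeader $path
                }
            }
        }
    }
}

function Get-ShadowedTools {
    # PATHEXT lists .COM ahead of .EXE, so a bare name picks up the companion
    # before the real tool; report any name that does not resolve to an .exe.
    foreach ($tool in $tools) {
        $cmd = Get-Command $tool -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($cmd -and $cmd.Path -notmatch '\.exe$') {
            [pscustomobject]@{ Tool = $tool; ResolvesTo = $cmd.Path }
        }
    }
}

Find-CompanionFiles | Format-Table -AutoSize
Get-ShadowedTools   | Format-Table -AutoSize
```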
 
Thank you, Wesley. I found and deleted the .com files (and followed the rest
of the Symantec cleanup procedure) but the "execution" of the regedit.com
left a regedit.pif which also must be deleted to get the Run box to work
properly. A little quibble with the cleanup from Symantec, they say that the
file taskmgr.exe is also dropped by the worm but it appears legitimate? I
have left it anyhow.

This did not resolve the failure of regedit to edit the winlogon so, back to
msconfig and stopping a bunch of processes called Project1 and gogo115
finally caused the edit to stick. These files don't offend AVG but are dated
all at the same time so this other (etnuq.exe) virus comes as a package. I
will just list these files found in C:\Windows\ for any other unfortunates:
ms0420353-548.exe 136kB
ms0420353-5482006.exe 136kB
keyboard8.exe 44kB
mousepad8.exe 72kB
newname8.exe 24kB
wnu_??.exe 77kB which claims to be an uninstaller but just
renames itself.

Thanks again,
ern.

 