Registry Editor problem

Bob S

I have WinXP SP2, patched up to date.

I haven't installed any new programs lately, but for the
last few days whenever I boot up a DOS sort of box pops up
(like the one for the command prompt (which, by the way, I
don't know how to use, but that's not my issue)). The top line
of the box says "C:\Windows\system32\cmd.exe." After
everything else has fully loaded, it sits on the screen for
about 30 or 40 more seconds, and then a message box pops up
which says that Registry editor has encountered a problem
and needs to shut down. I can then click on a button to
either send a feed-back message to MS or not, and then the
two windows/boxes disappear and I can use the computer as I
normally do. I can even use the registry editor, so I have
no idea what the message is supposed to mean in the first
place.

Any idea what the problem is and how to fix it?

Thanks.
 
Wesley Vogel

Regedit.exe is the Registry Editor. You probably have a trojan/virus/worm
that created a REGEDIT.COM file. REGEDIT.COM is not a Windows file,
regedit.exe is a Windows file.

UPDATE your antivirus software and run a full system scan.

UPDATE whatever anti-spyware applications that you have and run a full
system scan with each one.

You might want to start in Safe Mode to run your antivirus and anti-spyware
software.

Running a full system antivirus scan or anti-spyware scan in Safe Mode can
be a good idea. Some viruses and other malware like to conceal themselves
in areas Windows protects while using them. Safe mode can prevent those
applications access and therefore unprotect the viruses or other malware
allowing for easier removal.

''In safe mode, you have access to only basic files and drivers
(mouse, monitor, keyboard, mass storage, base video, default system
services), just the minimum device drivers required to start Windows.''

Because of that some malware does not load in Safe Mode and is easier to get
rid of.

How to start Windows in Safe Mode Windows XP
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Shenan Stanley

Bob said:
I have WinXP SP2, patched up to date.

I haven't installed any new programs lately, but for the
last few days whenever I boot up a DOS sort of box pops up
(like the one for the command prompt (which, by the way, I
don't know how to use, but that's not my issue)). The top line
of the box says "C:\Windows\system32\cmd.exe." After
everything else has fully loaded, it sits on the screen for
about 30 or 40 more seconds, and then a message box pops up
which says that Registry editor has encountered a problem
and needs to shut down. I can then click on a button to
either send a feed-back message to MS or not, and then the
two windows/boxes disappear and I can use the computer as I
normally do. I can even use the registry editor, so I have
no idea what the message is supposed to mean in the first
place.

Any idea what the problem is and how to fix it?

Sounds like something is trying to apply settings to your registry.
What do you have in your startup tab of msconfig?
 
Bob S

Wesley Vogel said:
UPDATE your antivirus software and run a full system scan.

UPDATE whatever anti-spyware applications that you have and run a full
system scan with each one.

Sounds like a good idea. I last ran a full virus scan two
weeks ago, so who knows what's happened in the interim. I'll
set the scan to run in safe mode while I'm out doing
"chores" this afternoon, and I'll report back when I get the
results, good or bad.

Thanks for the help.
 
Bob S

Shenan Stanley said:
Sounds like something is trying to apply settings to your registry.
What do you have in your startup tab of msconfig?

To the extent the item names are listed, I don't see anything
that I haven't seen before (at least I *think* so).

But there are three things in there where neither the item
name nor the command is listed, and the locations are shown
as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Run
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Load

Do they suggest anything?

In the meanwhile, I'll scan for viruses and other bad stuff
as Wesley suggested.

Thanks much.
 
Wesley Vogel

My bet is that the creatures that create malware have not taken very many
days off in those two weeks. ;-)

Grisoft\AVG has new virus definitions almost every single day of the week,
if that gives you any idea.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Wesley Vogel

Good point, Shenan.

There may be a batch file or .reg file running at boot. It seems to me that
HP and Compaq computers have .bat files that run at boot. I remember now.
I found some things on my cousin's machine.

From my notes...

**cloaker.exe is required to run on startup in order to benefit from its
functionality or so that the program will work.
Used by HP and Compaq computers to hide the windows of programs passed as
arguments to it.
The "c:\hp\bin\cloaker.exe" application which, by its name, is intended to
hide its true purpose from the PC owner.
http://www.wirelessforums.org/security/how-can-i-disable-hp-preloaded-datamining-13658.html
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Pin c:\hp\bin\cloaker.exe c:\hp\bin\pintostart.bat
Pin c:\hp\bin\cloaker.exe c:\hp\bin\pintostart.bat

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Bob S

Bob S said:
But there are three things in there where neither the item
name nor the command is listed, and the locations are shown
as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Run
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Load

Haven't run the scans yet, but in the meanwhile I unchecked
all three of the above in msconfig and rebooted. Didn't get
the message, and no apparent problems.

I'll still do the scans, of course, but I'm guessing I
already learned something so far.
 
Rock

Bob S said:
I have WinXP SP2, patched up to date.

I haven't installed any new programs lately, but for the
last few days whenever I boot up a DOS sort of box pops up
(like the one for the command prompt (which, by the way, I
don't know how to use, but that's not my issue)). The top line
of the box says "C:\Windows\system32\cmd.exe." After
everything else has fully loaded, it sits on the screen for
about 30 or 40 more seconds, and then a message box pops up
which says that Registry editor has encountered a problem
and needs to shut down. I can then click on a button to
either send a feed-back message to MS or not, and then the
two windows/boxes disappear and I can use the computer as I
normally do. I can even use the registry editor, so I have
no idea what the message is supposed to mean in the first
place.

Any idea what the problem is and how to fix it?

In addition to the other replies, from Start | Run, try running these
different utilities. Click OK after typing the entry.
Regedit
Msconfig

Do they run? If there is a virus problem they might not.
 
Wesley Vogel

Bob S said:
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Run
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Load

Do they suggest anything?

Yes.

Load and Run are legacy start settings. Read legacy as old. Not many legit
applications use these. Not to say that they cannot use them. Malware
likes to hide start stuff here.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\WindowsNT\
CurrentVersion\Windows:Run
From the run= line in the Win.ini file.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\WindowsNT\
CurrentVersion\Windows:Load
From the load= line in the Win.ini file.

Load and Run...
Programs Automatically Start When User Logs on to Windows
http://support.microsoft.com/kb/147369

Examples of malware using load and run:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"load"="C:\WINNT\system32\zerg.vbe"
http://www.symantec.com/security_response/writeup.jsp?docid=2004-032315-2342-99

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run =
"%Windows%\dllreg.exe"
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=36374

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
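
Added example, not part of the thread: a short Python check that reads the text of a registry export and lists what sits in the Run key and in the legacy load=/run= values discussed above, flagging any legacy value that holds a command. The function names are hypothetical and the sample export is constructed from value data quoted in this thread; an empty value, as Bob found in regedit, launches nothing.

```python
import re

# Autostart locations named in the thread ("Windows NT" is spelled with a space).
RUN_KEY = r"software\microsoft\windows\currentversion\run"
LEGACY_KEY = r"software\microsoft\windows nt\currentversion\windows"
LEGACY_VALUES = {"load", "run"}

# Constructed sample in .reg export form, built from value data quoted in the
# thread. A real `reg export` file is UTF-16; open it with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINNT\\system32\\zerg.vbe"
"run"=""
"Device"="printer,winspool,Ne00:"
'''

SECTION = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
# Only REG_SZ lines ("name"="data") are parsed; hex(2): and dword: are skipped.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", text)

def autostart_entries(reg_text):
    """Return (hive, location, name, command, is_legacy) per autostart value."""
    entries, hive, key = [], None, None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            hive, key = section.group(1), section.group(2).lower()
            continue
        value = STRING_VALUE.match(line)
        if not value or key is None:
            continue
        name, data = unescape(value.group(1)), unescape(value.group(2))
        if key == RUN_KEY:
            entries.append((hive, "Run key", name, data, False))
        elif key == LEGACY_KEY and name.lower() in LEGACY_VALUES:
            entries.append((hive, "legacy " + name.lower() + "=", name, data, True))
    return entries

def needs_review(entries):
    """A legacy load=/run= value that holds a command is worth a closer look."""
    return [e for e in entries if e[4] and e[3].strip()]

if __name__ == "__main__":
    for entry in needs_review(autostart_entries(SAMPLE_REG)):
        print("review:", entry)
```
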

Bob S

Wesley Vogel said:
My bet is that the creatures that create malware have not
taken very many days off in those two weeks. ;-)

I realize that. I should have said I hadn't run a *full*
in-depth scan for two weeks (I usually do them once a week).
But in any case, see below: three scans haven't turned up
anything.

Wesley Vogel said:
Grisoft\AVG has new virus definitions almost every single
day of the week, if that gives you any idea.

Well, today I ran a full virus scan with AVG, and then
spyware/adware scans with both SpySweeper and Ad-Aware. And
the results: nada.

I rebooted several times to see if the problem would come back
with those three things unchecked in msconfig, and it's all
fine. As long as they're unchecked, the message doesn't
appear.

So I'm now in the position of sort-of having nothing broke,
but I'd still like to fix it. Any idea where to go from
here? I.e., should I do anything about those three items I
unchecked in msconfig? To re-cap what they are, they're:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Run
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Load

Thanks.
 
Bob S

I read those links you posted, but unfortunately I'm not
entirely sure what I'm reading.

For example, looking in the registry editor under two of the
three items I saw in msconfig, I went to
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Run
and
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows:Load

and that was all I saw there. In the right pane, on the line
for "Run," and also on the line for "Load," the Type in both
cases is indicated as "REG_SZ," and there's nothing in the
data column.

I also went to:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There were 15 items in the right pane, 13 of which I'm
familiar with. The two others were "IMJPMIG8.1," and
"SunJavaUpdateSched." ProcessLibrary.com says "MJPMIG.EXE
belongs to the Microsoft Input Method Editor. It is used to
simplify the input of Asian characters in the Microsoft
Office suite" and that IMJPMIG8.1 shouldn't be disabled. The
other item, for SunJava -- well, I know what that is, but it
reminded me that I did update Java lately, so maybe the
problem resulted from that? I dunno.

Any idea what I should do from here, or whether I should do
anything at all, given the fact that unchecking the three
items in msconfig made the message stop popping up?

Thanks.
 
Bob S

Rock said:
In addition to the other replies, from Start | Run, try
running these different utilities. Click OK after typing
the entry.
Regedit
Msconfig

Do they run? If there is a virus problem they might not.

They both run fine. Also, today I ran both a full virus scan
(AVG) and two malware scans (SpySweeper and Ad-Aware), and
the system came up clean.

Any other thoughts?

Thanks very much.
 
Newbie Coder

Wesley,

Symantec have defs out each day too via Intelligent Updater:

http://www.symantec.com/avcenter/defs.download.html

If you have the 2006/2007 home products then LiveUpdate should work each day
like it does with my Symantec Corporate 10.1.5.5010 Edition, but the
Intelligent Updater if not

--
Newbie Coder
(It's just a name)


Wesley Vogel said:
My bet is that the creatures that create malware have not taken very many
days off in those two weeks. ;-)

Grisoft\AVG has new virus definitions almost every single day of the week,
if that gives you any idea.

Rock

Bob S said:
They both run fine. Also, today I ran both a full virus scan
(AVG) and two malware scans (SpySweeper and Ad-Aware), and
the system came up clean.

Any other thoughts?

Thanks very much.


If those didn't run, that would be an indication of a malware infection.
That both did, doesn't prove there isn't one but it's a good sign. I
haven't been following this thread in detail, but it could be there was no
infection and the changes you made already have addressed the issue. For
your future reference.

Malware Removal
http://www.elephantboycomputers.com/page2.html#Removing_Malware

THE PARASITE FIGHT
Finding, Removing & Protecting Yourself From Scumware
http://aumha.org/a/parasite.htm

Richard Harper's Guide to Cleaning Pests
http://rgharper.mvps.org/cleanit.htm
 
Wesley Vogel

I would not use Symantec even if they paid me.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Wesley Vogel

Bob,

I have just been rereading all of your posts in this thread. I always seem
to miss something.

Bob S said:
I rebooted several times to see if the problem would come back
with those three things unchecked in msconfig, and it's all
fine. As long as they're unchecked, the message doesn't
appear.

Recheck each item one at a time and reboot to see which one may have been
causing the problem.

MJPMIG.EXE looks suspicious. Searching MS sites brings back nothing.
http://www.google.com/search?as_q=&...as_dt=i&as_sitesearch=&as_rights=&safe=images

IMJPMIG.EXE, however, is a legit file.
http://support.microsoft.com/dllhelp/?dlltype=file&l=55&alpha=IMJPMIG.EXE&S=1&x=9&y=12

I have a copy of Imjpmig.exe in C:\WINDOWS\system32\dllcache. The language
is Japanese. Imjpmig.exe is in my dllcache folder because I have no need
for any language other than English and have not installed any.

There is a shortcut to Microsoft Office XP Language Settings on the Start
menu.
Start Menu\Programs\Microsoft Office Tools\Microsoft Office XP Language
Settings.

Is MJPMIG.EXE a typo? Is it really IMJPMIG.EXE?

Do you need Japanese in your MS Office apps?

I would disable SunJavaUpdateSched. First, even if there is a new version
of Sun Java, it is my understanding that it's a screwed up mess because
earlier versions do not get uninstalled automatically. I do not have Sun
Java myself. Nor do I have Microsoft Java Virtual Machine for that matter.

"This program is not required to start automatically as you can run it when
you need to. SunJavaUpdateSched = C:\Program
Files\Java\jre1.5.0_11\bin\jusched.exe Checks with Sun's Java updates site
to see if newer Java versions are available. Visit Sun's Java page or just
run the Java Plug-In Control Panel. The version number in the path will
change depending on the version of the software installed."
http://www.bleepingcomputer.com/startups/SunJavaUpdateSched-5259.html

When all is said and done and you want to clean out the startup items that
you have disabled using msconfig, see this.

Cleanup the MSCONFIG startup tab listings in Windows XP
http://windowsxp.mvps.org/MSCONFIG.htm

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Bob S

Wesley Vogel said:
Is MJPMIG.EXE a typo? Is it really IMJPMIG.EXE?
Do you need Japanese in your MS Office apps?

Doing a search on my computer just now doesn't turn up
anything called MJPMIG.EXE.

The name cropped up earlier only because when I did a search
online for "IMJPMIG8.1" (the entry I saw in the registry), I
found a comment concerning it at ProcessLibrary.com.
MJPMIG.EXE simply appeared in the section I quoted from
ProcessLibrary.com. I included the entire quote because I
didn't know whether the context was important. But again:
bottom line is that I don't have it.

I do have IMJPMIG.EXE. It's located in C:\Windows\ime\
imp8_1. Whatever that is.

I certainly have no need of Japanese on my computer, and, as
mentioned, I've already unchecked it in msconfig. Is there
any reason to actually delete the .exe file, or should I
just let it go at this point?

Wesley Vogel said:
I would disable SunJavaUpdateSched.

Done.

Thanks.
 
Wesley Vogel

Hi Bob,

Imjpmig8.1 was probably the Value Name and the path pointed to IMJPMIG.EXE
in the Value Data.

From a web post...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: IMJPMIG8.1
Value Data:
C\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

I have a C:\Windows\ime\imjp8_1 folder, but it's empty except for an empty
applets folder.

I would delete IMJPMIG.EXE from C:\Windows\ime\imjp8_1 if you have need for
Japanese.

Out of curiosity...
Navigate to C:\Windows\ime\imjp8_1, right click IMJPMIG.EXE, click
Properties.
On the General tab:
File version: 8.1.4202.0
description: Microsoft IME
Copyright: Copyright (C) 1995-2001 Microsoft Corporation. All rights
reserved.

Also click on the following items under Item name to see the Value...
Company: Microsoft Corporation
File Version: 8.1.4202.0
Internal Name: MS-IME
Language: Japanese
Legal Trademarks: Microsoft® is a registered trademark of Microsoft
Corporation. Windows(TM) is a trademark of Microsoft Corporation
Original File Name: IMJPMIG.EXE
Product Name: Microsoft IME 2002
Product Version: 8.1.4202.0

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
