Registry Editor

[Guest]

I'm unable to delete a registry value:
HKLM\software\microsoft\windows\currentversion\registration\*playmc

This runs the following command:
c:\winnt\registration\playmc.exe rerun

Can't delete this file because of sharing violation. If I terminate the
service in system manager, it respawns. I want to kill this service and
delete the program. Any suggestions would help.

Thanks, Andrew

 

[G. Samuel Hays]

Andrew,

Is it spyware? I've had (spyware) situations like that where i'd log in to
the recovery console, delete the exe and then remove the registry entry once
I was back in the gui. You can install the recovery console from the i386
folder on the Winxp cd by running Winnt32 /cmdcons.

Best Regards,
G. Samuel Hays

 

[Guest]

This is spyware.
In fact, I did go into the recovery console to delete the *.exe file. But
I'm still getting winantivirus.com pop-ups. McAfee identifies these as
Vundo.dr infections. And new random named *.exe files are created. I
couldn't identify anything with the HijackThis logfile.

Any other suggestions.

 

[G. Samuel Hays]

Ok,

First thing: wildcards don't work in the recovery console. You must type in
the names individually. (Not sure if you were just typing it that was for
speed's sake).
However - The problem we had here was that a file would generate random
names and respawn on termination so you couldn't kill it. What I ended up
doing, was going to sysinternals and grabbing the filemon utility. I found
which process was respawning but more importantly *where* the file sat.
After finding that - went into the recovery console, crushed all related
files. Have you run ad-aware and spybot as well? You're probably going to
have to do some serious investigating to get the respawn app killed. Good
luck!

G. Samuel Hays
P.s. Now that I think about it, with sysinternals' PSTOOLs you may be able
to really terminate the process (-KILL, i think) without it respawning.