system32/regedit.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by AntoneFisher, Mar 10, 2005.

  1. AntoneFisher

    AntoneFisher Private E-2

    A program called regedit.exe in the system32 folder (not where it's supposed to be) opens up when I run iexplore.exe. I set in folder settings so I can see hidden files, but I still can't find the file so I can delete it. I tried many of the spyware and online scans and so forth. I cannot get rid of it. Please help.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start with a general cleanup and see what happens.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. AntoneFisher

    AntoneFisher Private E-2

    After doing the general cleanup the system32\regedit is still there. My "hijackthis" log is attached.
     


  4. TheOldThug

    TheOldThug First Sergeant

    Antone

    BJ will ask you to update to the current HJT and to place it in a safe folder as instructed in post #2 of this thread. Do those and then resubmit the HJT log.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please update to Hijack This 1.99.1 and attach a new log using the new version.


    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
     
  6. AntoneFisher

    AntoneFisher Private E-2

    Here it is.
     


  7. PhilliePhan

    PhilliePhan Guest

    Are you running selective startup via msconfig? If so, what are you stopping from running?

    PP :)
     
  8. AntoneFisher

    AntoneFisher Private E-2

    These are the ones I disabled, and I think I deleted most of these files but just never knew how to fix this part. Note that my Windows directory is in windows2, and I included the command with the stopped startup items. All services, system.ini, and win.ini are enabled.

    C:\program files\panda software\panda titanium antivirus 2004\APVXDWIN.exe
    C:\program files\ati technologies\ati control panel\atiptaxx.exe
    C:\windows2\xcopy.exe
    C:\windows2\system32\cmd32.exe internat.dll,LoadkeyboardProfile
    C:\windows2\system32\ctfmon.exe
    C:\windows2\system32\regedit.exe (this one is in system32 folder)
    C:\windows2\IME\imjp8_1\IMJPMIG.EXE /spoil /remadvdef /migration32
    C:\program files\itunes\ituneshelper.exe
    C:\windows2\LMU.exe
    msdns.exe
    C:\windows2\system32\csrss.exe
    C:\windows2\system32\IME\PINTLGNT\imscinst.exe /sync
    C:\windows2\Rcb.exe
    C:\windows2\system32\\NeroCheck.exe (has two slashes for some reason)
    C:\windows2\system32\Jnh.exe
    C:\windows2\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    C:\windows2\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    "C:\Program files\quicktime\qttask.exe" -atboottime
    C:\kirby.exe
    C:\Documents and Settings\Bobby Blue.BOBBYBLUE\Application Data\oeac.exe
    (a blank line but still has a checkmark)
    C:\Program FIles\Java\j2re1.4.2_05\bin\jusched.exe
    C:\rundll32 "C:\Program Files\SurfBuddy\sbuddy.dll",run
    C:\windows2\system32\eqddic.exe
    "C:\program files\common files\real\update_OB\realsched.exe" -osboot
    rundll32 "C:\Program Files\webspecials\webspec.dll",run
    C:\PROGRA~\MICROS~2\OFFICE\OSA9.EXE -b -I

    These are the ones still running

    Mixer.exe/ startup (for my sound card)
    C:\Program Files\Multires\multires.exe (for my video card)
    C:\windows2\system32\ctfmon.exe (language input)
     
  9. PhilliePhan

    PhilliePhan Guest

    Well, it has always been my policy that, on questionable items and selective startup, the user knows best how he or she wants things! So I tend to leave those alone . . .

    Give me a few moments to run through your log. AFTER you get cleaned up, you really ought to visit Windows Updates and get updated!

    PP :)
     
  10. AntoneFisher

    AntoneFisher Private E-2

    Alright, I have time. Thanks for spending your time on this anyway.
     
  11. PhilliePhan

    PhilliePhan Guest

    Hi Antone,

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and try to end it:

    r?gedit.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O2 - BHO: winnss - {016A4A33-B045-7BF0-33F3-733A59485028} - C:\WINDOWS2\System32\winnss.dll (file missing)
    O2 - BHO: (no name) - {EDE52A28-9835-4FC6-8930-489D88778C78} - C:\WINDOWS2\System32\cadj.dll (file missing)
    O2 - BHO: (no name) - {FE133B83-F93A-84C4-47D7-873A93421294} - C:\WINDOWS2\System32\brsvsibv.dll

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe (file missing)

    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)

    FIX these O16 entries – If you see one you absolutely cannot do without, leave it:
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01dbf0dc380af770d706/netzip/RdxIE601.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {AE609930-A6EB-4A78-B7DA-B3200705FEBD} (Mophun Control) - http://www.mophun.com/codebase/mophun.cab
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://desync.com/nsvplayx_vp6_aac.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
    O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab

    FIX these two entries:
    O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS2\System32\angelex.exe (file missing)
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS2\zeta.exe (file missing)

    Check these three to make sure you want and need them – Fix the two with missing files. Or, check to make sure that they are functioning the way you want them to work.
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS2\System32\npkcsvc.exe
    O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS2\system32\SCardSer.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    These may not be accurate, so leave them alone – But, check your Panda AV to make sure it is functioning properly!
    O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe (file missing)
    O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe (file missing)
    O23 - Service: Panda IManager Service (PSIMSVC) - Unknown owner - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain (most should be gone):

    C:\WINDOWS2\System32\cadj.dll
    C:\WINDOWS2\system32\r?gedit.exe
    C:\WINDOWS2\System32\angelex.exe
    C:\WINDOWS2\zeta.exe
    C:\WINDOWS2\System32\brsvsibv.dll
    C:\WINDOWS2\System32\winnss.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    I'm heading out the door, but will try to check back Saturday evening.

    Best luck :)
    PP
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PP,

    Just want you to know that HJT has a bug in reporting O23 line files to be missing (sometimes) when they are not. I have been speaking directly with Merijn about this. He knows there is a problem and is working on it. It is best to make sure the files are not missing and also that the services are really not needed before trying to fix these lines. In many cases they will come back anyway because the service is really still running and for some reason the service name is corrupted (at least according to HJT) and the corrupted service name winds up making HJT think the file is missing.

    I have seen many cases where the service/process is actually shown running in a process list but the O23 line states the file is missing. This is obviously impossible.
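    A defender-side triage of the kinds of HijackThis lines PP listed in post 11, with chaslang's O23 caveat from post 12 built in: an O23 line that HJT reports as "(file missing)" is only marked for fixing when its binary is not in the observed process list. This is an added example, not HijackThis's own logic or any tool from the thread; the sample lines are copied from post 11, and the RUNNING set is a constructed stand-in for what Task Manager showed.

```python
import re

# Constructed sample: HijackThis lines quoted from post 11 of this thread,
# including one Panda O23 line that PP said to leave alone.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: winnss - {016A4A33-B045-7BF0-33F3-733A59485028} - C:\\WINDOWS2\\System32\\winnss.dll (file missing)
O2 - BHO: (no name) - {FE133B83-F93A-84C4-47D7-873A93421294} - C:\\WINDOWS2\\System32\\brsvsibv.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O23 - Service: ISEXEng - Unknown owner - C:\\WINDOWS2\\System32\\angelex.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\\Program Files\\Panda Software\\Panda Titanium Antivirus 2004\\pavsrv51.exe (file missing)
"""

# Constructed: image names seen in Task Manager at the time of the scan
# (stand-in for the process list chaslang says to cross-check against).
RUNNING = {"pavsrv51.exe", "ctfmon.exe", "explorer.exe"}

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# O23 lines carry the service binary after " - "; stop at the first ".exe".
O23_PATH_RE = re.compile(r" - ([A-Za-z]:\\[^\"]*?\.exe)", re.IGNORECASE)
BROKEN = ("(no name)", "(file missing)", "(no file)")


def triage(log_text, running=RUNNING):
    """Map each recognised HJT line to 'fix', 'verify' or 'review'."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O15":
            # Trusted-zone / trusted-IP additions the user did not make.
            verdicts[line] = "fix"
        elif code in ("O2", "O3", "O9") and any(tag in body for tag in BROKEN):
            # Nameless or fileless BHOs, toolbars and buttons.
            verdicts[line] = "fix"
        elif code == "O23" and "(file missing)" in body:
            pm = O23_PATH_RE.search(body)
            exe = pm.group(1).rsplit("\\", 1)[-1].lower() if pm else ""
            # HJT can misreport a live service as missing: verify, don't fix.
            verdicts[line] = "verify" if exe in running else "fix"
        elif code == "R0":
            verdicts[line] = "review"  # home-page setting: confirm with the user
    return verdicts
```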
     
  13. AntoneFisher

    AntoneFisher Private E-2

    Wow, thanks, got rid of the system32/regedit.exe problem and other ones I never knew I had. Well, here is the HJT log. Thanks :)
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hi Antone,

    The first thing I need to point out is that your Operating System is WAY outdated. After we get your system clean I would recommend updating to Windows XP Service Pack 2 for security purposes. Without a service pack you're prone to re-infection, so please get updated so you can stay clean.


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab

    O20 - AppInit_DLLs: PAVWAIT.DLL

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Run CCleaner


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.



    Now, Check to see if Panda Titanium Antivirus 2004 is running ok.


    After doing the above, reboot and let me know if you experience any further problems.
     
