regedit window will not stay open


wildbull

Thread Starter
Joined
Jan 19, 2003
Messages
4
I have a three-year-old Compaq 333MHz Athlon processor, 196M RAM.
I've been having trouble loading Norton System Works because there is a problem in my Registry files.
When I try to go to the registry files to correct the problem, I go to Run and type in regedit, then the window just pops open and shuts down right away.
Is there any way to get the REGEDIT window to stay open?
Thanks,
Wildbull
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Hi, and welcome to the board.

This is one of the things a virus like Yaha might do.

Start by running an online scan at Trend Micro HouseCall or Panda Active Scan

Next, go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

Unzip, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and post the contents here.
 

wildbull

Thread Starter
Joined
Jan 19, 2003
Messages
4
Going in circles here; ran Trend Micro HouseCall as suggested, found 3 viruses and deleted them. By name they were JS NOCLOSE.H, Worm YaHa.k, and another Worm YaHa.k. They were deleted, as stated.

Downloaded Startuplist, obtained zipfile unzip wizard, and when it tried to unzip the Startuplist I got an error message as follows: 'A required .DLL file MSVBM60.DLL was not found'. Downloaded the same zip file again thinking there might have been a download error, unzipped and got the same error message.

However, now the regedit window stays open, so how do I recover the MSVBM60.DLL?
 

wildbull

Thread Starter
Joined
Jan 19, 2003
Messages
4
StartupList report, 1/20/03, 8:05:48 PM
StartupList version: 1.51
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COREL\SUITE8\PROGRAMS\DAD8.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
BackWeb.LNK = C:\CPQS\BackWeb\Program\UserProf.EXE
Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
NRunOnce.lnk = C:\Program Files\Norton AntiVirus\NRunOnce.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
Watch Dog Program = C:\COMPAQ\INTERNET\WATCHDOG.EXE
BillMinder = C:\QUICKENW\BILLMIND.EXE
NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE /q
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Aureal A3D Interactive Audio = sa3dsrv.exe
Scheduling Agent = C:\windows\system\mstask.exe
EncMonitor = C:\Program Files\Encompass\Monitor.exe
SchedulingAgent = mstask.exe
ConfigServices =

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 15/1/2003, 16:42:24)

[rename]
NUL=C:\WINDOWS\NAVUSTUB.EXE
NUL=C:\PROGRA~1\NORTON~1\DEFANNRS.DLL
NUL=C:\PROGRA~1\NORTON~1\NAVSHELL.DLL
NUL=C:\PROGRA~1\NORTON~1
NUL=C:\PROGRA~1\COMMON~1\SYMANT~1
NUL=C:\PROGRA~1\NORTON~1\DEFANNRS.DLL
NUL=C:\PROGRA~1\NORTON~1
NUL=C:\WINDOWS\TEMP\PFT52E~1\VCSETUP.EXE
C:\Program Files\Symantec\SYMEVNT1.DLL=C:\WINDOWS\SYSTEM\SYMEVNT1.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\002DF6E1._MP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\ZDATAI51.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_WUTL951.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\_INS5576._MP
NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\ZDATAI51.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\_WUTL951.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\_INS5576._MP
NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\ZDATAI51.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\_WUTL951.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP25.DIR\_INS5576._MP
NUL=C:\WINDOWS\TEMP\_ISTMP25.DIR\ZDATAI51.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP25.DIR\_WUTL951.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\CORECOMP.INI
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\CTL3D32.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\2E1A6A.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTOPTS.INI
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\ISUNINST.EXE
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\BBRD1.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\BBRD2.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\BBRD3.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_1.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_2.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_3.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_4.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_5.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_6.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_7.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_8.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL1.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL2.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL3.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL4.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL5.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL6.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL7.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL8.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\LICENSE.TXT
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\NAVW32.HLP
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTSCAN.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\N32CALL.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\N32USERL.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\NAVEX32A.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\NAVINS95.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\NAVKRNLO.VXD
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\S32NAVO.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VIRSCAN1.DAT
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VIRSCAN2.DAT
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VIRSCAN3.DAT
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VIRSCAN4.DAT
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VALUE.SHL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\2E1A63.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\RESCUE.ISS
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\RESQLOG.TXT
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\OLEAUT32.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\REGSVR32.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\MCAFEE\VIRUSS~1\SCANPM.EXE C:\
ban /nc
ndisban
redirall
arswait
z:login
SET BLASTER=A220 I5 D1
IF EXIST C:\CPQS\BACKWEB\BWSETUP.BAT CALL C:\CPQS\BACKWEB\BWSETUP.BAT
ECHO bw_workgroup=,"Service Connection">>%DSHD%\CPQS\BACKWEB\USERPROF.DAT
IF EXIST \PIPOST.BAT CALL \PIPOST.BAT
IF EXIST \PIPOST.BAT DEL \PIPOST.BAT
\CPQS\TOOLS\MINIFER2.EXE CREV=,200 LANG=,"EN"
c:\windows\system\verflop.com
c:\windows\system\verflop.com

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\SWFLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\SYSTEM\QDIAGH.OCX
CODEBASE = http://h30043.www3.hp.com/dj/qdiagh.cab?223

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://diagnostics.support.hp.com/motivedocs/ces/ishield/isetup.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

[symsupportutil]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
OSD = C:\WINDOWS\Downloaded Program Files\OSD34.OSD

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2003011601/housecall.antivirus.com/housecall/xscan53.cab

--------------------------------------------------
End of report, 8,618 bytes
Report generated in 0.379 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Dec 9, 2000
Messages
45,855
Based on what I see in your startups, I don't know why you are having that problem with regedit.exe; you may need to restore a new copy of it. One thing you can try to get it to stay open is to run it in Safe Mode. To do that, press and hold the Ctrl key immediately when starting up, then select Safe Mode from the startup menu. Run regedit and see if it stays open; if it doesn't, I'd definitely replace it.

One thing I do see in your startups is that an old McAfee file is apparently running from autoexec.bat:

C:\PROGRA~1\MCAFEE\VIRUSS~1\SCANPM.EXE C:\

You can remove that by running sysedit and deleting the line, or you can run msconfig and simply uncheck the entry under the autoexec.bat tab.

I suspect this should be removed from startups as well:

NRunOnce.lnk = C:\Program Files\Norton AntiVirus\NRunOnce.exe
 

wildbull

Thread Starter
Joined
Jan 19, 2003
Messages
4
The regedit window has stayed open since we did the virus scan.
We are getting a smoother boot now and it seems that with your help we have narrowed the myriad of problems down to just a few... daughters come home from college and open everything on the computer mail program. It keeps me busy after they leave though.
Thanks so much for your help!
Wildbull
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Well, that looks pretty much OK, except for two weird entries in your Autoexec.bat:

c:\windows\system\verflop.com
c:\windows\system\verflop.com


Open your autoexec.bat in Notepad, and edit those two lines by inserting a ; at the beginning, so that they'll look like

; c:\windows\system\verflop.com
; c:\windows\system\verflop.com


Save in File, and close your Autoexec.bat.

That way Windows will not try to execute the file at startup.

Also have a look at the properties of this verflop.com file to see what it could possibly be.

Other than that, I'd say you're clean.

Cheers,
 