
regedit window will not stay open

Discussion in 'Earlier Versions of Windows' started by wildbull, Jan 20, 2003.

Thread Status:
Not open for further replies.
  1. wildbull

    wildbull Thread Starter

    Joined:
    Jan 19, 2003
    Messages:
    4
    I have a three-year-old Compaq 333 MHz Athlon processor, 196M RAM.
    I've been having trouble loading Norton System Works because there is a problem in my Registry files.
    When I try to go to the registry files to correct the problem, I go to Run and type in regedit... then the window just pops open and shuts down right away.
    Is there any way to get the REGEDIT window to stay open?
    Thanks,
    Wildbull
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi, and welcome to the board.

    This is one of the things a virus like Yaha might do.

    Start by running an online scan at Trend Micro HouseCall or Panda Active Scan.

    Next, go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

    Unzip, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and post the contents here.
     
  3. wildbull

    wildbull Thread Starter

    Joined:
    Jan 19, 2003
    Messages:
    4
    Going in circles here; ran Trend Micro HouseCall as suggested, found 3 viruses and deleted them. By name they were JS NOCLOSE.H; Worm YaHa.k, and another Worm YaHa.k. They were deleted, as stated.

    Downloaded Startuplist, obtained zipfile unzip wizard, and when it tried to unzip the Startuplist got error message as follows: 'A required .DLL file MSVBM60.DLL was not found'; downloaded same zip file again thinking there might have been a download error, unzipped and got same error message.

    However, now the regedit window stays open, so how do I recover the MSVBM60.DLL?
     
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    I had a hunch it would be Yaha.

    About MSVBM60.DLL, that's no big deal; download the MS Visual Basic 6.0 runtime files.

    Just double-click after downloading, and let it install.

    You'll be able to run Startuplist afterwards.
     
  5. wildbull

    wildbull Thread Starter

    Joined:
    Jan 19, 2003
    Messages:
    4
    StartupList report, 1/20/03, 8:05:48 PM
    StartupList version: 1.51
    Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SA3DSRV.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\COREL\SUITE8\PROGRAMS\DAD8.EXE
    C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    BackWeb.LNK = C:\CPQS\BackWeb\Program\UserProf.EXE
    Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
    NRunOnce.lnk = C:\Program Files\Norton AntiVirus\NRunOnce.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    Watch Dog Program = C:\COMPAQ\INTERNET\WATCHDOG.EXE
    BillMinder = C:\QUICKENW\BILLMIND.EXE
    NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE /q
    Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Aureal A3D Interactive Audio = sa3dsrv.exe
    Scheduling Agent = C:\windows\system\mstask.exe
    EncMonitor = C:\Program Files\Encompass\Monitor.exe
    SchedulingAgent = mstask.exe
    ConfigServices =

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 15/1/2003, 16:42:24)

    [rename]
    NUL=C:\WINDOWS\NAVUSTUB.EXE
    NUL=C:\PROGRA~1\NORTON~1\DEFANNRS.DLL
    NUL=C:\PROGRA~1\NORTON~1\NAVSHELL.DLL
    NUL=C:\PROGRA~1\NORTON~1
    NUL=C:\PROGRA~1\COMMON~1\SYMANT~1
    NUL=C:\PROGRA~1\NORTON~1\DEFANNRS.DLL
    NUL=C:\PROGRA~1\NORTON~1
    NUL=C:\WINDOWS\TEMP\PFT52E~1\VCSETUP.EXE
    C:\Program Files\Symantec\SYMEVNT1.DLL=C:\WINDOWS\SYSTEM\SYMEVNT1.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\002DF6E1._MP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\ZDATAI51.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_WUTL951.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\_INS5576._MP
    NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\ZDATAI51.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\_WUTL951.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\_INS5576._MP
    NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\ZDATAI51.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP24.DIR\_WUTL951.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP25.DIR\_INS5576._MP
    NUL=C:\WINDOWS\TEMP\_ISTMP25.DIR\ZDATAI51.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP25.DIR\_WUTL951.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\CORECOMP.INI
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\CTL3D32.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\2E1A6A.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTOPTS.INI
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\ISUNINST.EXE
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\BBRD1.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\BBRD2.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\BBRD3.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_1.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_2.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_3.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_4.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_5.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_6.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_7.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INST16_8.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL1.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL2.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL3.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL4.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL5.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL6.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL7.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTALL8.BMP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\LICENSE.TXT
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\NAVW32.HLP
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\INSTSCAN.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\N32CALL.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\N32USERL.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\NAVEX32A.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\NAVINS95.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\NAVKRNLO.VXD
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\S32NAVO.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VIRSCAN1.DAT
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VIRSCAN2.DAT
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VIRSCAN3.DAT
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VIRSCAN4.DAT
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\VALUE.SHL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\2E1A63.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\RESCUE.ISS
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\RESQLOG.TXT
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\OLEAUT32.DLL
    NUL=C:\WINDOWS\TEMP\_ISTMP23.DIR\_ISTMP0.DIR\REGSVR32.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    C:\PROGRA~1\MCAFEE\VIRUSS~1\SCANPM.EXE C:\
    ban /nc
    ndisban
    redirall
    arswait
    z:login
    SET BLASTER=A220 I5 D1
    IF EXIST C:\CPQS\BACKWEB\BWSETUP.BAT CALL C:\CPQS\BACKWEB\BWSETUP.BAT
    ECHO bw_workgroup=,"Service Connection">>%DSHD%\CPQS\BACKWEB\USERPROF.DAT
    IF EXIST \PIPOST.BAT CALL \PIPOST.BAT
    IF EXIST \PIPOST.BAT DEL \PIPOST.BAT
    \CPQS\TOOLS\MINIFER2.EXE CREV=,200 LANG=,"EN"
    c:\windows\system\verflop.com
    c:\windows\system\verflop.com

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\SWFLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [QDiagHUpdateObj Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\QDIAGH.OCX
    CODEBASE = http://h30043.www3.hp.com/dj/qdiagh.cab?223

    [InstallShield International Setup Player]
    InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
    CODEBASE = http://diagnostics.support.hp.com/motivedocs/ces/ishield/isetup.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [symsupportutil]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    OSD = C:\WINDOWS\Downloaded Program Files\OSD34.OSD

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003011601/housecall.antivirus.com/housecall/xscan53.cab

    --------------------------------------------------
    End of report, 8,618 bytes
    Report generated in 0.379 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Based on what I see in your startups, I don't know why you are having that problem with regedit.exe; you may need to restore a new copy of it. One thing you can try to get it to stay open is to run it in Safe Mode. To do that, press and hold the Ctrl key immediately when starting up; then select Safe Mode from the startup menu. Run regedit and see if it stays open; if it doesn't, I'd definitely replace it.

    One thing I do see in your startups is that an old McAfee file is apparently running from autoexec.bat:

    C:\PROGRA~1\MCAFEE\VIRUSS~1\SCANPM.EXE C:\

    You can remove that by running sysedit and deleting the line, or you can run msconfig and simply uncheck the entry under the autoexec.bat tab.

    I suspect this should be removed from startups as well:

    NRunOnce.lnk = C:\Program Files\Norton AntiVirus\NRunOnce.exe
     
  7. wildbull

    wildbull Thread Starter

    Joined:
    Jan 19, 2003
    Messages:
    4
    The regedit window has stayed open since we did the virus scan.
    We are getting a smoother boot now, and it seems that with your help we have narrowed the myriad of problems down to just a few... daughters come home from college and open everything on the computer mail program. It keeps me busy after they leave though.
    Thanks so much for your help!
    Wildbull
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Well, that looks pretty much OK, except for two weird entries in your Autoexec.bat:

    c:\windows\system\verflop.com
    c:\windows\system\verflop.com


    Open your autoexec.bat in Notepad, and edit those two lines by inserting a ; at the beginning, so that they'll look like

    ; c:\windows\system\verflop.com
    ; c:\windows\system\verflop.com


    Save in File, and close your Autoexec.bat.

    That way Windows will not try to execute the file at startup.

    Also have a look at the properties of this verflop.com file to see what it could possibly be.

    Other than that, I'd say you're clean.

    Cheers,
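
The review the replies above do by eye on the StartupList report, as an added example that is not part of the original thread or of StartupList itself: it parses the report's rule-delimited sections into one inventory of autostart launch points and picks out entries listed twice. The function names and the embedded excerpt are constructed for illustration, and only unconditional program launches in AUTOEXEC.BAT are counted (an assumption of this sketch).

```python
import re

# Constructed excerpt in the layout of the StartupList 1.51 report above.
SAMPLE_REPORT = r"""
Listing of startup folders:
[C:\WINDOWS\Start Menu\Programs\StartUp]
NRunOnce.lnk = C:\Program Files\Norton AntiVirus\NRunOnce.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
C:\PROGRA~1\MCAFEE\VIRUSS~1\SCANPM.EXE C:\
SET BLASTER=A220 I5 D1
IF EXIST \PIPOST.BAT CALL \PIPOST.BAT
c:\windows\system\verflop.com
c:\windows\system\verflop.com
"""

RULE = re.compile(r"^\s*-{10,}\s*$", re.M)
# Unconditional launch: the line itself starts with a .exe/.com/.bat path.
LAUNCH = re.compile(r"^(\S*\\)?[^\s\\]+\.(exe|com|bat)\b", re.I)
NAMED = ("Autorun entries", "Listing of startup folders")

def split_sections(report):
    """Return [(title, body_lines)] for each rule-delimited section."""
    out = []
    for chunk in RULE.split(report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            out.append((lines[0].rstrip(":"), lines[1:]))
    return out

def autostart_inventory(report):
    """Return [(source, command)] for each autostart launch point."""
    items = []
    for title, body in split_sections(report):
        for line in body:
            if title.upper().endswith("AUTOEXEC.BAT LISTING"):
                if m := LAUNCH.match(line):
                    items.append(("autoexec.bat", m.group(0).lower()))
            elif title.startswith(NAMED) and " = " in line:
                items.append((title, line.split(" = ", 1)[1].lower()))
    return items

def repeated(items):
    """Launch points listed more than once under the same source."""
    return sorted({i for i in items if items.count(i) > 1})
```
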
     

Short URL to this thread: https://techguy.org/114237
