Task Manager Not Working - Regedit.sys not found?

Hey guys,

So i am getting this message when I try to go to the task manager by right clicking the windows bar.

Cannot find script file "C:\windows\system32\regedit.sys"

REgedit and MSconfig work just fine...

Help?

thanks!

 

try this

http://support.microsoft.com/kb/929833

 

I'm running XP, can i find a similar guide for XP?

http://support.microsoft.com/kb/310747

this seems right?

man, when i type "sfc.exe" in run, it opens up then closes. Help on this?

 

Make sure you have a compatible install disk available to use sfc in XP. Vista and 7 don't need it, but the utility won't run without it (install media) in XP. In XP, it actually pulls the needed sys files from the disc repository.

Edit: MS says it *might*, but that has never been my experience. It has always failed to run for me unless the system disc was accessible to it.

 

So do I only need the disc in the drive?

 

Open a command line, and run this, without quotes, "sfc /scannow". What happens?

To your second question: You can try without, but it might (will probably) prompt you for it.

 

alrighty, it doesn't need to be a slipstreamed disc with SP2 does it?

 

Yes, it does....if you have XP sp2 installed

 

Not sure. Every time I have used it, it was the same original MS XP SP3 disc, which matched the install.

Only one way to find out, right?

Edit: Post 300!!! Official Addiction level 1!!!

 

i have sp3, but i havent slip streamed it yet lets see if it works without

 

WAIT A SECOND

This is what I get for not reading the entire thread and just following the last few.

There is no LEGITIMATE regedit.sys.

You have a virus/trojan

 

Good call. Not sure how I missed that, either.

This seems to be up your alley: http://forums.techguy.org/malware-r...089-system-restore-inactive-alert-script.html except that was an issue with system restore.. Seems like identical symptoms, though.

Do this: Run Malwarebytes Anti-Malware, along with the HiJackThis scan.

MB: http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

HiJackThis: http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Post back your results, if you need any help figuring out your HJT scan results.

 

It's not so much a system restore problem as a virus modifying your shell so that normal commands are not executed properly. It probably effects dozens of normal windows functions.

 

i've run MBAM already, and seems like it got the trojan off. I guess i should've mentioned that before....

I'm running it again to see if it picks it up again, i'll run hijack this after that

 

@gerryf19: Well, the issue in the link I posted WAS, in fact, a system restore issue, but with the same symptoms.

Let us know if you need any help interpreting your results.

 

thanks! will do

 

My results

C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\******\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\******\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\******\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\******\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\******\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\******\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\******\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: Registration Far Cry.LNK = E:\Program Files\Ubisoft\Crytek\Far Cry\Register\RegistrationReminder.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248644901794
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15110/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9003 bytes

******

 

Out a check infront of the above and click fix now

Reboot

Then go to
C:\WINDOWS\system32\
and delete regedit.sys

Set your computer to see hidden and system files under folder options

 

Ok, but there was no regedit.sys
During the process, Avast found some crap, and it made me delete it. Apparently my page files were corrupt. But now, i can't access my folder system through My Computer. I have to do it through explorer?

I went to system32, but there was no regedit.sys file. there was a reg, regedt32, regini (which has been modified in July).

Help? And whats with teh page files thing? Thanks!

 

Did you go into folder options and click SHOW HIDDEN FILES AND FOLDERS and uncheck HIDE PROTECTED OPERATING SYSTEM FILES?

And run a second hijack log to make sure you don't have a root kit recreating the infection.

 

I have unchecked the Hide Protected...

But the radio button for "Show hidden files..." automatically goes back up to hide, even after i select the show and hit apply.

Gonna do another hijack

wow, now Hijack this won't even open... I have no clue what's going on. I'm going to run MBAM and Avast and see what comes up. This is really weird.

 

If hijack will not open, you are likely still infected and the virus/trojan is preventing it from opening.

try renaming the hijackthis.exe to hj.com and running it.

Is task manager able to run?

 

will try,

no, the task manager still gives me the error of not finding regedit.sys. It seems to think it needs such a file

 

Hehe, you're smart.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:05 PM, on 1/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\****\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\J****\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\****\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\****\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\****\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\****\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\****Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\****\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Documents and Settings\Jasonvdm\My Documents\Downloads\HJ.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\win.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: Registration Far Cry.LNK = E:\Program Files\Ubisoft\Crytek\Far Cry\Register\RegistrationReminder.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248644901794
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15110/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8935 bytes

****

 

Weird. Mbam shows up a lot more viruses than Avast, and especially in the registry. However, as it "quartines" it, it continually pops up with errors that say the exact same message about regedit.sys

 

Wow, you're getting more infected by the minute

O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\win.exe

the second entry wasn't there before.

A lot of virus will have two or even more files that watch each others back. Kill one and other recreates it, or prevents you from killing it.

I know what I would do if I were in your shoes, but I think it may be over your head.

Let's try this the easier way. Reboot into safe mode. Run hijackthis and fix the above two entries.

Run MBAM and your Antivirus in safe mode as well.

Truth is, it will probably take something more, but that may get it.

 

I'll try that, and if it doens't work, i'm just going to reinstall. I have my OS on one HDD. My worries are that the other hdd's are infected too. Why does it complain about pagefiles being missing?

So weird! The regdiit doesn't show up in safe mode or regular mode anymore!

I deleted the other one, and ran MBAM. It came black clean. I'm still stuck wtih a broken task manager. Guess i'm just going to have to reinstall?

Ok, Avast and MBAM have eliminated all viruses. Should i repost HT results?

 

Yes

Your page file is your virtual memory. Did you disable it?

 

No, i didn't. It says the actual pagefile.sys file is missing, but i doubt there is sucha file. I can access everything from going to my documents first, just not from my computer.

NVM, i see that there is such a file... I'm going to look if it's disabled

Ok, it is not disabled on the C drive, only on the other drives. The pagefile.sys file should be generated at bootup, correct?

 

Yes, if it has been deleted.

What told you there was no pagefile?

 

If i got to My Computer, and click on my C drive, it gives me that error. If i go straight to MY Docs, i'm fine

 

Since you can run regedit, start it and navigate to

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

EXPORT that key, zip it up, and attach the file to your next post

Also, boot into safe mode and make sure your computer is set to view hidden files and system files

In the root of the C: drive, do you see autorun.inf?

If so, delete it

 

Here we go!

Deleted it. I also see a file named pagefile, and it's a system file....

 

Yikes, that registry is messed up

OK, here's the problem, I am out of time right now and need to leave, but I will return tonight and post again to address the rest of it.

For now, go back to regedit and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Look for a subkey called
taskmgr.exe

right click and delete it.

Reboot. You should have task manager back now.

The problem is there are crap load of other keys there that need to be deleted as well--this little virus prevents a lot of programs from running so we need to delete those references as well--I just don't want to delete anything necessary so I need to take some time to review the registry key.

 

Dude, thanks for much for your time and effort. I would just reinstall, but this next week it's necessary that I have a working computer,a nd i have no time to reinstall. Plus, what you're teaching me is invaluable. Thanks so much.

You are awesome.

Task Manager works, so does accessing my hard drives. I guess I still need to fix the rest of the registry, but thanks so far!

 

OK download the attached file and double click it, then say yes when it asks you to merge into the registry.

What the virus did was set a variety of files to debug rather than run--its aim was to disable any programs that could disable/delete it. By merging the attached file, you will delete these debug entries.

Note to others reading this: this file is specific to the OPs machine--do not download this for yours.

 

Thanks man.

Will this affect my computers performance at all? I seem to be running fine, but then again, ti's just the tip of the iceberg

 

No, it is simply removing some settings placed in that key by the registry, In addition to preventing taskmanager from running, it would also stop a number of other programs (parts of avast, avg, etc) from running.

 

Oh ok. Thanks man. This seems like it's all good. Can't say how much I appreciate what you did. How did you learn so much about the registry and HT?

 

registry--practice.

What is HT? Hijackthis? I barely ever use it. It's just easy for others to use and get a look at what is going on.

 

Ok, so my C drive works in my Computer, but my other drive (I have two more hdd's, one's got 4 partitions) still show "pagefile.sys" not found. Hm?

 

What shows that?

All drives do not have to have a pagefile (some argue none do, but I disagree). The settings for whether a drive has one or not are under the computer properties' advanced settings (virtual memory).

I have a three 1tb drives in my server and only have the pagefile on the system disk.

 

My other drives (J, K, L)

I seriously want to punch something. My brother claimed he got rid of the virus on his computer by reformating... But installing a second OS without reformatting doesn't count. He just gave me a flashdrive with some drivers i need, and guess what, i start getting MS errors. Task manager won't come up, but doesn't give me any errors....


ARGHGHGHHAISJIASDHSAIDHSADIHASD

he also claimed he scanned the flashdrive. OBviously, he didn't. Now i'm going to have to redo EVERYTHING.

 

and now we know where the original virus came from...his usb has an autoun.inf loading virus.