# Regedit.exe not working



## justauser (May 14, 2007)

Hi

The regedit utility refused to work on my machine. The error that comes up is "Windows cannot find 'Regedit'...". 

The EXE is available on my machine.

I did come across other posts mentioning this as the outcome of a virus attack. I tried all the suggested solutions - installed fixswen.inf, tried correcting the file associations but all in vain.

Any help would be much appreciated


----------



## bonk (Sep 8, 2005)

Does going Start>>Run, typing *cmd* and clicking OK work??


----------



## justauser (May 14, 2007)

Yep. I can even launch utilities like msconfig. Seems like just a prob with regedit.


----------



## bonk (Sep 8, 2005)

Try going to *C:\WINDOWS\system32* and looking for *regedit32.exe*... if found, double click it.

You may have to show hidden files first

*How to Show Hidden Files*

Click *Start*.
Open *My Computer*.
Select the *Tools* menu and click *Folder Options*.
Select the *View* tab.
Under the *Hidden files and folders* heading select *Show hidden files and folders*.
Uncheck the *Hide protected operating system files (recommended)* option and uncheck the *Hide extensions for known file types* option.
Click *Yes* to confirm.
Click *OK*.


----------



## justauser (May 14, 2007)

I found regedt32.exe and regedit.exe. The former did nothing on double-click and the latter gave the same response as before!!


----------



## bonk (Sep 8, 2005)

Try running this tool [email protected] Removal Tool


----------



## Frank4d (Sep 10, 2006)

Also, make a copy of regedit.exe and rename the copy regedit.COM, then run it.


----------



## WhitPhil (Oct 4, 2000)

You are infected with "something".

Run HiJackThis and post back the log file that it creates.


----------



## justauser (May 14, 2007)

bonk said:


> Try running this tool [email protected] Removal Tool


Ran this. Result as "no infection". The exe still does not run!


----------



## justauser (May 14, 2007)

Frank4d said:


> Also, make a copy of regedit.exe and rename the copy regedit.COM, then run it.


Thanks Frank4d. This worked!! I would still need the regedit.exe to work in order to use some utilities\files to make reg changes. Any thoughts?


----------



## justauser (May 14, 2007)

WhitPhil said:


> You are infected with "something".
> 
> Run HiJackThis and post back the log file that it creates.


Here you go; the log file of the system scan:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:24 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HotKey\Hotkey.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\conime.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\HotKey\Hotkey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D9D2161-B7BF-4034-AF28-1D007397B362}: NameServer = 218.248.240.79 218.248.240.135
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


----------



## Frank4d (Sep 10, 2006)

You do (or did at one time) have something that caused the problem though.

Regarding your question, you can edit the registry using the renamed file. Other utilities\files that make calls to regedit should work too, as long as they don't use the full filename with the EXE extension. This is because COM is listed before EXE in your environment variables.


----------



## dvk01 (Dec 14, 2002)

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

 Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## justauser (May 14, 2007)

Frank4d said:


> You do (or did at one time) have something that caused the problem though.
> 
> Regarding your question, you can edit the registry using the renamed file. Other utilities\files that make calls to regedit should work too, as long as they don't use the full filename with the EXE extension. This is because COM is listed before EXE in your environment variables.


True. Seems like the virus did infect, got cleaned but the residual effect got left behind. I will follow your suggestions. Thanks a ton and best wishes.


----------



## justauser (May 14, 2007)

dvk01 said:


> Download *SDFix* and save it to your Desktop.
> 
> Double click *SDFix.exe* and it will extract the files to %systemdrive%
> (Drive that contains the Windows Directory, typically C:\SDFix)
> ...


Followed the instructions. The HJT log is as follows, followed by SDFix log. During the running of SDFix, it kept saying "Cannot find C:\SDFix\Regedit.exe"
---------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:38:23 AM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HotKey\Hotkey.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\conime.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - Global Startup: Hotkey.lnk = C:\Program Files\HotKey\Hotkey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D9D2161-B7BF-4034-AF28-1D007397B362}: NameServer = 218.248.240.79 218.248.240.135
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

---------------------------------------------------------
---------------------------------------------------------

SDFix: Version 1.84

Run by hello - Tue 05/15/2007 - 11:29:53.03

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\regedit.com - Deleted

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder 
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll
C:\Documents and Settings\hello\Local Settings\Temp\is-IJU4S.tmp\ABCNH.exe
C:\Documents and Settings\hello\Local Settings\Temp\is-IJU4S.tmp\ABCNTB.exe
C:\Documents and Settings\hello\Local Settings\Temp\is-IJU4S.tmp\ABCNH.exe
C:\Documents and Settings\hello\Local Settings\Temp\is-IJU4S.tmp\ABCNTB.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8cd6b657df2be1875bba5acbd76b9294\download\BIT85.tmp

Finished

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder 
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll
C:\Documents and Settings\hello\Local Settings\Temp\is-IJU4S.tmp\ABCNH.exe
C:\Documents and Settings\hello\Local Settings\Temp\is-IJU4S.tmp\ABCNTB.exe
C:\Documents and Settings\hello\Local Settings\Temp\is-IJU4S.tmp\ABCNH.exe
C:\Documents and Settings\hello\Local Settings\Temp\is-IJU4S.tmp\ABCNTB.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8cd6b657df2be1875bba5acbd76b9294\download\BIT85.tmp

Finished


----------



## dvk01 (Dec 14, 2002)

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy *all the text* contained in the quote box below, including the *"Files to delete:"* line, to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.

then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here, then press the browse button and navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the windows press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

C:\avenger\backup.zip
C:\SDFix\backups\backups.zip

then 
Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.


Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Processes* group click *Non-Microsoft*
In the *Win32 Services* group click *Non-Microsoft*
In the *Driver Services* group click *Non-Microsoft*
In the *Registry* group click *Non-Microsoft*
In the *Files Created Within* group click *30 days*. Make sure Non-Microsoft only is *CHECKED*
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *CHECKED*
In the *File String Search* group select *Non-Microsoft*
In the *additional scans section*, please select *ALL* and check *NON-Microsoft only*

Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.

Use the Reply button and attach the notepad file here. I will review it when it comes in.


----------



## justauser (May 14, 2007)

dvk01 said:


> Download *SDFix* and save it to your Desktop.
> 
> Double click *SDFix.exe* and it will extract the files to %systemdrive%
> (Drive that contains the Windows Directory, typically C:\SDFix)
> ...


Seems like there is a new complication. Every time my machine is starting, SDFix starts with some registry repairs!! Is this expected? Anything I should do?


----------



## justauser (May 14, 2007)

Files uploaded as instructed.
Avenger results below and WinPFind3u results attached:
--------------------------------------------------------------------------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hthrypwc

*******************

Script file located at: \??\C:\WINDOWS\^tququob.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGQQ2.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


----------



## dvk01 (Dec 14, 2002)

this will also sort out the sdfix starting on every boot

for some reason it is running every time & it shouldn't do

WinPFind3 Fix -

Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the *Run Fix* button.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> hndsfawb -> %SystemDrive%\mjoqxtcb.bat
YY -> SDFix -> %SystemDrive%\SDFix\RunThis.bat
< IFEO [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
YN -> regedit.exe -> %System32%\drivers\jwbnlb.exe [Debugger]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {91B1E846-2BEF-4345-8848-7699C7C9935F} [HKLM] -> %CommonProgramFiles%\Microsoft Shared\MSINFO\SysWFGQQ2.dll []
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> C:\WINDOWS\system32\drivers\conime.exe -> %System32%\drivers\conime.exe
[Registry - Additional Scans - Non-Microsoft Only]
< Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> jwbnlb -> %System32%\qvkwjh.exe
[Files/Folders - Created Within 30 days]
NY -> qq.exe -> %System32%\qq.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

when it reboots

Post the following back here:

the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


----------



## dvk01 (Dec 14, 2002)

It looks like regedit.exe has been deleted by mistake along the way so we will need to restore it

but before we do anything I need to see exactly what files we do have and where

first set your files like this

as some of the files or folders may be hidden do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

then

go to start/search, select all files & folders and in the file name box type *regedit*

in the look in box, select browse & navigate to c:\windows

press search & tell us what files are found


----------



## dvk01 (Dec 14, 2002)

let's get regedit back working anyway

download http://andymanchesta.com/Files/regedit.exe & save it to c:\windows

that will make sure you have a genuine legit copy of regedit.exe where it is supposed to be

then

do this please

go to 
Start > Run >

copy the below & paste into the box, press ok

```
cmd /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt & notepad %systemdrive%\Result.txt
```

post back with the results


----------
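The `Result.txt` written by the `reg query` command above can be triaged offline. This is an added example, not code from any of the posters: a Python parser that flags every `Debugger` value under Image File Execution Options, because Windows starts that program in place of the named image (the redirect is keyed on the image file name, so a renamed copy is not matched). The sample text is constructed from values shown in this thread; the `taskmgr.exe` entry, the `allowed` parameter and the function names are illustrative assumptions.

```python
import re
from typing import NamedTuple

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")

# A value line is "name <sep> REG_TYPE <sep> data". <sep> is a tab in
# reg.exe 3.0 output (as posted in this thread) or a run of spaces in
# later reg.exe versions, which also indent the line.
VALUE_RE = re.compile(
    r"^\s*(?P<name>.+?)(?:\t|\s{2,})(?P<type>REG_[A-Z_]+)"
    r"(?:(?:\t|\s{2,})(?P<data>.*))?$"
)


class Finding(NamedTuple):
    image: str      # executable name the redirect applies to
    debugger: str   # program Windows launches instead
    fix: str        # command to review before running, removes the value


def parse_reg_query(text):
    """Return {key_path: {value_name_lower: (type, data)}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.lstrip().upper().startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        # Banner lines and wrapped REG_BINARY continuation lines do not
        # match the pattern and are ignored.
        if match and current is not None:
            name = match.group("name").lower()
            keys[current][name] = (match.group("type"), match.group("data") or "")
    return keys


def find_ifeo_debuggers(text, allowed=()):
    """List IFEO image entries that carry a Debugger value.

    `allowed` holds debugger paths that were set on purpose (assumption:
    a site-specific allowlist); matching is case-insensitive.
    """
    prefix = IFEO.lower() + "\\"
    allowed_lower = {path.lower() for path in allowed}
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image or "debugger" not in values:
            continue  # deeper subkeys are not per-image entries
        debugger = values["debugger"][1]
        if debugger.lower() in allowed_lower:
            continue
        fix = f'reg delete "{key}" /v Debugger /f'
        findings.append(Finding(image, debugger, fix))
    return findings


# Constructed sample: first four entries reuse values posted in this thread,
# the last one imitates the space-separated layout of later reg.exe versions.
SAMPLE = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    IFEO,
    "",
    IFEO + r"\apitrap.dll",
    "CheckAppHelp\tREG_DWORD\t0x1",
    "",
    IFEO + r"\photohse.EXE",
    "GlobalFlag\tREG_SZ\t0x00200000",
    "",
    IFEO + r"\regedit.exe",
    "Debugger\tREG_SZ\tC:\\WINDOWS\\system32\\drivers\\jwbnlb.exe",
    "",
    IFEO + r"\taskmgr.exe",
    r"    Debugger    REG_SZ    C:\Tools\procexp.exe",
])

if __name__ == "__main__":
    for item in find_ifeo_debuggers(SAMPLE, allowed=[r"C:\Tools\procexp.exe"]):
        print(f"{item.image} -> {item.debugger}")
        print(f"  review, then: {item.fix}")
```

Removing the `Debugger` value only undoes the redirect; the executable it pointed to still has to be dealt with separately.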



## justauser (May 14, 2007)

The search results are as such-

regedit.exe - C\windows
regedit.chm - C\windows\help
regedit.hlp - C\windows\help
regedit.com-07B9D0C4.pf - C\windows\prefetch
regedit.exe - C\windows\system32


----------



## justauser (May 14, 2007)

dvk01 said:


> lets get regedit back working anyway
> 
> download http://andymanchesta.com/Files/regedit.exe & save it to c:\windows
> 
> ...


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
DisableHeapLookAside	REG_SZ	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
GlobalFlag	REG_SZ	0x00200000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
GlobalFlag	REG_SZ	0x00200000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
DisableHeapLookAside	REG_SZ	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
DisableHeapLookAside	REG_SZ	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
DisableHeapLookAside	REG_SZ	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
DisableHeapLookAside	REG_SZ	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Debugger	REG_SZ	C:\WINDOWS\system32\drivers\jwbnlb.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\salwrap.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.DLL
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
DisableHeapLookAside	REG_SZ	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
DisableHeapLookAside	REG_SZ	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
CheckAppHelp	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
ApplicationGoo	REG_BINARY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger	REG_SZ	ntsd -d
GlobalFlag	REG_SZ	0x000010F0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE
ApplicationGoo	REG_BINARY


----------
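
Added example, not part of the thread: a `Debugger` value under an `Image File Execution Options\<image name>` key makes Windows start the named debugger in place of that image, so such an entry for regedit.exe keeps it from launching. The Python below parses a text export in the layout shown above and lists every such value, skipping the stock placeholder key. The function names are this example's own, and the sample data, including the regedit.exe entry and its debugger path, is constructed.

```python
IFEO_MARKER = "\\image file execution options\\"
PLACEHOLDER_KEY = "your image file name here without a path"  # stock template key
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample in the export's layout: key line, then name<TAB>type<TAB>data.
# The regedit.exe entry and its debugger path are made up for the demonstration.
SAMPLE = "\n".join([
    IFEO + r"\ua80.EXE",
    "DisableHeapLookAside\tREG_SZ\t1",
    "",
    IFEO + r"\xwsetup.EXE",
    "ApplicationGoo\tREG_BINARY",  # binary data stripped: must not break parsing
    "",
    IFEO + r"\Your Image File Name Here without a path",
    "Debugger\tREG_SZ\tntsd -d",
    "GlobalFlag\tREG_SZ\t0x000010F0",
    "",
    IFEO + r"\regedit.exe",
    "debugger\tREG_SZ\t" + r"C:\placeholder\missing.exe",
])

def parse_export(text):
    """Return {key_path: {value_name: (type, data)}} for a text registry export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif line.strip() and current is not None:
            name, _, rest = line.partition("\t")
            vtype, _, data = rest.partition("\t")  # data may be empty
            current[name.strip()] = (vtype.strip(), data.strip())
    return keys

def find_debugger_redirects(text):
    """List (image_name, debugger_command) for IFEO keys carrying a Debugger value."""
    hits = []
    for key, values in parse_export(text).items():
        pos = key.lower().find(IFEO_MARKER)
        if pos < 0:
            continue  # not an Image File Execution Options subkey
        image = key[pos + len(IFEO_MARKER):]
        if image.lower() == PLACEHOLDER_KEY:
            continue  # documentation template, not tied to a real image
        for name, (vtype, data) in values.items():
            if name.lower() == "debugger":  # registry value names are case-insensitive
                hits.append((image, data))
    return hits
```

Run against a fresh export taken after cleanup, an empty list from `find_debugger_redirects` means no `Debugger` redirect remains under that key.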



## justauser (May 14, 2007)

dvk01 said:


> this will also sort out the sdfix starting on every boot
> 
> for some reason it is running every time & it shouldn't do
> 
> ...


Thanks a lot for all the help dvk. Appreciate it.
The log files had the following details -

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\hndsfawb deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SDFix deleted successfully.
C:\SDFix\RunThis.bat moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{91B1E846-2BEF-4345-8848-7699C7C9935F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91B1E846-2BEF-4345-8848-7699C7C9935F} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell written successfully.
[Registry - Additional Scans - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\jwbnlb deleted successfully.
File not found.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\SYSTEM32\qq.exe moved successfully.
[Empty Temp Folders]
C:\DOCUME~1\hello\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\hello\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 05/17/2007 20:05:45


----------



## dvk01 (Dec 14, 2002)

You did the reg export before you ran wpfind, didn't you, as the entry still shows?

Can you repeat the reg export again please, as I want to make sure that the entry we were concerned about that was stopping regedit.exe from working has gone?

How is the computer at the moment?


----------



## dvk01 (Dec 14, 2002)

Actually, I have had another thought.

Can you do this instead first:

Download the attached fix_regedit.zip & save to desktop.
Unzip it & double click the reg file & say yes to prompts to merge with registry.


----------



## justauser (May 14, 2007)

Thanks a ton for all the help to all and especially dvk. I had to go away from that computer abruptly and hence this effort will have to stop mid-way. I guess there was a considerable repair that happened. Appreciate all the help again. Best


----------

