# Solved: Regedit in run line - screen just flashes



## silliken (Jun 24, 2009)

XP OS - I have a few programs that run on DOS batch files accessing my network drive and when I click on them the screen just flashes. Currently I have this system at my home (not office) so I cannot test the "batch file" accessing the F drive - however, I suspect it still will not work as I tried to get into DOS with cmd and I couldn't get in there either.

I was able to get past that by running a repair with my XP cd that got me into DOS, so I renamed the batch file and created a new one... took the system back to the office - still no go. So I ran malwarebytes - nothing found, ran RegCure and it continually found items for several runs then finally came up all clear. So I tried typing in "regedit" in "run" and it will not come up. I see the file out there in windows\system32 but it cannot pull up the exe.

Ran hijack this, here is the log... I suspect I still have sometype of malicious issue here but I'm not techie enough to mess with the log... can you see anything wrong here?:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:25 AM, on 6/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\Toolbar\3.0.1125.0\msntask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Net Time.lnk = C:\WINDOWS\system32\net.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: http://www.in.honda.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.hn4w.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245696681249
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9B8B974-6254-4399-88C7-A91576A20ACF}: NameServer = 192.168.1.1
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6210 bytes

Thanks for the much appreciated assistance!


----------



## silliken (Jun 24, 2009)

I fixed it! (actually with the assistance of viewing another tech forum!)

I downloaded ComboFix from http://subs.geekstogo.com/ComboFix.exe and saved it to my desktop and ran it following these instructions:


*Close/disable all* anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
*Close* any* open windows*, including this one.
Double click on *ComboFix.exe *& follow the prompts.
As part of it's process, ComboFix will check to see if the *Microsoft Windows Recovery Console is installed*. With malware infections being as they are today, it's* strongly recommended *to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose *YES*.









Follow the prompts to *allow ComboFix to download and install the Microsoft Windows Recovery Console*, and when prompted, *agree* to the End-User License Agreement to install the Microsoft Windows Recovery Console.
***Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

*Note:*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:








Click on *Yes*, to continue scanning for malware. 
When finished, it will produce a report for you. Please post the contents of the log (*C:\ComboFix.txt*).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

*Note:* Please Do *NOT* mouseclick combofix's window while its running because it may call it to stall.

************
This fixed the issue! Thanks to those who viewed this. Now I'm not sure how to "close" this post...will read the directions! Thanks!


----------



## Squashman (Apr 4, 2003)

If you look up a bit, we have a specific category for HiJackThis logs.


----------

