Re: update: can't open regedit.exe
- From: Jose <jose_ease@xxxxxxxxx>
- Date: Mon, 11 May 2009 12:55:15 -0700 (PDT)
On May 11, 3:27 pm, "Tracy" <Tracy.bug...@xxxxxxxxxxxx> wrote:
hi jose,
i ran malwarebytes and it found several bad files, so i removed them and
rebooted as instructed by the software.
regedit still would not run.
per your email below, i did the following:
1. i tried to run regedt32 and nothing happened.
2. i made a copy of regedit and placed it on my desktop and named it
copy.exe
i left the original regedit.exe file where it was, untouched.
when i double-clicked on copy.exe, the registry editor opened. yippee!
3. in the registry, i went to this location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
in this folder, i do not have a drivers32 subkey, or do you mean the folder
drivers32
okay, this is where i think i got lost trying to do what you told me to
in what i call the drivers32 (yellow) folder, i see the following entry
name data
aux C:\DOCUME~1\Tracy\LOCALS~1\Temp\..\ygpeaky.xyx
am i supposed to delete the entry above?
i'm sorry, but i don't know how to fix the file so that it makes sense
no other entry in the drivers32 folder has anything close to what you said
to look for
i don't know how to post the registry export and i do not understand
anything in the last 5 paragraphs of your email, but i am very willing to
learn and do what you say.
let me know what i need to do next.
thank you so much
Tracy
* * * * * * * * * *
"Jose" <jose_e...@xxxxxxxxx> wrote in message
news:b872109f-5c1d-4fb7-864f-509729447915@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On May 11, 1:37 pm, "Tracy" <Tracy.bug...@xxxxxxxxxxxx> wrote:
hi jose,
ok, i will download and run malwarebytes right now and will report back
shortly.
a few minutes ago, i responded to your prior email.
thank you
Tracy
* * * * * * * * * *
"Jose" <jose_e...@xxxxxxxxx> wrote in message
news:d49bf263-1fd0-4ce1-9b5c-e0f2c035d4be@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On May 6, 7:20 pm, "Tracy" <Tracy.bug...@xxxxxxxxxxxx> wrote:
hello,
i have windows xp service pack 2 and can no longer run regedit.
i run it, the desktop goes blank for a few seconds and the taskbar
disappears. they come back, but the registry editor will not open.
the file regedit.exe is in the winnt folder, so i don't know what's
going on.
any help would be greatly appreciated.
thank you.
Tracy
* * * * * * * * * *
Try Malwarebytes free download, install, update, full scan.
I would still like to know the answers to my other questions since I
have seen this 3 times now and am zeroing in on a one response fix.
Good. In a way...
If regedit.exe and cmd will not work from Start, Run AND you have run
MBAM, read this and follow the instructions and report back:
I believe part of the effect of this problem is that regedit and cmd
won't run merely by their name alone. This is why COMMAND works.
Tricky malware.
I think that regedt32 might work, so try that just to see. Regedt32
uses regedit so it might not run but your result will be a clue. If
regedt32 works exit out of any registry edit program when you are done
testing. We'll stick with regedit.
Get into your c:\windows folder and make a copy of regedit.exe - call
it copy.exe or something you can remember. You can do all this file
manipulation through Windows Explorer or your newfound COMMAND window.
Using Start, Run, your copy.exe may not work just because regedit.exe
still exists, so if copy.exe doesn't work and behaves like regedit,
get rid of copy.exe and RENAME regedit.exe to copy.exe. Now,
regedit.exe does not exist, but copy.exe does. You will want to
replace your regedit.exe later, so make a note. The thing is we must
get into the registry somehow.
You should now be able to either run copy.exe or regedt32.exe to get
into the registry, but try copy.exe first since you are more familiar
with that look.
When you get into the registry, navigate to here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Highlight the Drivers32 sub-key and under File menu choose Export.
Name the file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files. You will get drivers32.reg in the place
you saved it.
Depending on your expertise, you may be able to spot the problem here
right away and fix it. Even if you do something wrong, you just
exported the key so you can always import the original if you need to
restore it to the original state.
Look for suspicious entries like this with the double backslashes and
the double dot (..) notations and references to files that do not
exist or make no sense. Maybe something like this:
"aux"="C:\\WINDOWS\\system32\\..\\jwmrus.yds"
These are the remnants of your trojan that your scan did not delete.
The scan may have deleted the file (you can't find it after a scan),
but not the registry entry. In the example above, "aux" should just
be "wdmaud.drv" but you may see other results.
Delete the entry or fix the data part so it makes sense. If I don't
see it I can't tell you how to change it, but deleting may be safe -
you have a backup, right?
If you can't spot the problem, then you need to post the registry
export results here.
I want to see the contents of that file which has your exported key.
If you double click it, it will just import it back into the registry
(like it should with the .reg extension). It won't make any
duplicates, it will just overwrite what is there already. Even if you
call it drivers32.txt, if you double click it to open the .txt file,
it will import it into the registry just because the contents look
like registry stuff.
So, right click the file, choose Open With and use notepad or wordpad
to open the file. There should not be a whole lot in the file.
In the editor, type Ctrl A to select all, Ctrl C to copy and then post
back here and type Ctrl V to paste the results here for more help.
Yeah - you found the bogus entry. That file name makes no sense -
ygpeaky.xyx. The drivers32 folder is right. Are there any other
entries that look similar?
I would have to research (and I will) more about that "aux" entry
because sometimes I have seen an aux and an aux2.
I don't have an aux on my system at all, but have seen some, so it
depends on what is installed.
So first, change it to wdmaud.drv (no path) and try that. Double
click the aux key and change the value to wdmaud.drv and click OK to
save it. Then exit regedit (or copy.exe).
Hmmm... I will work on my instructions that are not clear to you, but
so far you are doing a good job!
When you are done, be sure to copy/rename copy.exe back to
regedit.exe.
Please report your results.
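
Added example, not part of the original post and not Jose's code: the by-eye check described above (Drivers32 data that carries a path, a `..` component or a file name that makes no sense) applied to an exported drivers32.reg. The sample export is constructed from the two values quoted in the thread; the extension list and the rule that data should be a bare file name are assumptions, so a hit means "review this entry", not "this is malicious".

```python
import re

# Constructed sample export; the aux/aux2 data are the two values quoted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"msacm.imaadpcm"="imaadp32.acm"
"aux"="C:\\DOCUME~1\\Tracy\\LOCALS~1\\Temp\\..\\ygpeaky.xyx"
"aux2"="C:\\WINDOWS\\system32\\..\\jwmrus.yds"
'''

DRIVERS32 = r"hkey_local_machine\software\microsoft\windows nt\currentversion\drivers32"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
KNOWN_EXT = (".drv", ".dll", ".acm", ".ax")  # assumption: adjust to what is installed

def decode_reg_bytes(raw):
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252")

def unescape(s):
    """Undo .reg string escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)

def audit_drivers32(text):
    """Return [(name, data, reasons)] for Drivers32 string values worth reviewing."""
    findings, in_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == DRIVERS32
            continue
        m = VALUE_RE.match(line) if in_key else None
        if not m:  # other keys, blank lines, dword:/hex: values are skipped
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        parts = re.split(r"[\\/]", data)
        checks = [
            (".." in parts, "parent-directory (..) component"),
            (len(parts) > 1, "path instead of a bare file name"),
            (any(p.lower() in ("temp", "tmp") for p in parts), "points into a Temp directory"),
            (not data.lower().endswith(KNOWN_EXT), "unusual extension"),
        ]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

To check a real export, read the file in binary mode and pass `decode_reg_bytes(raw)` to `audit_drivers32`.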