hi jose,
i ran Malwarebytes and it found several bad files, so i removed them and
rebooted as instructed by the software.
regedit still would not run.
per your email below, i did the following:
1. i tried to run regedt32 and nothing happened.
2. i made a copy of regedit and placed it on my desktop and named it
copy.exe
i left the original regedit.exe file where it was, untouched.
when i double-clicked on copy.exe, the registry editor opened. yippee!
3. in the registry, i went to this location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
in this folder, i do not have a drivers32 subkey, or do you mean the folder
drivers32?
okay, this is where i think i got lost trying to do what you told me to
in what i call the drivers32 (yellow) folder, i see the following entry
name data
aux C:\DOCUME~1\Tracy\LOCALS~1\Temp\..\ygpeaky.xyx
am i supposed to delete the entry above?
i'm sorry, but i don't know how to fix the file so that it makes sense
no other entry in the drivers32 folder has anything close to what you said
to look for
i don't know how to post the registry export and i do not understand
anything in the last 5 paragraphs of your email, but i am very willing to
learn and do what you say.
let me know what i need to do next.
thank you so much
Tracy
* * * * * * * * * *
hi jose,
ok, i will download and run Malwarebytes right now and will report back
shortly.
a few minutes ago, i responded to your prior email.
thank you
Tracy
* * * * * * * * * *
Try Malwarebytes free download, install, update, full scan.
I would still like to know the answers to my other questions since I
have seen this 3 times now and am zeroing in on a one-response fix.
Good. In a way...
If regedit.exe and cmd will not work from Start, Run AND you have run
MBAM, read this and follow the instructions and report back:
I believe part of the effect of this problem is that regedit and cmd
won't run merely by their name alone. This is why COMMAND works.
Tricky malware.
I think that regedt32 might work, so try that just to see. Regedt32
uses regedit so it might not run but your result will be a clue. If
regedt32 works exit out of any registry edit program when you are done
testing. We'll stick with regedit.
Get into your c:\windows folder and make a copy of regedit.exe - call
it copy.exe or something you can remember. You can do all this file
manipulation through Windows Explorer or your newfound COMMAND window.
Using Start, Run, your copy.exe may not work just because regedit.exe
still exists, so if copy.exe doesn't work and behaves like regedit,
get rid of copy.exe and RENAME regedit.exe to copy.exe. Now,
regedit.exe does not exist, but copy.exe does. You will want to
restore your regedit.exe later, so make a note. The thing is we must
get into the registry somehow.
You should now be able to either run copy.exe or regedt32.exe to get
into the registry, but try copy.exe first since you are more familiar
with that look.
When you get into the registry, navigate to here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Highlight the Drivers32 sub-key and under File menu choose Export.
Name the file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files. You will get drivers32.reg in the place
you saved it.
Depending on your expertise, you may be able to spot the problem here
right away and fix it. Even if you do something wrong, you just
exported the key so you can always import the original if you need to
restore it to the original state.
Look for suspicious entries like this with the double backslashes and
the double dot (..) notation and references to files that do not
exist or make no sense. Maybe something like this:
"aux"="C:\\WINDOWS\\system32\\..\\jwmrus.yds"
These are the remnants of your trojan that your scan did not delete.
The scan may have deleted the file (you can't find it after a scan),
but not the registry entry. In the example above, "aux" should just
be "wdmaud.drv" but you may see other results.
Delete the entry or fix the data part so it makes sense. If I don't
see it I can't tell you how to change it, but deleting may be safe -
you have a backup, right?
If you can't spot the problem, then you need to post the registry
export results here.
I want to see the contents of that file which has your exported key.
If you double click it, it will just import it back into the registry
(like it should with the .reg extension). It won't make any
duplicates, it will just overwrite what is there already. Even if you
call it drivers32.txt, if you double click it to open the .txt file,
it will import it into the registry just because the contents look
like registry stuff.
So, right click the file, choose Open With and use notepad or wordpad
to open the file. There should not be a whole lot in the file.
In the editor, type Ctrl A to select all, Ctrl C to copy and then post
back here and type Ctrl V to paste the results here for more help.
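As an added example, not Jose's or Tracy's own code, this Python check reads the text of an exported Drivers32 key and flags values with a ".." segment, directory components, an unusual extension, or an "aux" value other than the wdmaud.drv Jose describes. The sample export, the extension list and the file name jwmrus.yds are constructed for illustration.

```python
import re

# Constructed sample export (not Tracy's actual file). "aux" mirrors the
# malicious pattern described above; the other entries are typical clean ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\jwmrus.yds"
"midi"="wdmaud.drv"
"wave"="wdmaud.drv"
"vidc.cvid"="iccvid.dll"
'''

# Value "aux" should hold on a clean machine, per the thread above.
EXPECTED = {"aux": "wdmaud.drv"}

# Extensions normally seen in Drivers32 (assumption; extend as needed).
NORMAL_EXT = {".drv", ".acm", ".dll", ".ax"}

# Matches one  "name"="data"  line; data may contain escaped characters.
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg(text):
    """Return {name: data} for string values, collapsing doubled backslashes."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def audit_drivers32(entries):
    """Map each suspicious value name to the list of reasons it was flagged."""
    findings = {}
    for name, data in entries.items():
        reasons = []
        parts = data.split("\\")
        fname = parts[-1]
        ext = fname[fname.rfind("."):].lower() if "." in fname else ""
        if ".." in parts:
            reasons.append("contains a '..' path segment")
        if len(parts) > 1:
            reasons.append("has directory components; clean entries are bare file names")
        if ext not in NORMAL_EXT:
            reasons.append(f"unusual extension {ext or '(none)'}")
        if name in EXPECTED and data.lower() != EXPECTED[name]:
            reasons.append(f"expected {EXPECTED[name]}")
        if reasons:
            findings[name] = reasons
    return findings
```

Paste the contents of the exported drivers32.reg in place of SAMPLE_REG and print audit_drivers32(parse_reg(...)) to see which names need a closer look.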