windows cannot find c:\Windows\regedit.exe

By vanbinh.nguyen
Previously my PC was infected with a virus.
Now the virus has been cleaned by Symantec Antivirus, but I still cannot open the Registry.
When I try to open the Registry by Start->Run->regedit, an error message displays: "windows cannot find c:\windows\regedit.exe. Make sure you typed the name correctly, and then try again. To search for a file, click Start button and click Search".
Opening regedit.exe from the c:\windows folder or from the Command Prompt gives the same problem.
Repairing the OS and the "Sfc /Scannow" command cannot solve the problem.
Please help me open the registry.


All Answers


You may still be infected

by Jacky Howe In reply to windows cannot find c:\Wi ...

http://support.microsoft.com/kb/311446

Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers.

If you can't access the internet to update MBAM try the instructions below to clear a path to the internet to be able to run MBAM. You can also download the updates for MBAM and run them from the USB.

From another System download and install Spybot, update it and copy the installed folders to a USB Stick. Copy MBAM and the Update as well.

Removing malware from System Restore points
To remove the malware, you must first disable System Restore, then scan the system with up-to-date antivirus software - allowing it to clean, delete, or quarantine any viruses found. After the system has been disinfected, you may then re-enable System Restore. The steps for disabling System Restore vary, depending on whether the default Start Menu or the Classic Start Menu is being used.

Default Start Menu XP
If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".

Classic Start Menu XP
If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".

Vista
Start, right mouse click Computer and select Properties. Select Advanced System Properties, click continue and then System Protection. Untick the box next to Local Disk C: and click on Turn System Restore off.


After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

Once you have restarted the Infected System in Safe Mode, navigate to the USB stick and run Spybot.

Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

Download Malwarebytes Anti-Malware, install it and update it.

Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
mbam-rules: http://malwarebytes.gt500.org/mbam-rules.exe

I would keep scanning with it until it is clean by closing out and rebooting and running it again.

Run this Rootkit Revealer GMer
Gmer: http://www.gmer.net/index.php

FAQ: http://www.gmer.net/faq.php

Tip! If you want to write protect the USB drive/stick while you are working on an infected System.
In the recent release of Windows XP Service Pack 2 (SP2), a new feature was added by Microsoft to allow the write protection of USB block storage devices. This entails a simple Registry modification that requires no hardware devices to write protect thumb drives.

If the USB drive has no small switch for write protection you can turn it on through the Registry via Command Line.

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f

and one to turn it off but a System restart is required. Place the Batch file on the USB to turn it off.

reg delete HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies /f


If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

Command line removal or create Batch files.

Click Start Run and type cmd and then press Enter.

Execute the following commands in the command line in order to activate the registry editor and Task Manager:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /f

With the new strains of Virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe. Do the same with Spybot.


A couple of checks

by Jacky Howe In reply to You may still be infected

Can you access the registry by renaming regedit to reggy.exe and see if you have access.

If you can access the Registry navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Now look for a Key named regedit.exe. Delete the Key.


Copy and paste this line into the run box and press Enter.

cmd /k reg query hkcr\exefile\shell /s > C:\shell.txt

It should resemble this structure below.

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\shell

HKEY_CLASSES_ROOT\exefile\shell\open
EditFlags REG_BINARY 00000000

HKEY_CLASSES_ROOT\exefile\shell\open\command
<NO NAME> REG_SZ "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\runas

HKEY_CLASSES_ROOT\exefile\shell\runas\command
<NO NAME> REG_SZ "%1" %*

If there are other references in there have a look at the sircam link that I provided in my first post.
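
The checks from the two posts above, automated as an added example that is not code from the thread: it parses saved `reg query` output (such as C:\shell.txt) and reports an exefile command other than `"%1" %*`, an Image File Execution Options key for regedit.exe, or a set DisableRegistryTools/DisableTaskMgr policy. The function names and the sample data are assumptions constructed for illustration.

```python
import re
import sys

EXPECTED = '"%1" %*'  # default exefile open/runas command shown in the post
# name, type, data; REG.EXE 3.0 prints <NO NAME>, later versions (Default)
VALUE_RE = re.compile(r'^\s*(.+?)\s+(REG_[A-Z_]+)\s*(.*)$')

def parse_reg_query(text):
    """Parse `reg query ... /s` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) in ("<NO NAME>", "(Default)") else m.group(1)
            current[name] = m.group(3).strip()
    return keys

def findings(keys):
    """Return (key, reason) pairs for the settings checked in the thread."""
    out = []
    for path, values in keys.items():
        low = path.lower()
        if low.startswith("hkey_classes_root\\exefile\\shell") and low.endswith("\\command"):
            if values.get("") != EXPECTED:
                out.append((path, "unexpected exefile command: %r" % values.get("")))
        elif low.endswith("\\image file execution options\\regedit.exe"):
            out.append((path, "IFEO key exists, Debugger=%r" % values.get("Debugger")))
        elif low.endswith("\\policies\\system"):
            for name in ("DisableRegistryTools", "DisableTaskMgr"):
                if int(values.get(name, "0x0"), 16) != 0:
                    out.append((path, name + " is set"))
    return out

# Constructed sample (not output from the thread); file names are placeholders.
SAMPLE = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>    REG_SZ    "C:\example\placeholder.exe" "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\runas\command
    <NO NAME>    REG_SZ    "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
    Debugger    REG_SZ    placeholder.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for path, reason in findings(parse_reg_query(text)):
        print(path, "->", reason)
```

Pass the path of a saved `reg query` output file as the first argument; with no argument the constructed sample is used.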


renaming Regedit.exe or copying regedt32.exe works well

by vanbinh.nguyen In reply to A couple of checks

Thanks for your solutions, Jacky.
Renaming regedit.exe to reggy.exe or copying regedt32.exe from another PC works well. Now I can open the registry.
The "cmd /k reg query hkcr\exefile\shell /s > C:\shell.txt" command didn't display anything. But I just want to open the registry.

Thanks


LOL

by Jacky Howe In reply to renaming Regedit.exe or c ...

Have a look for C:\shell.txt and open it in Notepad. Let me know if you don't understand something as I know that English isn't your first language.

Rob


cannot find c:\shell.txt

by vanbinh.nguyen In reply to LOL

I have already shown "hidden files & folders" and "protected operating system files".
But there is no shell.txt file in C:.
As far as I know, the file does not exist.


OK

by Jacky Howe In reply to cannot find c:\shell.t ...

Click Start, Run and then type cmd and press Enter.

At the command prompt type: reg query hkcr\exefile\shell /s > C:\shell.txt

and press Enter.

Let us know if it works as it should.


It still does not work

by vanbinh.nguyen In reply to OK

I have just tried that command on many PCs.
But it didn't work. Is there anything wrong here, Jacky? I haven't ever seen the shell.txt file in C:.


RE: not working

by Jacky Howe In reply to LOL

Can you get to a command prompt and type reg /? and see what happens? Let us know the error message if there is one.


Question

by BFilmFan In reply to windows cannot find c:\Wi ...

Did you perform an in-place reinstallation of Windows?


I repaired Windows only (upgrade installation)

by vanbinh.nguyen In reply to Question

I repaired Windows only, I didn't reinstall Windows newly.
