I have two regedit files!

8 replies to this topic

#1 Karamel_Kreme13

    Member

  • New Member
  • 4 posts

Posted 01 June 2004 - 05:27 PM

I don't know much about programming languages; however, when I noticed that I had two copies of "regedit.exe" on my computer, I knew something was strange. I went to cnet.com and downloaded WinHex. I had it compare the two files and they are different. I don't know which one to keep and which one to delete. Can someone help me?

#2 sights0d

    Member

  • Full Member
  • 57 posts

Posted 02 June 2004 - 12:07 PM

Hmm... Never heard of this. I'd wait a few days and then go check to see which one has been accessed most recently. That should be the keeper. Is it doing anything strange aside from that?

#3 Trilobite

    Malware Hunter

  • Trusted Advisor
  • 711 posts

Posted 02 June 2004 - 01:41 PM

@Karamel_Kreme13

Do not delete these files yet!!!

It is not uncommon to have more than one legitimate copy of regedit.exe on a single computer. However, certain viruses can overwrite regedit.exe.

Have you scanned these files (or your entire system) with an up-to-date virus scanner?

What is the location of these two files?

What are the sizes of these two files?

What are the versions of these two files?

What version of Windows are you running?

Edited by Trilobite, 02 June 2004 - 02:09 PM.


#4 Karamel_Kreme13

    Member

  • New Member
  • 4 posts

Posted 02 June 2004 - 08:14 PM

Virus scans came back negative.
Adware came back negative.
Spybot came back negative.
Firewall is coming back positive for halted connections attempting to go out through various ports.

One copy of regedit.exe is in C:\, the other in C:\windows.
I'm running Windows 98.

The one in C:\ is 103 KB, 105,984 bytes, 114,688 bytes used.
Created: unknown
Modified: Saturday, August 24, 1996, 11:11:10 AM
Accessed: today

The one in C:\windows is 116 KB, 118,784 bytes, 131,072 bytes used.
Created: unknown
Modified: Friday, April 23, 1999, 10:22:00 PM
Accessed: today

#5 Trilobite

    Malware Hunter

  • Trusted Advisor
  • 711 posts

Posted 02 June 2004 - 10:28 PM

For Windows 98 second edition:
Regedit.exe should be version 4.10.0.1998, size 118,784 bytes and reside in the Windows directory (i.e.: C:\Windows)
The modified date of April 23, 1999 10:22:00 pm also looks correct for Windows 98se.

The regedit.exe in your C:\ directory appears to be from Windows 95 version B.
The properties of Win95B regedit.exe from one of my old backups reads:
Version: 4.0.0.1111
Size: 103 KB (105,984 bytes)
Created: Saturday, August 24, 1996, 11:11:10 AM

I am unsure as to how a Windows 95 regedit executable ended up on the root directory of your hard disk. Did you perform an upgrade install of Windows 98 over Windows 95?

Anyway, the C:\Windows\regedit.exe appears to be the correct file and location for your operating system. It is probably safe to delete C:\regedit.exe, however I would recommend that you rename C:\regedit.exe to something like C:\regedit.OLD (it is easier to recover this way if something goes wrong). Then run the computer normally for a few days to see if there are any ill effects. If after a few days there are no further problems, then I would say it is safe to delete C:\regedit.exe (C:\regedit.OLD).

"Firewall is coming back positive for halted connections attempting to go out through various ports."

This could be an indication of a more serious problem. Download HijackThis. Run HijackThis (do not fix anything yet) and post the log here.

Edited by Trilobite, 02 June 2004 - 10:48 PM.

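Trilobite's check above (expected size, version and directory for each Windows release) written out as a small script. This is an added example, not anything posted in the thread: the size-to-release table is taken from the post, the version string is what the file's Properties sheet should show, and the two filler files are constructed stand-ins for the poster's disk.

```python
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path

# regedit.exe size and version by release, as stated in the thread above.
KNOWN_REGEDIT = {
    118_784: ("Windows 98 SE", "4.10.0.1998"),
    105_984: ("Windows 95 B", "4.0.0.1111"),
}

def file_facts(path):
    """Collect what a helper asks for: location, size, modified time and a hash."""
    p = Path(path)
    st = p.stat()
    return {"path": str(p), "size": st.st_size,
            "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}

def classify(facts, windows_dir):
    """Say whether a copy matches a known release and sits in the Windows directory."""
    known = KNOWN_REGEDIT.get(facts["size"])
    if known is None:
        return "unknown size: compare against a trusted copy before keeping it"
    release, version = known
    in_place = Path(facts["path"]).resolve().parent == Path(windows_dir).resolve()
    if in_place:
        return f"size matches {release} ({version}) and location is correct"
    return f"size matches {release} ({version}) but lies outside {windows_dir}: rename, do not delete"

def audit(root, windows_dir, name="regedit.exe"):
    """Return {path: verdict} for every file called `name` under root."""
    copies = [file_facts(p) for p in Path(root).rglob("*")
              if p.is_file() and p.name.lower() == name]
    return {f["path"]: classify(f, windows_dir) for f in copies}

def run_sample():
    """Constructed stand-in for the poster's disk: two filler files with the thread's sizes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "windows").mkdir()
        (root / "regedit.exe").write_bytes(b"\0" * 105_984)              # stray, Win95B-sized
        (root / "windows" / "regedit.exe").write_bytes(b"\0" * 118_784)  # Win98SE-sized
        verdicts = audit(root, root / "windows")
        return {Path(p).relative_to(root).as_posix(): v for p, v in verdicts.items()}

if __name__ == "__main__":
    for path, verdict in run_sample().items():
        print(path, "->", verdict)
```

On a real disk, call audit() with the drive root and the actual Windows directory; the size match only narrows things down, so the version and hash still need checking against a copy you trust.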

#6 Karamel_Kreme13

    Member

  • New Member
  • 4 posts

Posted 04 June 2004 - 12:37 AM

Here is the HijackThis log...


Logfile of HijackThis v1.97.7
Scan saved at 12:36:21 AM, on 6/4/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PRICEDOUT\MIRC.EXE
C:\PROGRAM FILES\TROJAN REMOVER\JJPF2E2.EXE
C:\PROGRAM FILES\TROJAN REMOVER\JJPF2E2.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [PersFw] "C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8117.3383101852
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...363/mcfscan.cab

#7 Trilobite

    Malware Hunter

  • Trusted Advisor
  • 711 posts

Posted 04 June 2004 - 04:16 PM

Since your virus/adware/spyware scans do not show any infection on your system, the firewall halting outgoing connections is probably nothing to worry about. But, it never hurts to check to see if there is a nasty program hiding in there. :evilgrin:

I asked the Helpers, Moderators, Experts, etc. in this forum to check your log (I am presently not too skilled in reading HJT logfiles), and according to the very helpful ‘expert’ nellie2, your log appears to be clean of spyware, Trojans and other crudware. :bounce: :bounce: :bounce:

There are many non-trojan and non-spyware programs that will attempt to connect to the internet. If your firewall is configured to only allow the outgoing connections from programs that you specify (which it should be), then when any other program tries to connect to the internet it will show up as a halted outgoing connection.

#8 Karamel_Kreme13

    Member

  • New Member
  • 4 posts

Posted 05 June 2004 - 12:05 AM

Okay, I have been going through the computer folders file by file and came across some strange stuff. In your opinion, should I delete it?

c:\windows\system\Adsinsoftv3.ocx
c:\windows\system\buyb12.dll
c:\windows\system\buyb12ax.ocx
c:\windows\system\buyb12ex.dll
c:\windows\system\dllhost.exe (27,576 bytes) 32,768 bytes used
c:\windows\system\dsssig.exe
c:\windows\system\dshowvblib.tlb
c:\windows\system\keyex32.exe (90,112 bytes) 98,304 bytes used

#9 Trilobite

    Malware Hunter

  • Trusted Advisor
  • 711 posts

Posted 05 June 2004 - 10:07 AM

NO!
If you delete these files, several of your programs may stop working and Windows may fail to boot. :gah:

Adsinsoftv3.ocx might be part of AdsInSoft APicViewer?
buyb12.dll is part of the J River Media Jukebox program
buyb12ax.ocx is part of the J River Media Jukebox program
buyb12ex.dll is part of the J River Media Jukebox program
dllhost.exe is an integral part of Microsoft Windows
dsssig.exe is an integral part of Microsoft's Internet explorer
dshowvblib.tlb is part of DirectShow
keyex32.exe is part of Microsoft Windows/Microsoft Office

It is generally NOT a good idea to search around your computer trying to find unfamiliar files to delete, particularly in the c:\windows\system\ directory. You could seriously damage Windows and other installed programs by deleting unfamiliar or apparently unused files. If you want to remove installed software and its components, you should use ‘Add/Remove Programs’ under the Control Panel in Windows.
