Ok, this is what I'd like you to do.
Do a search for another copy of regedit.exe--there should be another copy in system32\dllcache.
Please note that the proper file size for regedit.exe is 134,144.
If found, rename C:\windows\regedit.exe to regedit.old
Wait about 5 seconds & then refresh to see if windows regenerated a fresh copy.
If not, simply copy regedit.exe over from the dllcache
------------------------------------
In the event the dllcache is also infected, delete both copies and invoke Windows File Protection:
Go to the Run box on the Start Menu and type in or copy/paste
sfc /scannow (there is a space between sfc and /)
This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. If any problems are found, you will be prompted to insert the Windows XP install disc, so have it handy.
------------------------------------
Download and run Blacklight.
Start the program and accept the license. Note that you must have local administrative privileges to run the program.
Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.
When it finishes, click Next. Then click on Close.
BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log along with a new HijackThis log.
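The size check on the two regedit.exe copies described above, as an added read-only example that is not part of the original post. It goes one step beyond the post by also comparing the SHA-256 of the two copies, since a modified file can keep the original size. Assumptions: default Windows XP paths, PowerShell 2.0 or later installed; the function and parameter names are made up for this example.

```powershell
# Added example (read-only): reports on both regedit.exe copies; changes nothing.
# Assumptions: default Windows XP paths; PowerShell 2.0 or later is installed.
param(
    [string]$Primary    = "$env:windir\regedit.exe",
    [string]$Cache      = "$env:windir\system32\dllcache\regedit.exe",
    [long]$ExpectedSize = 134144    # file size given in the post
)

function Get-CopyInfo([string]$Path) {
    # Returns size and SHA-256 of one copy, or $null if the file is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path -Force    # dllcache is a hidden folder
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $fs   = [System.IO.File]::OpenRead($item.FullName)
    try     { $hash = [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
    New-Object PSObject -Property @{ Path = $item.FullName; Size = $item.Length; SHA256 = $hash }
}

function Get-Verdict($PrimaryInfo, $CacheInfo, [long]$Expected) {
    # Maps the post's decision steps onto the two measurements.
    $primaryOk = ($PrimaryInfo -ne $null) -and ($PrimaryInfo.Size -eq $Expected)
    $cacheOk   = ($CacheInfo -ne $null)   -and ($CacheInfo.Size -eq $Expected)
    if ($primaryOk -and $cacheOk) {
        if ($PrimaryInfo.SHA256 -eq $CacheInfo.SHA256) {
            return 'Both copies have the expected size and identical contents; this check found no mismatch.'
        }
        # Added case, not in the post: equal size but different bytes.
        return 'Same size, different contents: treat both copies as suspect and run sfc /scannow.'
    }
    if ($cacheOk) {
        return 'Only the dllcache copy has the expected size: rename the primary to regedit.old, then restore from dllcache.'
    }
    return 'dllcache copy is missing or the wrong size: do not restore from it; run sfc /scannow.'
}

$primaryInfo = Get-CopyInfo $Primary
$cacheInfo   = Get-CopyInfo $Cache
$primaryInfo, $cacheInfo | Where-Object { $_ } | Format-List Path, Size, SHA256 | Out-String
Get-Verdict $primaryInfo $cacheInfo $ExpectedSize
```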