
Thread: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

  1. #1
    tekncl_kwestyn Guest

    What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    Eh?
    I just uninstalled:
    WinPatrol
    Spybot Search and Destroy
    Adaware
    SpyBlaster
    I got a message during the uninstall of WinPatrol that parts of it could not be uninstalled and that I'd need to manually remove them. So I ran CCleaner, and then went hunting for WinPatrol in the programs folder...
    While I was in there poking around for it, I got this message that two files needed to run Windows properly had been replaced with unrecognized versions, and would I stick the XP SP2 disk in?.... I didn't have it so I left them at an unrecognized version. Soon after, ZA pops up with this message saying that these trojans had shown up, and then quarantined them... Looks for all the world like these are the registry.exe files...
    I can't get into the registry editor anymore, and supposedly when I rebooted, these files were deleted. But they show being quarantined now.
    What do I do now?



    Operating System: Windows XP Pro
    Software Version: 7.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    pmarshall Guest

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    I just had a very similar thing happen. I got the "Windows File Protection" message "Files that are required for Windows to run properly have been replaced by unrecognized version. To maintain system stability, Windows must restore the original version of these files. Insert your Windows XP Professional Service Pack 2 CD now." This popped up while ZoneAlarm was scanning for viruses. I checked out the scan results and it showed that both C:\WINDOWS\regedit.exe and C:\WINDOWS\system32\dllcache\regedit.exe were infected with Trojan.Win32.Pakes.x3 and that both had been quarantined. But a quick search showed that no regedit.exe or even regedit.exe.zl6 or regedit.zl6 (I'm not sure which way ZoneAlarm does it) existed on my hard drive. It looks like ZoneAlarm deleted regedit.exe rather than putting it into quarantine. I think this action by ZoneAlarm is why I got the "Windows File Protection" message. I don't have a Windows XP sp2 CD, just the original version without sp2. I went ahead and put that in and Windows copied regedit.exe back to the C:\WINDOWS\ and the C:\WINDOWS\system32\dllcache\ folders. This all smelled fishy to me...like the latest update to ZoneAlarm might have had a false positive (not unheard of from ZoneAlarm) against something in regedit.exe, so I ran virus scan again, expecting ZoneAlarm to implicate regedit.exe as a virus vector again. But everything came up clean. So maybe a virus really did get in and insert a contaminated version of regedit.exe. Is it really gone now...?

  3. #3
    tekncl_kwestyn Guest

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    Yep, sounds like you've got the exact same problem... Except you were more graceful than I was.
    Is it gone now?
    More importantly, was it really an infection? Or just a false positive, and now I'm screwed...
    I can't back up and let Windows replace those files now....
    I can choose "restore" from quarantine, but then what happened to cause them to be "replaced" with unrecognized versions of the file in the first place? I'm wondering if the registry got changed when I uninstalled WinPatrol, and ZA decided to flag it?
    Not having a good time with ZA so far....
    Not having a good time with ZA so far....

    Message Edited by Tekncl-Kwestyn on 06-29-2007 05:52 PM

  4. #4
    jschodde Guest

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    I got it today too. I'm running a full scan and so far every copy of regedit has been quarantined. **bleep**?

  5. #5
    gesingle Guest

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    Tekncl-Kwestyn wrote:
    > Eh? I just uninstalled: WinPatrol, Spybot Search and Destroy, Adaware, SpyBlaster. I got a message during the uninstall of WinPatrol that parts of it could not be uninstalled and that I'd need to manually remove them. So I ran CCleaner, and then went hunting for WinPatrol in the programs folder... While I was in there poking around for it, I got this message that two files needed to run Windows properly had been replaced with unrecognized versions, and would I stick the XP SP2 disk in?.... I didn't have it so I left them at an unrecognized version. Soon after, ZA pops up with this message saying that these trojans had shown up, and then quarantined them... Looks for all the world like these are the registry.exe files... I can't get into the registry editor anymore, and supposedly when I rebooted, these files were deleted. But they show being quarantined now. What do I do now?
    >
    > Operating System: Windows XP Pro
    > Software Version: 7.0
    > Product Name: ZoneAlarm Internet Security Suite

    I'm having the same problem. I am midway through a clean rebuild of my XP-SP2 system on a new hard drive, installing trusted applications that I have used for months and years, and have done no risky surfing or downloads since the rebuild began. ZoneAlarm has been freshly re-installed and updated. Anyway, I launched regedit and got the same messages as you did. After that, regedit.exe was no longer in the c:\windows folder. I copied regedit from the old drive image back to the c: drive and tried again. Again, ZA quarantined it. I did a ZA virus scan and ZA also quarantined c:\windows\ServicePackFiles\i386\regedit.exe and several c:\System Volume Information\_restore...exe files. All were identified as Trojan.Win32.Pakes.x3 infections. I suspect this is a false positive, but am not willing to override the quarantine until I know for sure. If it is a false positive, I expect there will be a later update to fix the problem and permit the files to be restored.
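
One way to check the false-positive suspicion raised in the posts above is to compare every flagged copy of regedit.exe against a copy taken from trusted install media. This is an added example, not part of any post in this thread; the function names and the reference path `D:\scratch\regedit.exe` are assumptions, while the three flagged paths are the ones named by posters.

```python
import hashlib

# Locations named in this thread where copies of regedit.exe were flagged.
FLAGGED_PATHS = [
    r"C:\WINDOWS\regedit.exe",
    r"C:\WINDOWS\system32\dllcache\regedit.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\regedit.exe",
]

def sha256_of(path, chunk=65536):
    """Hash a file in chunks; return None if it is missing (e.g. quarantined)."""
    try:
        with open(path, "rb") as fh:
            digest = hashlib.sha256()
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
            return digest.hexdigest()
    except FileNotFoundError:
        return None

def triage_copies(reference, candidates):
    """Compare each candidate with a copy taken from trusted media.

    Returns {path: "matches-reference" | "differs" | "missing"}.
    """
    ref_hash = sha256_of(reference)
    if ref_hash is None:
        raise FileNotFoundError("reference copy not found: " + reference)
    result = {}
    for path in candidates:
        file_hash = sha256_of(path)
        if file_hash is None:
            result[path] = "missing"
        elif file_hash == ref_hash:
            result[path] = "matches-reference"
        else:
            result[path] = "differs"
    return result

if __name__ == "__main__":
    # Hypothetical reference: regedit.exe expanded from the install CD
    # into a scratch folder on another drive.
    reference = r"D:\scratch\regedit.exe"
    for path, status in triage_copies(reference, FLAGGED_PATHS).items():
        print(f"{status:18} {path}")
```

A copy that is byte-identical to the media copy and is still flagged is consistent with a false positive. A copy that differs is not proof of tampering, because the reference has to come from the same service pack level as the installed system.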

  6. #6
    tekncl_kwestyn Guest

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    I got an email from a ZA technician who tells me that it is probably indeed a Trojan. Don't know how it got in, but seems it did. Maybe when I uninstalled one of my antispyware programs it got let loose?
    I bet we'll hear more about it pretty quick, though.
    Don't restore it, keep it quarantined.
    If you get the message to replace the infected ones with the original ones, then by all means get your Windows disk out like the 1st responder did, and avoid the mayhem.
    If you need to get into the Registry editor, I think you can get into one using regedit32.exe under Windows\System32. At least that's what the tech tells me..
    Good luck with this!
    If you find out how to re-create the original regedit files then let me know!
    I'll be looking for ways to get it back without re-infecting my system, and if I find it I'll post back here. (Can't find a thing on Microsoft's Knowledge Base.)

  7. #7

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    Check out the two posts in this thread HERE. Looks like a F/P

  8. #8
    morey Guest

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    To revitalize your System Restore files, disable System Restore.
    Wait about 10 minutes while it deletes all your old files.
    Then reboot.
    Then reinitialize System Restore again.
    All the new System Restore files will be good.
    To see the original thread go to:
    http://forums.zonealarm.com/zonelabs...essage.id=2275



    Message Edited by morey on 06-29-2007 07:19 PM

  9. #9
    solo_voyager Guest

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    I also got the: "Files that are required for Windows to run properly have been replaced by unrecognized version. To maintain system stability, Windows must restore the original version of these files. Insert your Windows XP Professional Service Pack 2 CD now." I inserted the installation disc and the regedit.exe files were restored. The ones that were quarantined are still there. I do have Regedit back and functional. I've done another update for ZA. Then, another scan. It left the new regedit.exe files in place. This could be a false positive. But, I'm sure I've heard of some type of malware a few weeks ago that hides itself as the regedit.exe files. I wouldn't bet money on it. But it does sound familiar. If you don't get the missing/unrecognized file notice, try running System File Checker. It may be a way to restore the files. Good luck

  10. #10
    willdarian Guest

    Re: What the heck... Trojan.win32.pakes.x3 path C:\Windows\regedit.exe

    I am not at the technical level of the others posting here so please bear with me. Yesterday Zone Alarm told me my computer had become infected with Trojan.win32.pakes.x3 and could not remove it. It said to do so manually.
    I tried many things and in the process found my registry locked. In desperation I ran Spybot and Trojanhunter and Trojanhunter said it found and removed the infected file from the CDS folder (DVD player I think). Then I reran ZoneAlarm virus checker which then said it found 2 more instances of the virus which it was able to quarantine. However I really do not know if I have been able to remove this trojan fully from my system and so far my registry is still locked and unable to be updated either by using Advanced System Optimizer or Regedit and when I run Regedit from the msconfig window it says file does not exist. Tried 'scannow' as suggested and it said: the files required for windows to run properly must be copied to DLL cache; I have no clue what files or where the cache is. And putting in the OS CD just came back with the error wrong CD even though it was the one that came with the computer...

    Any ideas on how to:
    1. find out for sure if the trojan is gone
    2. find out what files to replace
    3. get my registry really back
    4. how to better stop this happening in the future
    Thanks, Will.
