

Regedit disabled

Posted on 2006-06-09
Medium Priority
Last Modified: 2007-12-19
I believe I have the cashdeluxe spyware on my machine. Not sure if this is related, but when I go to run-regedit, the registry editor opens and is enabled for about 2 seconds and then gets disabled so I can't edit it. Any ideas on how to enable it? I've tried going through policies-user-administrative-system, but I can't change anything for the edit registry option.
Question by:msanzenb
LVL 23

Expert Comment

ID: 16874016
boot into 'safe mode' and do it from there
LVL 15

Expert Comment

ID: 16874128
what is the message that is displayed when it gets disabled?
LVL 47

Expert Comment

ID: 16874485
Most likely you have this file in your system or system32 folder --> regedit.com
Find and delete that (showing hidden files and folders first if needed).

If it is caused by a virus then it also has other files there, can we look at your hijackthis log please? Hijackthis log should show us the culprit.

Please download HijackThis 1.99.1
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
LVL 47

Expert Comment

ID: 16874533
If it's caused by worm/virus, it's more likely that your ctrl+alt+del is also not working,
cmd won't run, etc. Your hijackthis log can tell us if it is caused by worm or viruses.

Trying to fix the regedit alone won't do much good if it's caused by worm because it will be disabled again unless the culprit is removed.
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16874760
Download and run this tool, then you will be able to run regedit, but you will need to clean your system because spyware/trojans/batches do affect your system and disable all the important utilities like Msconfig + Task Manager + regedit, etc.


Author Comment

ID: 16877685
I'm currently running hijackthis...I'll paste the log when it's finished

I also removed the following files from my computer after reading via the web that they were adware files:
renamed all *.hta files to *.hta_

I also removed some gifs in the system32 directory that had a timestamp of the current date and looked to be part of the homepage that was coming up on my internet explorer.

After I removed the gifs, my computer started running extremely slow.  When I try to open Internet Explorer I get an hour glass and then nothing.  I can see the iexplore.exe process running in my task manager but it never comes up.  Any other program I try to open takes at least 3-5 minutes to open.

Thanks in advance for any help!

Author Comment

ID: 16877772
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16877791
Your HJT log seems to be clean .. But delete the following entry..

O4 - Global Startup: ToDo.txt

Then check again if you can now open the regedit ???

Also do an online scan with the Trend Micro online scanner..

Author Comment

ID: 16877840
Now everything is ok, but when I open a windows explorer window everything slows to a crawl.  If I don't open a windows explorer window, everything works normal.
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16877859
Go to Start --> cmd --> type Tasklist > C:\tasks.txt

You will find the tasks.txt file created on your c:\ drive, open it with notepad and post what's inside it here, this will let us take a look at your running processes now..!


Author Comment

ID: 16878094
Here's the file contents:
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        220 K
smss.exe                     584 Console                 0        376 K
csrss.exe                    652 Console                 0      3,632 K
winlogon.exe                 676 Console                 0      3,340 K
services.exe                 720 Console                 0      3,948 K
lsass.exe                    732 Console                 0      1,616 K
svchost.exe                  912 Console                 0      4,744 K
svchost.exe                  980 Console                 0      3,908 K
MsMpEng.exe                 1016 Console                 0     12,748 K
svchost.exe                 1060 Console                 0     19,780 K
S24EvMon.exe                1100 Console                 0      1,840 K
svchost.exe                 1152 Console                 0      2,668 K
svchost.exe                 1204 Console                 0      4,104 K
ZCfgSvc.exe                 1404 Console                 0      7,840 K
1XConfig.exe                1480 Console                 0      4,116 K
BRSVC01A.EXE                1528 Console                 0      1,076 K
spoolsv.exe                 1544 Console                 0      4,848 K
BRSS01A.EXE                 1572 Console                 0      1,692 K
Mcdetect.exe                1768 Console                 0      3,096 K
McShield.exe                1792 Console                 0     22,772 K
McTskshd.exe                1824 Console                 0      2,696 K
explorer.exe                 228 Console                 0    153,924 K
MDM.EXE                      316 Console                 0      2,600 K
mnmsrvc.exe                  328 Console                 0      2,760 K
sqlservr.exe                 352 Console                 0      7,128 K
rundll32.exe                 384 Console                 0      2,376 K
BCMSMMSG.exe                 460 Console                 0      1,752 K
Apoint.exe                   476 Console                 0      4,764 K
jusched.exe                  484 Console                 0      1,792 K
BacsTray.exe                 492 Console                 0      2,404 K
tfswctrl.exe                 516 Console                 0      3,456 K
sgtray.exe                   524 Console                 0      4,252 K
PCMService.exe               548 Console                 0     13,848 K
DVDLauncher.exe              380 Console                 0      2,764 K
quickset.exe                 564 Console                 0      3,952 K
mcagent.exe                  644 Console                 0      6,440 K
nvsvc32.exe                  656 Console                 0      2,884 K
mcvsshld.exe                 936 Console                 0      7,748 K
oasclnt.exe                 1176 Console                 0      2,688 K
MSASCui.exe                 1188 Console                 0      7,212 K
RegSrvc.exe                 1172 Console                 0      3,028 K
ctfmon.exe                  1140 Console                 0      3,440 K
DSAgnt.exe                  1332 Console                 0      3,472 K
svchost.exe                 1356 Console                 0      3,844 K
McVSEscn.exe                1424 Console                 0      7,432 K
acrotray.exe                1696 Console                 0      2,340 K
ApntEx.exe                  2156 Console                 0      1,868 K
alg.exe                     2824 Console                 0      3,276 K
wuauclt.exe                 3208 Console                 0      6,848 K
cmd.exe                     3500 Console                 0      2,408 K
TASKLIST.EXE                3556 Console                 0      4,212 K
wmiprvse.exe                3596 Console                 0      5,388 K
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16878109
WOW, your Explorer.exe file is 100% infected...........!  It's using 150 MB, and that's for sure abnormal...!

But, there's still something to check ..!
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16878140
OK, I have checked all the processes running on your task list, and it seems no infection is running in memory..

The only weird thing is the size of the Explorer.exe file ....

Press ctrl + alt + del to bring up the task manager, go to the processes tab, right click Explorer.exe and click end process..

The computer desktop will disappear now, Click on File menu of the task manager -- > New task --> type %windir%\explorer.exe   and Enter

It should open now a new task which is explorer.exe, this will bring you back the desktop background --> go back and check the size next to the Explorer.exe it should be at least 30,000 K if not less...!

Try closing all the programs from the tray icon, by right clicking on them and exit ..!

If the size has not changed then you should do a scan online to make sure there's still no infection and you will have to extract a new copy of explorer.ex_ from your I:\I386 directory to the windows directory ...!

hope this will help..
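
As an added example (not part of the original thread and not any participant's code): a Python parser for default `tasklist` output like the listing posted above, which ranks processes whose memory use is far above the median of the listing. The function names, the regex and the 5x-median threshold are assumptions of this example; the sample rows are taken from the listing in this thread.

```python
import re
from statistics import median

# A few rows from the tasklist listing posted in this thread.
SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
svchost.exe                 1060 Console                 0     19,780 K
McShield.exe                1792 Console                 0     22,772 K
explorer.exe                 228 Console                 0    153,924 K
cmd.exe                     3500 Console                 0      2,408 K
"""

# Matching the numeric columns from the right lets image names contain spaces
# ("System Idle Process") and tolerates whitespace collapsed by copy/paste.
# Assumes the Session Name column is non-empty, as in the posted listing.
ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
    r"(?P<sno>\d+)\s+(?P<mem>[\d,]+) K$"
)

def parse_tasklist(text):
    """Return one dict per process row; header, ruler and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "name": m["name"],
            "pid": int(m["pid"]),
            "session": m["session"],
            "mem_kb": int(m["mem"].replace(",", "")),
        })
    return rows

def flag_heavy(rows, factor=5):
    """Rows using more than `factor` times the median memory, largest first.
    A large working set is a lead for closer inspection, not proof of infection."""
    baseline = median(r["mem_kb"] for r in rows)
    heavy = [r for r in rows if r["mem_kb"] > factor * baseline]
    return sorted(heavy, key=lambda r: r["mem_kb"], reverse=True)

if __name__ == "__main__":
    for r in flag_heavy(parse_tasklist(SAMPLE)):
        print(f'{r["name"]} (PID {r["pid"]}): {r["mem_kb"]:,} K')
```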

LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16878145
BTW: Quit using McAfee, it's the worst antivirus ever...!


Author Comment

ID: 16878193
How do I extract a new copy of explorer.exe?
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16878240
First you should close the Explorer.exe from the task process list, End the task..

Click on File on task manager --> New task (Run) type CMD and enter

If you have your I386 directory already in your HDD, then follow these commands

On the command prompt type.. Assuming that the I386 folder is found on your C:\ drive, and Windows is on the C:\ drive too.

cd I386                                  
expand explorer.ex_ c:\windows\explorer.exe
then copy c:\windows\explorer.exe c:\windows\system32\dllcache

If you couldn't copy or remove the file then you should try using a bootable CD or floppy, or maybe the recovery console..

Good luck

Author Comment

ID: 16878247
When I'm in safe mode explorer window opens with no problem...does that make any difference?
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16878249
If you have the I386 folder on a CD, then type

Expand X:\I386\explorer.ex_ C:\windows          the X means the CD Rom drive letter.
LVL 24

Accepted Solution

Mohammed Hamada earned 2000 total points
ID: 16878261
Sure it does, this means you have a service conflict, or device driver error or startup item that is causing this...

Try to disable all the startup items first.. to make sure nothing affects it..

Go to Start --> run --> type Msconfig and enter
go to the Startup tab and click disable all..!

Restart and see if it works ??
If not then again get the msconfig and goto Services tab, click Hide MS services and click disable all then restart again and see if it works ?

If not then you will have to uninstall the Devices one by one to see which one is conflicting..!

Author Comment

ID: 16878330
I still had the problem after disabling and restarting both the services and startup tabs.  I looked at the device manager and none of the devices have a warning mark next to them.  But I guess I'll have to uninstall each one in any case....

Author Comment

ID: 16878354
Thank you for all your help!!
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16878365
You're welcome, and I'll be here in case you didn't solve it.

Expert Comment

ID: 21596167
You may download a free tool at www.digitalsupporttech.com. The tool will tell you what causes the problem. It is also free to get it fixed.
