
Regedit disabled

I believe I have the cashdeluxe spyware on my machine. Not sure if this is related, but when I go to run-regedit, the registry editor opens and is enabled for about 2 seconds and then gets disabled so I can't edit it. Any ideas on how to enable it? I've tried going through policies-user-administrative-system, but I can't change anything for the edit registry option.
boot into 'safe mode' and do it from there
what is the message that is displayed when it gets disabled?
Most likely you have this file in your system or system32 folder --> regedit.com
Find and delete that (showing hidden files and folders first if needed).

If it is caused by a virus then it also has other files there, can we look at your hijackthis log please? Hijackthis log should show us the culprit.

Please download HijackThis 1.99.1
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.

If it's caused by worm/virus, it's more likely that your ctrl+alt+del is also not working,
cmd won't run, etc. Your hijackthis log can tell us if it is caused by worm or viruses.

Trying to fix the regedit alone won't do much good if it's caused by worm because it will be disabled again unless the culprit is removed.
Mohammed Hamada, Senior IT Consultant, Commented:
Download and run this tool, then you will be able to run regedit, but you will need to clean your system because spyware/trojans/batches do affect your system and disable all the important utilities like Msconfig + Task Manager + regedit, etc.

msanzenb, Author, Commented:
I'm currently running hijackthis...I'll paste the log when it's finished

I also removed the following files from my computer after reading via the web that they were adware files:
renamed all *.hta files to *.hta_

I also removed some gifs in the system32 directory that had a timestamp of the current date and looked to be part of the homepage that was coming up on my internet explorer.

After I removed the gifs, my computer started running extremely slow.  When I try to open Internet Explorer I get an hour glass and then nothing.  I can see the iexplore.exe process running in my task manager but it never comes up.  Any other program I try to open takes at least 3-5 minutes to open.

Thanks in advance for any help!
msanzenb, Author, Commented:
Mohammed Hamada, Senior IT Consultant, Commented:
Your HJT log seems to be clean .. But delete the following entry..

O4 - Global Startup: ToDo.txt

Then check again if you can now open the regedit ???

Also do an online scan with the Trend Micro online scanner..
msanzenb, Author, Commented:
Now everything is ok, but when I open a windows explorer window everything slows to a crawl.  If I don't open a windows explorer window, everything works normal.
Mohammed Hamada, Senior IT Consultant, Commented:
Go to Start --> cmd --> type Tasklist > C:\tasks.txt

You will find the tasks.txt file created on your C:\ drive. Open it with Notepad and post what's inside it here; this will let us take a look at your running processes now..!

msanzenb, Author, Commented:
Here's the file contents:
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        220 K
smss.exe                     584 Console                 0        376 K
csrss.exe                    652 Console                 0      3,632 K
winlogon.exe                 676 Console                 0      3,340 K
services.exe                 720 Console                 0      3,948 K
lsass.exe                    732 Console                 0      1,616 K
svchost.exe                  912 Console                 0      4,744 K
svchost.exe                  980 Console                 0      3,908 K
MsMpEng.exe                 1016 Console                 0     12,748 K
svchost.exe                 1060 Console                 0     19,780 K
S24EvMon.exe                1100 Console                 0      1,840 K
svchost.exe                 1152 Console                 0      2,668 K
svchost.exe                 1204 Console                 0      4,104 K
ZCfgSvc.exe                 1404 Console                 0      7,840 K
1XConfig.exe                1480 Console                 0      4,116 K
BRSVC01A.EXE                1528 Console                 0      1,076 K
spoolsv.exe                 1544 Console                 0      4,848 K
BRSS01A.EXE                 1572 Console                 0      1,692 K
Mcdetect.exe                1768 Console                 0      3,096 K
McShield.exe                1792 Console                 0     22,772 K
McTskshd.exe                1824 Console                 0      2,696 K
explorer.exe                 228 Console                 0    153,924 K
MDM.EXE                      316 Console                 0      2,600 K
mnmsrvc.exe                  328 Console                 0      2,760 K
sqlservr.exe                 352 Console                 0      7,128 K
rundll32.exe                 384 Console                 0      2,376 K
BCMSMMSG.exe                 460 Console                 0      1,752 K
Apoint.exe                   476 Console                 0      4,764 K
jusched.exe                  484 Console                 0      1,792 K
BacsTray.exe                 492 Console                 0      2,404 K
tfswctrl.exe                 516 Console                 0      3,456 K
sgtray.exe                   524 Console                 0      4,252 K
PCMService.exe               548 Console                 0     13,848 K
DVDLauncher.exe              380 Console                 0      2,764 K
quickset.exe                 564 Console                 0      3,952 K
mcagent.exe                  644 Console                 0      6,440 K
nvsvc32.exe                  656 Console                 0      2,884 K
mcvsshld.exe                 936 Console                 0      7,748 K
oasclnt.exe                 1176 Console                 0      2,688 K
MSASCui.exe                 1188 Console                 0      7,212 K
RegSrvc.exe                 1172 Console                 0      3,028 K
ctfmon.exe                  1140 Console                 0      3,440 K
DSAgnt.exe                  1332 Console                 0      3,472 K
svchost.exe                 1356 Console                 0      3,844 K
McVSEscn.exe                1424 Console                 0      7,432 K
acrotray.exe                1696 Console                 0      2,340 K
ApntEx.exe                  2156 Console                 0      1,868 K
alg.exe                     2824 Console                 0      3,276 K
wuauclt.exe                 3208 Console                 0      6,848 K
cmd.exe                     3500 Console                 0      2,408 K
TASKLIST.EXE                3556 Console                 0      4,212 K
wmiprvse.exe                3596 Console                 0      5,388 K
Mohammed Hamada, Senior IT Consultant, Commented:
WOW, your Explorer.exe file is 100% infected...........!  It's using 150 MB, and that's for sure abnormal...!

But, there's still something to check ..!
Mohammed Hamada, Senior IT Consultant, Commented:
OK, I have checked all the processes running on your task list, and it seems no infection is running in memory..

The only weird thing is the size of the Explorer.exe file ....

Press Ctrl + Alt + Del to bring up the Task Manager, go to the Processes tab, right-click Explorer.exe and click End Process..

The computer desktop will disappear now, Click on File menu of the task manager -- > New task --> type %windir%\explorer.exe   and Enter

It should open now a new task which is explorer.exe, this will bring you back the desktop background --> go back and check the size next to the Explorer.exe it should be at least 30,000 K if not less...!

Try closing all the programs from the tray icon, by right clicking on them and exit ..!

If the size has not changed then you should Do a scan online to make sure there's still no infection and you will have to extract a new copy of explorer.ex_ from your I:\I386 directory to windows directory ...!

hope this will help..
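
The memory check discussed above, as an added example that is not part of the original thread: a small parser for the text written by `tasklist > C:\tasks.txt` that lists the processes above a memory threshold, largest first. The function names are hypothetical, the sample rows are copied from the listing posted earlier, and the 30,000 K default is the figure quoted in the comment above, used here as an assumed cut-off.

```python
import re

# Constructed sample in the layout written by `tasklist > C:\tasks.txt`;
# the rows are copied from the listing posted in the thread.
SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
svchost.exe                  912 Console                 0      4,744 K
McShield.exe                1792 Console                 0     22,772 K
explorer.exe                 228 Console                 0    153,924 K
cmd.exe                     3500 Console                 0      2,408 K
"""

# Anchor on the numeric columns so image names containing spaces
# ("System Idle Process") are captured whole.
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
                 r"(?P<snum>\d+)\s+(?P<mem>[\d,]+)\s*K\s*$")


def parse_tasklist(text):
    """Return one dict per process row; raise on rows that do not parse."""
    procs, in_body = [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not in_body:
            # Process rows start after the '=====' separator line.
            in_body = set(line.strip()) <= {"=", " "}
            continue
        m = ROW.match(line)
        if m is None:
            # A row that silently drops out of triage is worse than an error.
            raise ValueError(f"unparsable tasklist row: {line!r}")
        procs.append({"name": m["name"], "pid": int(m["pid"]),
                      "mem_kb": int(m["mem"].replace(",", ""))})
    return procs


def flag_heavy(procs, threshold_kb=30000):
    """Processes using more than threshold_kb, largest first."""
    heavy = [p for p in procs if p["mem_kb"] > threshold_kb]
    return sorted(heavy, key=lambda p: p["mem_kb"], reverse=True)


if __name__ == "__main__":
    for p in flag_heavy(parse_tasklist(SAMPLE)):
        print(f'{p["name"]} (PID {p["pid"]}): {p["mem_kb"]:,} K')
```
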

Mohammed Hamada, Senior IT Consultant, Commented:
BTW: Quit using McAfee, it's the worst antivirus ever...!

msanzenb, Author, Commented:
How do I extract a new copy of explorer.exe?
Mohammed Hamada, Senior IT Consultant, Commented:
First you should close the Explorer.exe from the task process list, End the task..

Click on File on task manager --> New task (Run) type CMD and enter

If you have your I386 directory already in your HDD, then follow these commands

On the command prompt type the following, assuming that the I386 folder is found on your C:\ drive, and Windows is on the C:\ drive too.

cd I386                                  
expand explorer.ex_ c:\windows\explorer.exe
then copy c:\windows\explorer.exe c:\windows\system32\dllcache

If you couldn't copy or remove the file then you should try using a bootable CD or floppy, or maybe the recovery console..

Good luck
msanzenb, Author, Commented:
When I'm in safe mode explorer window opens with no problem...does that make any difference?
Mohammed Hamada, Senior IT Consultant, Commented:
If you have the I386 folder on a CD, then type

Expand X:\I386\explorer.ex_ C:\windows

(The X means the CD-ROM drive letter.)
Mohammed Hamada, Senior IT Consultant, Commented:
Sure it does, this means you have a service conflict, a device driver error or a startup item that is causing this...

Try to disable all the startup items first.. to make sure nothing affects it..

Go to Start --> Run --> type Msconfig and press Enter
Go to the Startup tab and click Disable All..!

Restart and see if it works ??
If not then again get the msconfig and goto Services tab, click Hide MS services and click disable all then restart again and see if it works ?

If not then you will have to uninstall the Devices one by one to see which one is conflicting..!
msanzenb, Author, Commented:
I still had the problem after disabling and restarting both the services and startup tabs.  I looked at the device manager and none of the devices have a warning mark next to them.  But I guess I'll have to uninstall each one in any case....
msanzenb, Author, Commented:
Thank you for all your help!!
Mohammed Hamada, Senior IT Consultant, Commented:
You're welcome, and I'll be here in case you didn't solve it.
You may download a free tool at www.digitalsupporttech.com. The tool will tell you what causes the problem. It is also free to get it fixed.