Solved

Regedit disabled

Posted on 2006-06-09
Last Modified: 2007-12-19
I believe I have the cashdeluxe spyware on my machine. Not sure if this is related, but when I go to run-regedit, the registry editor opens and is enabled for about 2 seconds and then gets disabled so I can't edit it. Any ideas on how to enable it? I've tried going through policies-user-administrative-system, but I can't change anything for the edit registry option.
Question by:msanzenb
23 Comments
 
LVL 23

Expert Comment

by:basicinstinct
ID: 16874016
Boot into 'safe mode' and do it from there.
0
 
LVL 15

Expert Comment

by:venom96737
ID: 16874128
What is the message that is displayed when it gets disabled?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16874485
Most likely you have this file in your system or system32 folder --> regedit.com
Find and delete that (showing hidden files and folders first if needed).

If it is caused by a virus then it also has other files there, can we look at your hijackthis log please? Hijackthis log should show us the culprit.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
0
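A check for the situation described in the comment above, added here as an example and not part of the original thread: it lists command names for which a `.com` file is found before an `.exe` of the same name. It assumes the command search walks the PATH directories in order and tries extensions in the default Windows PATHEXT order (`.COM` before `.EXE`); the directory layout in `demo()` is constructed.

```python
import os
import tempfile

# Default Windows PATHEXT begins .COM;.EXE;.BAT;.CMD, so .com is tried first.
PATHEXT = (".com", ".exe", ".bat", ".cmd")


def candidates(path_dirs, pathext=PATHEXT):
    """Map command name -> matching files, in the order the search tries them."""
    found = {}
    for directory in path_dirs:              # directories in PATH order
        try:
            entries = sorted(os.listdir(directory))
        except OSError:
            continue                         # missing or unreadable directory
        for ext in pathext:                  # extensions in PATHEXT order
            for entry in entries:
                base, entry_ext = os.path.splitext(entry.lower())
                if entry_ext == ext:
                    found.setdefault(base, []).append(os.path.join(directory, entry))
    return found


def com_shadows(path_dirs, pathext=PATHEXT):
    """Return {name: (winning .com, shadowed .exe)} for every shadowed name."""
    hits = {}
    for name, files in candidates(path_dirs, pathext).items():
        exes = [f for f in files[1:] if f.lower().endswith(".exe")]
        if files[0].lower().endswith(".com") and exes:
            hits[name] = (files[0], exes[0])
    return hits


def demo():
    """Constructed layout: regedit.com in system32, regedit.exe in the Windows folder."""
    with tempfile.TemporaryDirectory() as root:
        win = os.path.join(root, "windows")
        sys32 = os.path.join(win, "system32")
        os.makedirs(sys32)
        for folder, name in [(sys32, "regedit.com"), (sys32, "more.com"),
                             (sys32, "cmd.exe"), (win, "regedit.exe")]:
            open(os.path.join(folder, name), "w").close()
        hits = com_shadows([sys32, win])
        return {n: tuple(os.path.relpath(p, win) for p in pair)
                for n, pair in hits.items()}


if __name__ == "__main__":
    print(demo())
```

A `.com` file with no same-named `.exe` (such as `more.com` in the constructed layout) is not reported, so the output is limited to names where the `.com` actually takes precedence over an existing program.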
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16874533
If it's caused by worm/virus, it's more likely that your ctrl+alt+del is also not working,
cmd won't run, etc. Your hijackthis log can tell us if it is caused by worm or viruses.

Trying to fix the regedit alone won't do much good if it's caused by worm because it will be disabled again unless the culprit is removed.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16874760
Download and run this tool, then you will be able to run regedit, but you will need to clean your system because spyware/trojans/batches do affect your system and disable all the important utilities like Msconfig + Task manager + regedit, etc.

http://www.dougknox.com/xp/utils/xp_emergencyutil.zip
0
 

Author Comment

by:msanzenb
ID: 16877685
I'm currently running hijackthis...I'll paste the log when it's finished

I also removed the following files from my computer after reading via the web that they were adware files:
system32\susp.exe
system32\users32.exe
system32\runsrvr32.dll
system32\runsrvr32.exe
renamed all *.hta files to *.hta_
system32\zserv.dll
system32\Pynix.dll
system32\dlmax.dll
system32\BTGrab.dll
system32\alxtb1.dll
system32\alxie328.dll
system32\alexaie.dll

I also removed some gifs in the system32 directory that had a timestamp of the current date and looked to be part of the homepage that was coming up on my internet explorer.

After I removed the gifs, my computer started running extremely slow.  When I try to open Internet Explorer I get an hour glass and then nothing.  I can see the iexplore.exe process running in my task manager but it never comes up.  Any other program I try to open takes at least 3-5 minutes to open.

Thanks in advance for any help!
0
 

Author Comment

by:msanzenb
ID: 16877772
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16877791
Your HJT log seems to be clean .. But delete the following entry..

O4 - Global Startup: ToDo.txt

Then check again if you can now open the regedit ???

Also do an online scan with Trend micro online scanner..
http://housecall.trendmicro.com/
0
 

Author Comment

by:msanzenb
ID: 16877840
Now everything is ok, but when I open a windows explorer window everything slows to a crawl.  If I don't open a windows explorer window, everything works normal.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16877859
Go to Start --> cmd --> type Tasklist > C:\tasks.txt

You will find the tasks.txt file created on your c:\ drive, open it with notepad and post what's inside it here, this will let us take a look at your running processes now..!

0
 

Author Comment

by:msanzenb
ID: 16878094
Here's the file contents:
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        220 K
smss.exe                     584 Console                 0        376 K
csrss.exe                    652 Console                 0      3,632 K
winlogon.exe                 676 Console                 0      3,340 K
services.exe                 720 Console                 0      3,948 K
lsass.exe                    732 Console                 0      1,616 K
svchost.exe                  912 Console                 0      4,744 K
svchost.exe                  980 Console                 0      3,908 K
MsMpEng.exe                 1016 Console                 0     12,748 K
svchost.exe                 1060 Console                 0     19,780 K
S24EvMon.exe                1100 Console                 0      1,840 K
svchost.exe                 1152 Console                 0      2,668 K
svchost.exe                 1204 Console                 0      4,104 K
ZCfgSvc.exe                 1404 Console                 0      7,840 K
1XConfig.exe                1480 Console                 0      4,116 K
BRSVC01A.EXE                1528 Console                 0      1,076 K
spoolsv.exe                 1544 Console                 0      4,848 K
BRSS01A.EXE                 1572 Console                 0      1,692 K
Mcdetect.exe                1768 Console                 0      3,096 K
McShield.exe                1792 Console                 0     22,772 K
McTskshd.exe                1824 Console                 0      2,696 K
explorer.exe                 228 Console                 0    153,924 K
MDM.EXE                      316 Console                 0      2,600 K
mnmsrvc.exe                  328 Console                 0      2,760 K
sqlservr.exe                 352 Console                 0      7,128 K
rundll32.exe                 384 Console                 0      2,376 K
BCMSMMSG.exe                 460 Console                 0      1,752 K
Apoint.exe                   476 Console                 0      4,764 K
jusched.exe                  484 Console                 0      1,792 K
BacsTray.exe                 492 Console                 0      2,404 K
tfswctrl.exe                 516 Console                 0      3,456 K
sgtray.exe                   524 Console                 0      4,252 K
PCMService.exe               548 Console                 0     13,848 K
DVDLauncher.exe              380 Console                 0      2,764 K
quickset.exe                 564 Console                 0      3,952 K
mcagent.exe                  644 Console                 0      6,440 K
nvsvc32.exe                  656 Console                 0      2,884 K
mcvsshld.exe                 936 Console                 0      7,748 K
oasclnt.exe                 1176 Console                 0      2,688 K
MSASCui.exe                 1188 Console                 0      7,212 K
RegSrvc.exe                 1172 Console                 0      3,028 K
ctfmon.exe                  1140 Console                 0      3,440 K
DSAgnt.exe                  1332 Console                 0      3,472 K
svchost.exe                 1356 Console                 0      3,844 K
McVSEscn.exe                1424 Console                 0      7,432 K
acrotray.exe                1696 Console                 0      2,340 K
ApntEx.exe                  2156 Console                 0      1,868 K
alg.exe                     2824 Console                 0      3,276 K
wuauclt.exe                 3208 Console                 0      6,848 K
cmd.exe                     3500 Console                 0      2,408 K
TASKLIST.EXE                3556 Console                 0      4,212 K
wmiprvse.exe                3596 Console                 0      5,388 K
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16878109
WOW, your Explorer.exe file is 100% infected...........!  It's using 150 MBs, and that's for sure abnormal...!

But, there's still something to check ..!
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16878140
OK, I have checked all the processes running on your task list, and it seems no infection is running in memory..

The only weird thing is the size of the Explorer.exe file ....

Press ctrl + alt + del to bring up the task manager, go to the processes tab, right click Explorer.exe and click end process..

The computer desktop will disappear now, Click on File menu of the task manager -- > New task --> type %windir%\explorer.exe   and Enter

It should open now a new task which is explorer.exe, this will bring you back the desktop background --> go back and check the size next to the Explorer.exe it should be at least 30,000 K if not less...!

Try closing all the programs from the tray icon, by right clicking on them and exit ..!

If the size has not changed then you should Do a scan online to make sure there's still no infection and you will have to extract a new copy of explorer.ex_ from your I:\I386 directory to windows directory ...!

hope this will help..

0
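The triage done by eye on the posted `tasklist` output, as an added example that is not part of the original thread: it parses the listing, ranks processes above a memory limit, and counts instances per image name. The rows in `SAMPLE` are a subset copied from the listing earlier in the thread; the 30,000 K limit is the figure quoted in the reply above, and the parser assumes session names contain no spaces.

```python
import re
from collections import Counter

# One data row: image name (may contain spaces), PID, session, session#, memory.
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
                 r"(?P<num>\d+)\s+(?P<mem>[\d,]+) K$")

# Subset of the rows posted in the thread, kept short for the example.
SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
svchost.exe                  912 Console                 0      4,744 K
svchost.exe                 1060 Console                 0     19,780 K
McShield.exe                1792 Console                 0     22,772 K
explorer.exe                 228 Console                 0    153,924 K
rundll32.exe                 384 Console                 0      2,376 K
"""


def parse_tasklist(text):
    """Return one dict per data row; header and rule lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            rows.append({"image": m["image"], "pid": int(m["pid"]),
                         "mem_kb": int(m["mem"].replace(",", ""))})
    return rows


def over_limit(rows, limit_kb):
    """Processes using more than limit_kb, largest first."""
    return sorted((r for r in rows if r["mem_kb"] > limit_kb),
                  key=lambda r: r["mem_kb"], reverse=True)


def instance_counts(rows):
    """How many processes share each image name (case-insensitive)."""
    return Counter(r["image"].lower() for r in rows)


if __name__ == "__main__":
    rows = parse_tasklist(SAMPLE)
    for r in over_limit(rows, 30_000):   # limit taken from the thread
        print(f'{r["image"]:<20} PID {r["pid"]:>5} {r["mem_kb"]:>9,} K')
    print(instance_counts(rows).most_common(1))
```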
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16878145
BTW: Quit using McAfee, it's the worst antivirus ever...!

0
 

Author Comment

by:msanzenb
ID: 16878193
How do I extract a new copy of explorer.exe?
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16878240
First you should close the Explorer.exe from the task process list, End the task..

Click on File on task manager --> New task (Run) type CMD and enter

If you have your I386 directory already in your HDD, then follow these commands

On the command prompt type the following, assuming that the I386 folder is found on your C:\ drive and Windows is on the C:\ drive too.

C:
cd\
cd I386                                  
expand explorer.ex_ c:\windows\explorer.exe
then copy c:\windows\explorer.exe c:\windows\system32\dllcache

If you couldn't copy or remove the file then you should try using a bootable CD or floppy, or maybe the recovery console..

Good luck
0
 

Author Comment

by:msanzenb
ID: 16878247
When I'm in safe mode explorer window opens with no problem...does that make any difference?
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16878249
If you have the I386 folder on a CD, then type

Expand X:\I386\explorer.ex_ C:\windows          the X means the CD Rom drive letter.
0
 
LVL 23

Accepted Solution

by:
Mohammed Hamada earned 500 total points
ID: 16878261
Sure it does, this means you have a service conflict, or device driver error or startup item that is causing this...

Try to disable all the startup items first.. to make sure nothing affects it..

Go to Start --> run --> type Msconfig and enter
go to the Startup tab and click disable all..!

Restart and see if it works ??
If not then again get the msconfig and goto Services tab, click Hide MS services and click disable all then restart again and see if it works ?

If not then you will have to uninstall the Devices one by one to see which one is conflicting..!
0
 

Author Comment

by:msanzenb
ID: 16878330
I still had the problem after disabling and restarting both the services and startup tabs.  I looked at the device manager and none of the devices have a warning mark next to them.  But I guess I'll have to uninstall each one in any case....
0
 

Author Comment

by:msanzenb
ID: 16878354
Thank you for all your help!!
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16878365
You're welcome, and I'll be here in case you didn't solve it.
0
 

Expert Comment

by:tryagian
ID: 21596167
You may download a free tool at www.digitalsupporttech.com. The tool will tell you what causes the problem. It is also free to get it fixed.
0
