Solved

Regedit disabled

Posted on 2006-06-09
Last Modified: 2007-12-19
I believe I have the cashdeluxe spyware on my machine. Not sure if this is related, but when I go to Run -> regedit, the Registry Editor opens and is enabled for about 2 seconds and then gets disabled so I can't edit it. Any ideas on how to enable it? I've tried going through Policies -> User -> Administrative -> System, but I can't change anything for the edit registry option.
Question by:msanzenb
 
LVL 23

Expert Comment

by:basicinstinct
boot into 'safe mode' and do it from there
 
LVL 15

Expert Comment

by:venom96737
what is the message that is displayed when it gets disabled?
 
LVL 47

Expert Comment

by:rpggamergirl
Most likely you have this file in your system or system32 folder --> regedit.com
Find and delete it (show hidden files and folders first if needed).

If it is caused by a virus then it also has other files there, can we look at your hijackthis log please? Hijackthis log should show us the culprit.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything.
Notepad will also open; copy its contents and paste them to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", then click "Save". Post the link to the saved list here.
 
LVL 47

Expert Comment

by:rpggamergirl
If it's caused by a worm/virus, it's more likely that your Ctrl+Alt+Del is also not working,
cmd won't run, etc. Your HijackThis log can tell us if it is caused by a worm or viruses.

Trying to fix regedit alone won't do much good if it's caused by a worm, because it will be disabled again unless the culprit is removed.
 
LVL 23

Expert Comment

by:Mohammed Hamada
Download and run this tool, then you will be able to run regedit, but you will need to clean your system because spyware/trojans/batch files do affect your system and disable all the important utilities like Msconfig, Task Manager, regedit, etc.

http://www.dougknox.com/xp/utils/xp_emergencyutil.zip
 

Author Comment

by:msanzenb
I'm currently running HijackThis... I'll paste the log when it's finished.

I also removed the following files from my computer after reading via the web that they were adware files:
system32\susp.exe
system32\users32.exe
system32\runsrvr32.dll
system32\runsrvr32.exe
renamed all *.hta files to *.hta_
system32\zserv.dll
system32\Pynix.dll
system32\dlmax.dll
system32\BTGrab.dll
system32\alxtb1.dll
system32\alxie328.dll
system32\alexaie.dll

I also removed some gifs in the system32 directory that had a timestamp of the current date and looked to be part of the homepage that was coming up on my internet explorer.

After I removed the gifs, my computer started running extremely slowly. When I try to open Internet Explorer I get an hourglass and then nothing. I can see the iexplore.exe process running in my Task Manager but it never comes up. Any other program I try to open takes at least 3-5 minutes to open.

Thanks in advance for any help!
 

Author Comment

by:msanzenb
Comment Utility
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
Your HJT log seems to be clean, but delete the following entry:

O4 - Global Startup: ToDo.txt

Then check again whether you can now open regedit.

Also do an online scan with the Trend Micro online scanner:
http://housecall.trendmicro.com/
 

Author Comment

by:msanzenb
Now everything is OK, but when I open a Windows Explorer window everything slows to a crawl. If I don't open a Windows Explorer window, everything works normally.
 
LVL 23

Expert Comment

by:Mohammed Hamada
Go to Start --> cmd --> type Tasklist > C:\tasks.txt

You will find the tasks.txt file created on your C:\ drive; open it with Notepad and post what's inside it here. This will let us take a look at your running processes now.
 

Author Comment

by:msanzenb
Here are the file contents:
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        220 K
smss.exe                     584 Console                 0        376 K
csrss.exe                    652 Console                 0      3,632 K
winlogon.exe                 676 Console                 0      3,340 K
services.exe                 720 Console                 0      3,948 K
lsass.exe                    732 Console                 0      1,616 K
svchost.exe                  912 Console                 0      4,744 K
svchost.exe                  980 Console                 0      3,908 K
MsMpEng.exe                 1016 Console                 0     12,748 K
svchost.exe                 1060 Console                 0     19,780 K
S24EvMon.exe                1100 Console                 0      1,840 K
svchost.exe                 1152 Console                 0      2,668 K
svchost.exe                 1204 Console                 0      4,104 K
ZCfgSvc.exe                 1404 Console                 0      7,840 K
1XConfig.exe                1480 Console                 0      4,116 K
BRSVC01A.EXE                1528 Console                 0      1,076 K
spoolsv.exe                 1544 Console                 0      4,848 K
BRSS01A.EXE                 1572 Console                 0      1,692 K
Mcdetect.exe                1768 Console                 0      3,096 K
McShield.exe                1792 Console                 0     22,772 K
McTskshd.exe                1824 Console                 0      2,696 K
explorer.exe                 228 Console                 0    153,924 K
MDM.EXE                      316 Console                 0      2,600 K
mnmsrvc.exe                  328 Console                 0      2,760 K
sqlservr.exe                 352 Console                 0      7,128 K
rundll32.exe                 384 Console                 0      2,376 K
BCMSMMSG.exe                 460 Console                 0      1,752 K
Apoint.exe                   476 Console                 0      4,764 K
jusched.exe                  484 Console                 0      1,792 K
BacsTray.exe                 492 Console                 0      2,404 K
tfswctrl.exe                 516 Console                 0      3,456 K
sgtray.exe                   524 Console                 0      4,252 K
PCMService.exe               548 Console                 0     13,848 K
DVDLauncher.exe              380 Console                 0      2,764 K
quickset.exe                 564 Console                 0      3,952 K
mcagent.exe                  644 Console                 0      6,440 K
nvsvc32.exe                  656 Console                 0      2,884 K
mcvsshld.exe                 936 Console                 0      7,748 K
oasclnt.exe                 1176 Console                 0      2,688 K
MSASCui.exe                 1188 Console                 0      7,212 K
RegSrvc.exe                 1172 Console                 0      3,028 K
ctfmon.exe                  1140 Console                 0      3,440 K
DSAgnt.exe                  1332 Console                 0      3,472 K
svchost.exe                 1356 Console                 0      3,844 K
McVSEscn.exe                1424 Console                 0      7,432 K
acrotray.exe                1696 Console                 0      2,340 K
ApntEx.exe                  2156 Console                 0      1,868 K
alg.exe                     2824 Console                 0      3,276 K
wuauclt.exe                 3208 Console                 0      6,848 K
cmd.exe                     3500 Console                 0      2,408 K
TASKLIST.EXE                3556 Console                 0      4,212 K
wmiprvse.exe                3596 Console                 0      5,388 K
 
LVL 23

Expert Comment

by:Mohammed Hamada
WOW, your Explorer.exe file is 100% infected! It's using 150 MB, and that's for sure abnormal!

But there's still something to check!
 
LVL 23

Expert Comment

by:Mohammed Hamada
OK, I have checked all the processes running in your task list, and it seems no infection is running in memory.

The only weird thing is the size of the Explorer.exe file...

Press Ctrl+Alt+Del to bring up the Task Manager, go to the Processes tab, right-click Explorer.exe and click End Process.

The computer desktop will disappear now. Click on the File menu of the Task Manager --> New Task --> type %windir%\explorer.exe and press Enter.

It should now open a new task, explorer.exe, which will bring the desktop background back --> go back and check the size next to Explorer.exe; it should be at least 30,000 K, if not less!

Try closing all the programs from the tray icons, by right-clicking on them and choosing Exit.

If the size has not changed then you should do an online scan to make sure there's still no infection, and you will have to extract a new copy of explorer.ex_ from your I:\I386 directory to the Windows directory!

Hope this will help.
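The checks the thread does by hand (the policy value that greys out regedit from the question, the regedit.com shadow file rpggamergirl mentions, and the oversized explorer.exe working set spotted in the tasklist output) can be run together from PowerShell. This is an added triage script, not code from the thread; the 100 MB threshold and the two directories searched are assumptions.

```powershell
# Added triage script (not from the thread). Reports three things a defender
# wants to know on a box where regedit keeps getting disabled:
#  1. the DisableRegistryTools policy value under HKCU and HKLM
#  2. a regedit.com dropped where it would be picked up ahead of regedit.exe
#  3. processes whose working set is far above normal (explorer.exe ~150 MB above)
# The 100 MB threshold and the directories searched are assumptions.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $item = Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$key : DisableRegistryTools not set"
    } else {
        # 1 disables regedit with a message box, 2 disables it silently
        Write-Output "$key : DisableRegistryTools = $($item.DisableRegistryTools)"
    }
}

# A regedit.com beside regedit.exe wins the PATHEXT lookup when 'regedit' is typed
foreach ($dir in @($env:windir, (Join-Path $env:windir 'system32'))) {
    $shadow = Join-Path $dir 'regedit.com'
    if (Test-Path -LiteralPath $shadow) {
        Write-Output "Shadow file present: $shadow"
    }
}

# Processes above the working-set threshold, largest first, with their image path
$thresholdBytes = 100MB
Get-Process |
    Where-Object { $_.WorkingSet64 -gt $thresholdBytes } |
    Sort-Object WorkingSet64 -Descending |
    Select-Object Name, Id,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB) } },
        Path |
    Format-Table -AutoSize
```

As the thread notes, clearing the policy value only helps once whatever re-applies it every couple of seconds has been removed; the process listing is where that culprit is most likely to show up.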
 
LVL 23

Expert Comment

by:Mohammed Hamada
BTW: Quit using McAfee, it's the worst antivirus ever!
 

Author Comment

by:msanzenb
How do I extract a new copy of explorer.exe?
 
LVL 23

Expert Comment

by:Mohammed Hamada
First you should close Explorer.exe from the task process list: end the task.

Click on File in Task Manager --> New Task (Run), type CMD and press Enter.

If you already have your I386 directory on your HDD, then follow these commands.

At the command prompt type the following, assuming that the I386 folder is found on your C:\ drive, and Windows is on the C:\ drive too.

C:
cd\
cd I386
expand explorer.ex_ c:\windows\explorer.exe
then copy c:\windows\explorer.exe c:\windows\system32\dllcache

If you can't copy or remove the file then you should try using a bootable CD or floppy, or maybe the Recovery Console.

Good luck
 

Author Comment

by:msanzenb
When I'm in safe mode the Explorer window opens with no problem... does that make any difference?
 
LVL 23

Expert Comment

by:Mohammed Hamada
If you have the I386 folder on a CD, then type

Expand X:\I386\explorer.ex_ C:\windows          (the X means the CD-ROM drive letter)
 
LVL 23

Accepted Solution

by:
Mohammed Hamada earned 500 total points
Sure it does; this means you have a service conflict, a device driver error, or a startup item that is causing this...

Try to disable all the startup items first, to make sure nothing affects it.

Go to Start --> Run --> type Msconfig and press Enter
go to the Startup tab and click Disable All!

Restart and see if it works.
If not, then open msconfig again and go to the Services tab, click Hide MS services and click Disable All, then restart again and see if it works.

If not, then you will have to uninstall the devices one by one to see which one is conflicting!
 

Author Comment

by:msanzenb
I still had the problem after disabling and restarting both the Services and Startup tabs. I looked at the Device Manager and none of the devices have a warning mark next to them. But I guess I'll have to uninstall each one in any case....
 

Author Comment

by:msanzenb
Thank you for all your help!!
 
LVL 23

Expert Comment

by:Mohammed Hamada
You're welcome, and I'll be here in case you didn't solve it.
 

Expert Comment

by:tryagian
You may download a free tool at www.digitalsupporttech.com. The tool will tell you what causes the problem. It is also free to get it fixed.