Solved

edit start up programs without starting windows

Posted on 2013-01-28
10
1,353 Views
Last Modified: 2013-11-22
I am trying to remove a virus from a computer which runs as soon as windows starts, I need to be able to disable the virus so I can deal with it but the whole screen has been taken over by a fake security program called PCeU which is asking for £100 to "unlock" the computer. I am unable to use task manager or the run command even in safe mode, I have tried last known good configuration and also tried using a windows disc to use system restore but apparently there are no restore points. I would like to be able to take this program out of the start up list as if I was using msconfig to access system configuration. Is this possible by accessing the hard drive using another computer and editing a file? The system is Windows 7 Home Premium.
0
Comment
Question by:it4
  • 3
  • 2
  • 2
  • +3
10 Comments
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 38827536
Can you press F8 while the PC is booting to force it to boot into safe mode?

From there you will be able to disable everything that boots on starting by clicking start > run > msconfig

you can also ammend the registry if things are still starting up.
0
 
LVL 9

Expert Comment

by:TunerML
ID: 38827540
You could also try using a recovery/rescue disc available free from many anti-virus companies to do a full scan of the system and remove the virus.

Kasperksy is available here: http://support.kaspersky.com/viruses/rescuedisk,

AVG, Avast and the other major players all have their various versions some free some not.
0
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 38827541
Sorry ignore my answer, i missed the line where you already said you had tried safe mode.
0
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 38827574
There are 2 ways i can think of but could risk spreading the virus so make sure the other pc has good AV on it first.


1 - connect another PC to same subnet and try to access the registry over the network, however i have never tried this on a none domain pc so i dont know if it will work with just the ip address.

2 - plug your hard drive into a working pc, go into the registry editor and click file and then "load hive"

You should then be able to edit the other registry i think the file is located at C:\windows\system32\config

The keys you will be looking for are

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
 HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
 
For Windows 64-bit users you may also find entries listed under the following keys:-
 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
 HKLM\SOFTWARE\Wow6432Node\\Microsoft\Windows\CurrentVersion\RunOnce
 
Occasionally the following keys will also be used - primarily by malware:-
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
0
 
LVL 16

Accepted Solution

by:
Brian Pringle earned 500 total points
ID: 38827705
I use Ultimate Boot CD 4 Windows (http://www.ubcd4win.com).  You can either use the standard installation or you can customize it.

It does require for you to have a Windows XP computer or the XP installation disc (i386 folder) to build your own bootable disc.  

After booting, you will see a desktop similar to Windows XP.  From there, you can run regedit, load the hives listed above, and edit them.  

Just make sure that you UNLOAD the hives after editing them for them to get saved properly.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 16

Expert Comment

by:Brian Pringle
ID: 38827707
UBCD4Win will work with Windows 7, even though it is based on Windows XP.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38827901
I will second the recommendation for the Kapersky Rescue Disk.  It boots by itself since it is a Linux Live disk.  You need an active internet connection so it can download it's current definitions but it will scan your hard without booting up Windows.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 38828018
If you are going to use an alternate boot disk, I highly suggest one created with SARDU, that way you have everything (including the kitchen sink) in one place.  This generally means booting to a USB device - but SARDU creates that for you.  See my article:

http://www.experts-exchange.com/Storage/Misc/A_3038-Boot-Disks-UBCD-UBCD4Win-and-SARDU.html
0
 

Author Closing Comment

by:it4
ID: 38876977
Thanks that worked
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 38877023
I highly suggest you create a disk with SARDU anyway.  It will include UBCD if you wish, but it has so much more.  I use it all the time.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now