
Cannot open in safe mode

Discussion in 'Virus and Malware Removal' started by beezwings, Dec 28, 2008.

  1. beezwings Newcomer, in training

    cannot open in safe mode, access registry, or task manager

    I'm no techy, but I'm posting here because my internet searches have not been able to fully get rid of a virus that I got a couple of days ago.

    I was transferring a file from a friend's usb, and I virus checked it with AVG and though no threats came up, it put a virus on my computer.

    Every time I tried to go to task manager or regedit, I'd get the message "registry editing has been disabled by your administrator" and my computer would automatically restart.

    When the computer restarts, the firewall is automatically disabled.

    I cannot run AVG anti-virus, so I tried installing Kaspersky trial, but I cannot open it either.

    I cannot "show hidden files"

    When I try to boot in safe mode, it says there is some "power failure" and only lets me boot normally.

    I was able to find these files in my windows\system32 directory:
    bad1.exe
    bad2.exe
    bad3.exe

    I think I deleted them using HijackThis, but I have a feeling they will show up again.

    I was able to delete a hidden autorun.inf file from the c:\windows\ directory using the command prompt.

    Now, thankfully my computer doesn't automatically restart even if I try to run the regedit, but I still can't access the virus checker/regedit/task manager.

    Please help (see my attached hijackthis file)! I've been searching the internet, but so far no fixes for the un-safe mode!

    Thank you.


  2. gillianbrown Banned Posts: 141

    Go HERE, follow the instructions and post the log files once done.
  3. beezwings Newcomer, in training

    One more thing..

    I'm about to go through with the steps you suggested.. I forgot to post that I previously ran Malwarebytes and got one error with the vendor "hijack.taskmanager."

    I'll post as soon as I'm finished, thanks!
  4. filimarcus Newcomer, in training Posts: 34

    Hi, good day,
    That happened to me before... Through research I used the Remove Restriction Tool software, which is very effective. I suggest that you download Remove Restriction Tool (RRT); just follow the instructions there and it's very easy.
  5. beezwings Newcomer, in training

    Strange .exe files in Temp directory

    Ok, here are my logs.

    I wasn't able to run any of the anti-viruses (the virus seems to have prevented it)

    I was able to install the CCleaner, but it would automatically shut down after 2-3 seconds of use.

    I couldn't find any program to temporarily disable real-time monitoring.

    Malwarebytes' Anti-Malware, SuperAntiSpyware, Java updates, and HijackThis all worked.

    The rrt tool didn't fix my problem.

    I've noticed there are always some .exe files running in the C:\Temp\ directory and their file names seem to change randomly.


    Ok, please advise!
  6. kimsland Ex-TechSpotter Posts: 18,353

    Try this little program

    Download RatsCheddar

    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, Double click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.
     
  7. beezwings Newcomer, in training

    Hmm... RatsCheddar didn't seem to do anything...
  8. kimsland Ex-TechSpotter Posts: 18,353

  9. beezwings Newcomer, in training

    Is this a file I need to run or put somewhere? I cannot run it because I don't have access to the registry :blush:
  10. kimsland Ex-TechSpotter Posts: 18,353

    just unzip and double click to run (or merge rather)
  11. beezwings Newcomer, in training

    When I double click, I get the same message "Registry editing has been disabled by your administrator."

    Seems a catch 22! (just what a virus likes, i guess)
  12. beezwings Newcomer, in training

    Using SUPERAntiSpyware, I was able to finally load in Safe Mode. While there, I ran a script to let me into my regedit--unfortunately, about three minutes later, my access was denied again (even in Safe Mode)! Please help!!
  13. kimsland Ex-TechSpotter Posts: 18,353

    I see the only way to resolve this is to remove the hard drive, plug it into a desktop computer as a secondary drive, and either back up any data or run a full scan with a few tools (antivirus; spyware; malware).
    Or just back up all your data, format, and start anew!
  14. beezwings Newcomer, in training

    Can you see which files are causing the problems? I discovered I can load into Ubuntu (linux) using their boot CD and delete any files on my original drive... might that help?
  15. BlkHeartWolf Newcomer, in training Posts: 160

    this key is locking the reg
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    I will attach the ANTI.log. Run HijackThis and check/remove ALL those in the file,
    run again and post a new log.

    WOLF

    Attached Files: ANTI.log (672 bytes)
  16. beezwings Newcomer, in training

    Thanks for the reply. I've followed your instructions, except I didn't know how to stop the Temp\*.exe files using HijackThis. Now there are even more .exe files running in the Temp dir.! The Google Updater service (O23) came back too. O7 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 always comes back right away. How can I stop these temp files when I cannot access task manager? Anyway, even if I stop them, they just come back it seems... Please advise:)
  17. BlkHeartWolf Newcomer, in training Posts: 160

    Yes, they will.
    Let me research this a little and see if I can give you a complete fix.
  18. beezwings Newcomer, in training

    I am now able to start in Safe Mode. When I run some scripts to allow task manager and regedit, I am able to open them for a few secs before the virus overrides and closes the window... in my last hijackthis log, there were no temp exe files even running yet (on clean reboot).... so which is the culprit??
  19. BlkHeartWolf Newcomer, in training Posts: 160

    Right Click on MyComputer icon and go to properties
    Turn Off system restore
    open IE and go to TOOLS OPTIONS delete temporary internet files and cookies
    do a disk cleanup in your Start/accessories/system tools/ Menu

    run HijackThis and Malwarebytes at the same time
    select ALL MATCHING files and/or keys I posted below in HijackThis
    but on both Malwarebytes and HijackThis click fix at the same time.
    then reboot immediately

    if you forget to turn off system restore it will return no matter

    reboot once complete, run hijack this and post your log here again


    Watson Subscriber for SENS Network Notifications do you use this ? I would remove it as you can always subscribe again if you want :)
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')


    C:\Temp\amsvyp.exe
    C:\Temp\winpgvyp.exe
    C:\Temp\dubfh.exe
    C:\Temp\winacscs.exe
    C:\Temp\mvocs.exe
    C:\Temp\qyirc.exe
    C:\Temp\fbha.exe
    C:\Temp\winejkjk.exe
    C:\Temp\upprhd.exe
    C:\Temp\vyml.exe
    C:\Temp\winnxpuk.exe
    C:\Temp\winlhogow.exe
    C:\Temp\lhqda.exe
    C:\Temp\pjwft.exe
    C:\Temp\lmkblv.exe
    C:\Temp\dscs.exe
    C:\Temp\vyjvuc.exe
    C:\Temp\winjgulud.exe
    C:\Temp\winucbso.exe
    C:\Temp\winruav.exe
    C:\Temp\bheysv.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
    R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll (file missing)

    O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll (file missing)
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1A93C65-BD66-4E12-A85B-FEAEE7FC9626}: NameServer = 202.54.15.30 202.54.1.30
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
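    For the two symptoms this thread keeps returning to (the O7 DisableRegedit policy value that comes back right away, and the randomly named .exe files running from C:\Temp), here is an added PowerShell check; it is not code from any poster or from the tools named in the thread. It reads the policy values under the HKCU key BlkHeartWolf identified, clears them, re-reads them after a short delay so you can see whether something is re-applying the restriction, and lists running processes whose image lives under C:\Temp. DisableTaskMgr is the standard companion policy value for Task Manager; the 10-second wait and the C:\Temp path are assumptions taken from the thread.

```powershell
# Added example: audit the lockout policy values and C:\Temp processes
# described in this thread. Run from an elevated PowerShell prompt.
$PolicyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValues = @('DisableRegedit', 'DisableTaskMgr')  # DisableTaskMgr: Task Manager policy
$TempDir      = 'C:\Temp'   # assumed from the thread; adjust if your temp path differs

function Get-PolicyRestriction {
    # Returns a hashtable of value name -> current data ($null when the value is absent)
    $result = @{}
    foreach ($name in $PolicyValues) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($item) { $item.$name } else { $null }
    }
    return $result
}

function Clear-PolicyRestriction {
    # Removes the restriction values; re-checking a few seconds later shows
    # whether a running process is re-applying them (the thread's "comes back" symptom)
    foreach ($name in $PolicyValues) {
        Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
    }
}

function Get-TempProcess {
    # Running processes whose executable lives under $TempDir
    Get-Process |
        Where-Object { $_.Path -and
            $_.Path.StartsWith($TempDir, [System.StringComparison]::OrdinalIgnoreCase) } |
        Select-Object Id, ProcessName, Path, StartTime
}

Write-Host 'Policy values before clearing:'
Get-PolicyRestriction | Format-Table -AutoSize
Clear-PolicyRestriction
Start-Sleep -Seconds 10   # assumed wait; a non-null value afterwards means something re-set it
Write-Host 'Policy values 10 s after clearing:'
Get-PolicyRestriction | Format-Table -AutoSize
Write-Host "Processes running from $TempDir :"
Get-TempProcess | Format-Table -AutoSize
```

If the values reappear within the wait, the process re-setting them is the one to identify (its image path is usually among the C:\Temp processes listed); clearing the values alone will not hold, as the thread shows.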
  20. beezwings Newcomer, in training

    BlkHeartWolf~

    I followed your exact instructions--fortunately, no temp .exe files running, but O7 came back again...

    What do you make of it?

    Another thing is that my system freezes up quite easily now when I try to do things in Explorer, i.e. right click on a folder, or try to drag and drop a folder from one location to the other. I've been defragmenting my drive lots... that's not it, is it?

    BTW, in the meantime (in my frustration), I got a free Ubuntu CD and installed it so I now have a dual-boot system w/two partitions... is there a way i could run a virus scanner through linux to search my windows-occupied partition, and if so, what's the best software?

    Thanks for all your help:)

    Here's my log: