Cannot open in safe mode

By beezwings
Dec 28, 2008
  1. cannot open in safe mode, access registry, or task manager

    I'm no techy, but I'm posting here because my internet searches have not been able to fully get rid of a virus that I got a couple of days ago.

    I was transferring a file from a friend's usb, and I virus checked it with AVG and though no threats came up, it put a virus on my computer.

    Everytime I tried to go to task manager or regedit, I'd get the message "registry editing has been disabled by your administrator" and my computer would automatically restart.

    When the computer restarts, the firewall is automatically disabled.

    I cannot run AVG anti-virus, so I tried installing Kaspersky trial, but I cannot open it either.

    I cannot "show hidden files"

    When I try to boot in safe mode, it says there is some "power failure" and only lets me boot normally.

    I was able to find these files in my windows\system32 directory:

    I think I deleted them using HijackThis, but I have a feeling they will show up again.

    I was able to delete a hidden autorun.inf file from the c:\windows\ directory using the command prompt.

    Now, thankfully my computer doesn't automatically restart even if I try to run the regedit, but I still can't access the virus checker/regedit/task manager.

    Please help (see my attached hijackthis file)! I've been searching the internet, but so far no fixes for the un-safe mode!

    Thank you.

    Attached Files:

  2. gillianbrown

    gillianbrown Banned Posts: 141

    Go HERE, follow the instructions and post the log files once done.
  3. beezwings

    beezwings TS Rookie Topic Starter

    One more thing..

    I'm about to go through with the steps you suggested.. I forgot to post that I previously ran Malwarebytes and got one error with the vendor "hijack.taskmanager."

    I'll post as soon as I'm finished, thanks!
  4. filimarcus

    filimarcus TS Rookie Posts: 29

    hi good day,
    that was happened to me before... through research i use remove restriction tools software which is very effective. I suggest that you download remove restricion tool(rrt) just follow the instructions there and i'ts very easy
  5. beezwings

    beezwings TS Rookie Topic Starter

    Strange .exe files in Temp directory

    Ok, here are my logs.

    I wasn't able to run any of the anti-viruses (the virus seems to have prevented it)

    I was able to install the CCleaner, but it would automatically shut down after 2-3 seconds of use.

    I couldn't find any program to temp disable real time monitering

    Malwarebytes' Anti-Malware, SuperAntiSpyware, Java-updates, and Hijack this all worked.

    The rrt tool didn't fix my problem.

    I've noticed there are always some .exe files running in the C:\Temp\ directory and their file names seem to change randomly.

    Ok, please advise!
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Try this little program

    Download RatsCheddar

    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, Double click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.
  7. beezwings

    beezwings TS Rookie Topic Starter

    Hmm...ratschedder didn't seem to do anything...
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  9. beezwings

    beezwings TS Rookie Topic Starter

    Is this a file I need to run or put somewhere? I cannot run it because I don't have access to the registry :blush:
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    just unzip and double click to run (or merge rather)
  11. beezwings

    beezwings TS Rookie Topic Starter

    When I double click, I get the same message "Registry editing has been disabled by your administrator."

    Seems a catch 22! (just what a virus likes, i guess)
  12. beezwings

    beezwings TS Rookie Topic Starter

    Using SUPERanti-spyware, I was able to finally load in Safemode. While their, I ran a script to let me into my rededit--unfortunately, about three minutes later, my access was denied again (even in safe mode)! Please help!!
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I see the only way to resolve this is to remove the HardDrive, plug it into a desktop computer, as a secondary drive, and either backup any data, or run a full scan, with a few tools (Antivirus; Spyware; Malware)
    Or just backup all your data; format; and start a new!
  14. beezwings

    beezwings TS Rookie Topic Starter

    Can you see which files are causing the problems? I discovered I can load into Ubuntu (linux) using their boot CD and delete any files on my original drive... might that help?
  15. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    this key is locking the reg
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    I will attatch the ANTI.log run hijack this and check remove ALL those in the file
    run again and post a new log


    Attached Files:

    • ANTI.log
      File size:
      672 bytes
  16. beezwings

    beezwings TS Rookie Topic Starter

    Thanks for the reply. I've followed your intstructions, except I didn't know how to stop the Temp\*.exe files using hijackthis. Now there are even more .exe files running in the Temp dir.! The google updater service (023) came back too. 07 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 always comes back right away. How can I stop these temp files when I cannot access task manager? Anyway, even if I stop them, they just come back it seems... Please advise:)
  17. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    yes they will
    Let me research this a little and see if i can give you a complete fis
  18. beezwings

    beezwings TS Rookie Topic Starter

    I am now able to start in Safe Mode. When I run some scripts to allow task manager and regedit, I am able to open them for a few secs before the virus overrides and closes the window... in my last hijackthis log, there were no temp exe files even running yet (on clean reboot).... so which is the culprit??
  19. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Right Click on MyComputer icon and go to properties
    Turn Off system restore
    open IE and go to TOOLS OPTIONS delete temporary internet files and cookies
    do a disk cleanup in your Start/accessories/system tools/ Menu

    run hijackthis and malwarebytes at the same time
    select ALL MATCHING files and or keys I posted below in hijackthis
    but on both maiwarebytes and hijackthis click fix at the same time.
    then reboot immediatly

    if you forget to turn off system restore it will return no matter

    reboot once complete, run hijack this and post your log here again

    Watson Subscriber for SENS Network Notifications do you use this ? I would remove it as you can always subscribe again if you want :)
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll (file missing)

    O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll (file missing)
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1A93C65-BD66-4E12-A85B-FEAEE7FC9626}: NameServer =
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
  20. beezwings

    beezwings TS Rookie Topic Starter


    I followed your exact intructions--fortunately, no temp .exe files running, but 07 came back again...

    What do you make of it?

    Another things is that my system freezes up quite easily how when I try to do things in explorer, ie right click on a folder, try to drag and drop a folder from one location to the other. I've been defragmenting my drive lots... that's not it, is it?

    BTW, in the meantime (in my frustration), I got a free Ubuntu CD and installed it so I now have a dual-boot system w/two partitions... is there a way i could run a virus scanner through linux to search my windows-occupied partition, and if so, what's the best software?

    Thanks for all your help:)

    Here's my log:
  21. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    NOT SURE how to say this but Looks good ;)
    take care
  22. beezwings

    beezwings TS Rookie Topic Starter

    MMmmm... My task manager is still disabled, and on reboot, my firewall is still automatically disabled.. there's still something going on here...
  23. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

  24. beezwings

    beezwings TS Rookie Topic Starter

    Thanks for the taskmanager fix--it works! (but only if I run it three or four times in a row). Do have such a fix for regedit? I tried "regedit fix" but it doesn't work. I tried changing the name of regedit.exe, but "regedit.exe" automatically reappears. Any ideas?

    I was able to finally run Kapersky succesfully, the results of which seemed confusing--posting Word, Excel, etc as threats (log attached). But one thing is that it prevents programs from running without your consent. Here are the names of some of the programs that were attempting to run:


    I couldn't find them on the internet, so I suspect they are randomly created names by the virus. I'm afraid I'm still infected!!

    Please help...
  25. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Download VUNDO
    and save it to your desktop

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files,
    click YES
    Once you click yes, your desktop will go blank as it starts removing
    When completed, it will prompt that it will reboot your computer,
    Click ok
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...