Re: Virus in Registry - REGEDIT

From: MartynB (anonymous_at_discussions.microsoft.com)
Date: 01/02/05


Date: Sun, 2 Jan 2005 11:02:20 -0400

cwan:

I had the same problem after a trojan infection with the error message
"Registry editing has been disabled by your administrator." when trying to
use Regedit.

This was my solution for WinXP SP2, but be careful as you are editing the
"live" registry via a command prompt.

To check for the problem, open a Command Window and type the following:-

>REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /s

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    HideLogoffScripts REG_DWORD 0x0
    HideLogonScripts REG_DWORD 0x0
    DisableRegistryTools REG_DWORD 0x1

The value 0x1 after DisableRegistryTools shows that Regedit is disabled.
To change the value of DisableRegistryTools, use the REG ADD command:-

>REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0
Value DisableRegistryTools exists, overwrite(Y/N)? y

The operation completed successfully

and now running REG QUERY again:-

>REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /s

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    HideLogoffScripts REG_DWORD 0x0
    HideLogonScripts REG_DWORD 0x0
    DisableRegistryTools REG_DWORD 0x0

Regedit is now available

Martyn

"cwan" <cwan@discussions.microsoft.com> wrote in message
news:3092ACE2-F20A-4FED-B1E0-1C63FDB0C376@microsoft.com...
> I've used AD-Aware to locate and quarantine some Malware viruses and trojans
> on my computer, so that I can install Norton AntiVirus 2005. The problem is
> that each time I restart my computer and re-run Ad-Aware, these same registry
> entries are found again, and one is a dialer kind of malware that keeps
> starting Internet Explorer and logging onto some kind of porn site. I'm
> unable to use: RUN--> REGEDIT on my computer, therefore I can't get to the
> registry to delete these viruses manually. QUESTION: IS there another way
> to edit the registry without using REGEDIT?
>
> Thanx,
> cwan
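
The same check as the REG QUERY / REG ADD steps in the reply above, written as an added PowerShell example that is not part of the original thread. It goes beyond the post by checking every loaded user hive under HKEY_USERS rather than only HKCU, and by also reporting DisableTaskMgr, which lives in the same Policies\System key. It assumes PowerShell 3.0 or later; the function names Get-ToolLockout and Reset-ToolLockout are hypothetical.

```powershell
# Added example (not from the thread): audit the Policies\System key the post
# queries, across all loaded user hives, for tool-lockout values.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$names  = 'DisableRegistryTools', 'DisableTaskMgr'

function Get-ToolLockout {
    # Each child of HKEY_USERS is a loaded hive; *_Classes hives hold no policies.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = "Registry::HKEY_USERS\$sid\$subKey"
            if (-not (Test-Path -Path $path)) { return }   # key absent: nothing set
            $props = Get-ItemProperty -Path $path
            foreach ($name in $names) {
                $p = $props.PSObject.Properties[$name]
                if ($null -ne $p) {
                    [pscustomobject]@{
                        Sid        = $sid
                        Value      = $name
                        Data       = $p.Value
                        Restricted = ($p.Value -ne 0)      # any non-zero data locks the tool
                    }
                }
            }
        }
}

function Reset-ToolLockout {
    # Equivalent of the post's "REG ADD ... /d 0", applied to every restricted value.
    # Run with -WhatIf first to see what would be changed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Get-ToolLockout | Where-Object { $_.Restricted } | ForEach-Object {
        $path = "Registry::HKEY_USERS\$($_.Sid)\$subKey"
        if ($PSCmdlet.ShouldProcess($path, "set $($_.Value) to 0")) {
            Set-ItemProperty -Path $path -Name $_.Value -Value 0 -Type DWord
        }
    }
}

# Report first; reset only after reviewing the output.
Get-ToolLockout | Format-Table -AutoSize
```

Clearing the value only restores access to the tool; whatever wrote it is still on the system until it is removed, and a domain Group Policy setting will write the value back at the next policy refresh.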


