04-12-2010 01:44 PM
04-13-2010 08:58 AM
You can use the UnHookExec.inf file from Symantec to enable the registry editor:
http://www.symantec.com/security_response/writeup.
After that, restart your computer into Safe Mode and run a scan using any of the security programs on your computer.
Yogesh
04-14-2010 06:28 AM
Whatever this Malware is, it also disabled Safe Mode. I found a Regeditor that allows me to edit it. So now I need to know which bits to change to re-enable System Restore & Safe Mode. I was able to re-enable Task Manager.
04-15-2010 01:34 PM
Hi
Yogesh is probably trying to work out what is happening, and will be with you once he has figured it out.
Quads
04-15-2010 03:18 PM - edited 04-15-2010 03:29 PM
Hi bghanson,
I am not sure about re-enabling the Safe Mode, but you can try to re-enable the System Restore using the registry editor. Here are the steps:
1. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore and verify that the key on the right, DisableSR, has a value of 0.
2. If DisableSR is set to 1, change it to 0.
3. If the key is not there, then create one DWORD value with the name DisableSR and give it a value of 0.
I do not know why Quads has assured you that I will come up with a solution; maybe he has got some kind of 6th sense about me. But I have not limited anyone from posting here; anyone with a good solution can post in this thread and help bghanson.
Yogesh
04-16-2010 12:29 PM
Hello bghanson
Please do the registry fix only if you are comfortable doing things in the registry, and also please back up your registry before you make any changes. This is just basic before you make any changes to the registry, not meant to say that Yogesh is giving you bad instructions.
Success always occurs in private and failure in full view.
04-16-2010 02:53 PM
I have done that, but I know the backup is infected with whatever the Malware is. I tried the regedits he suggested and it did re-enable the SR, but when I click on it, it says to restart the system before it will protect my system. When I do that I am back in the same boat. Would it work if I took a copy of a registry from a similar machine and imported it into mine (same hardware but some different apps), then ran SR and restored to a date prior to my infection? Also, do you know which registry bit might have been changed to disable Symantec 360 from running? Maybe if I can re-enable that and run it, it will clear the Malware off my system so my regedits will stay.
04-16-2010 03:04 PM - edited 04-16-2010 03:37 PM
Probably still infected with the Malware, so that when you try to enable things, the Malware fights back by just setting things like System Restore back to the way it wants them. That means SR is disabled again (and other settings), and Restore Points are gone or corrupt.
Safe Mode: one of 2 things. Safe Mode is blocked, along with anything else it wants, OR Safe Mode has been removed.
Things have not been done in the usual correct order for Malware. Try changing the PC settings while the infection is active and all you end up doing is going around in circles. You change something, Malware changes it back...
Quads
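The following PowerShell script is an added example and is not from this thread or from any of the posters. It puts Yogesh's three DisableSR steps, Yogesh's and the later poster's advice to back up the key first, and Quads' point about the infection setting things back, into one check that an administrator can run: it exports the SystemRestore key, sets DisableSR to 0 (creating the DWORD if it is missing), then re-reads the value after a short pause so that a reverted value shows up as evidence that the infection is still active. It assumes Windows PowerShell 5.1 or later, an elevated (administrator) session, and the built-in reg.exe; the 30-second wait and the backup file name are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example: check/restore DisableSR and detect whether something reverts it.
$keyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$regExePath = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$backup     = Join-Path $env:TEMP ('SystemRestore-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Back up the key before touching anything (reg.exe export is built into Windows).
if (Test-Path $keyPath) {
    reg.exe export $regExePath $backup /y | Out-Null
    Write-Host "Backed up $regExePath to $backup"
} else {
    # The key itself is missing; create it so the value can be added in step 2.
    New-Item -Path $keyPath -Force | Out-Null
    Write-Host "Key was missing; created $keyPath (nothing to back up)"
}

# Returns the current DisableSR value as an int, or $null if the value does not exist.
function Get-DisableSR {
    $item = Get-ItemProperty -Path $keyPath -Name DisableSR -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DisableSR
}

# 2. Apply Yogesh's steps: 0 stays 0, 1 becomes 0, missing value is created as DWORD 0.
$before = Get-DisableSR
if ($null -eq $before) {
    New-ItemProperty -Path $keyPath -Name DisableSR -PropertyType DWord -Value 0 | Out-Null
    Write-Host 'DisableSR was missing; created it with value 0'
} elseif ($before -ne 0) {
    Set-ItemProperty -Path $keyPath -Name DisableSR -Value 0
    Write-Host "DisableSR was $before; set it to 0"
} else {
    Write-Host 'DisableSR is already 0'
}

# 3. Re-read after a pause. If the value has flipped back, a running process is
#    re-applying the setting, which is the "going around in circles" symptom Quads
#    describes: stop the active infection first (the thread suggests rkill, then MBAM)
#    and only then repeat the registry change.
Start-Sleep -Seconds 30
$after = Get-DisableSR
if ($after -eq 0) {
    Write-Host 'DisableSR is still 0 after 30 seconds; a reboot will let System Restore start.'
} else {
    Write-Warning "DisableSR changed back to '$after' within 30 seconds: something running on this machine is re-disabling System Restore. Stop it before changing settings again."
}
```

The backup is a plain .reg file, so if the change turns out to be wrong it can be merged back with reg.exe import. Running the script twice a few minutes apart is a cheap way to tell the "malware changed it back" case from a simple typo in the registry editor.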
04-16-2010 03:40 PM - edited 04-16-2010 03:41 PM
bghanson,
As Quads said, you won't be able to make any progress while the malware is running. rkill is a small app that can stop the running malware processes so that maybe you could then run MBAM. You mentioned in your first post that the name of the rogue is Antimalware Doctor. You can get removal instructions and download rkill here: BleepingComputer
04-16-2010 05:53 PM
I have come to the same conclusion. Where can I get a copy of rkill? I will give that a try. Any thoughts on importing a registry from a computer with similar hardware?
