TechSpot

Can't open taskmanager, cmd prompt, regedit, msconfig

By bleepit
May 9, 2006
  1. Can't open taskmanager, cmd prompt, regedit, msconfig.

    I have used a lot of programs to detect/clean (Spybot, Ad-Aware, AVG, Ewido, HijackThis, CCleaner, WebSearch) in safe mode with System Restore off.

    The only things that could not be deleted were two instances: one is DisableTaskMgr and the other one is DisableRegistryTools, found by Ad-Aware. I've tried almost every possible way to delete those two but they keep showing up.

    I managed to enter the registry and delete those two with a third-party registry editor, but after reboot DisableTaskMgr and DisableRegistryTools magically appear again!!!

    Can someone please help me get back my control of my machine?
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions in the order they are given.

    Post a fresh HJT log as an attachment, only after doing the above.

    Regards Howard :wave: :wave:
     
  3. bleepit

    bleepit TS Rookie Topic Starter

    Went through all and finally I can access regedit, Task Manager etc.

    Here is a fresh log from hijackthis:

    -verbose HJT removed-

    Please re-read Howard's post above and spot where you went wrong :) - .txt attachment. ---Spike
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thanks Spike.

    bleepit: See these instructions HERE on how to post a HJT log as a .txt attachment.

    Regards Howard :)
     
  5. bleepit

    bleepit TS Rookie Topic Starter

    Sorry... here is the attachment.
     

    Attached Files:

  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\hblogon.dll into the run box and press the enter key.

    Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

    winupdates

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for the following (if there).

    Keygen-Serial.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    O4 - HKLM\..\Run: [rmalt] C:\Program Files\winupdates\Keygen-Serial.exe

    O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files (if there).

    C:\Program Files\winupdates\Keygen-Serial.exe
    C:\WINDOWS\SYSTEM32\hblogon.dll

    Reboot into normal mode and turn system restore back on.


    Regards Howard :)
     
  7. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    I agree with Howard, this is the primary culprit right now:

    O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll

    Being that it is a Notify entry, it even runs in safe mode, so it may be difficult for you to delete it.
    If all the instructions don't seem to work, you can do 1 of 2 things:

    1) Use a program to delete the file upon restart.

    2) Go into Recovery Console and delete hblogon.dll from there. Then restart back into Safe Mode and remove the notify entry with HJT.

    Hope you get it taken care of.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hi Vigilante.

    These are both baddies.

    C:\Program Files\winupdates\Keygen-Serial.exe
    C:\WINDOWS\SYSTEM32\hblogon.dll

    For the attention of Vigilante only. HJT has a feature that allows a file to be deleted on reboot.

    If you run HJT and click on the Config button, followed by the Misc Tools button, you will see amongst other things a button that says Delete file on reboot. If you click on this, a window appears where you can browse to the file you wish to delete. Open the file and HJT will ask you if you want to restart your computer. Click yes. The file should now be gone.

    Regards Howard :)
     
  9. bleepit

    bleepit TS Rookie Topic Starter

    Hi again, I used KillBox to delete hblogon.dll on restart because HJT could not delete it (didn't know until now that HJT could do the same thing).

    How does it look now?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean. Well done.

    Regards Howard :)
     
  11. bleepit

    bleepit TS Rookie Topic Starter

    I really appreciate your help Howard I would be in a dark tunnel without it.

    thanks a lot!

    Also thanks to Vigilante.

    Do you have a recommendation on which software to have running so I'm protected in general by almost everything, including malware, spyware, trojans and such?

    Right now I have ZoneAlarm (free) and AVG (free), I update those two automatically every night, and Ewido, which will expire pretty soon (trial).

    And I also run Ad-Aware and Spybot once in a while.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Even when Ewido expires, you can still use it. It's just that you lose one or two features, that's all.

    Take a look at Spike's thread HERE. It will help you to keep your system more secure.

    Regards Howard :)
     
  13. bleepit

    bleepit TS Rookie Topic Starter

    Thanks again, will go over that link.
     
  14. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Thanks Howard, I never used the HJT file deleter deal, I'll sure try it next time. I HATE those Notify entries!
     
  15. bleepit

    bleepit TS Rookie Topic Starter

    Sorry to bug you again, but there seems to be something strange. I went into my Administrator account to change my User account privileges to 'Limited' but it is grayed out. Only Administrator is available and selected.

    I have three accounts:

    Administrator
    User1 (Limited is grayed out; Administrator is selected and the only one available)
    Guest

    I tried the same in all accounts in safe mode but it's the same there: 'Limited' is grayed out.

    Is this a leftover from some malware?
     
  16. altheman

    altheman TS Rookie Posts: 425

    This is the same for me. I don't think it's malware, but probably there has to be at least one admin account that can be run from outside of safe mode. Probably a WinXP "feature".
     
  17. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    I just did a quick test, was able to create an administrative account and then back it down to limited. I was thinking maybe you can't change admin to limited, but I guess you can.

    I think you need one admin account. But that usually is the hidden, built-in "administrator" user.
    I would just create a brand new account, limited. And leave yourself at least one password-protected admin account besides administrator.
     
  18. bleepit

    bleepit TS Rookie Topic Starter

    Thanks for all the replies. I surely think it is something fishy; I'll probably do a format.
     