TechSpot

regedit, cmd & task manager lost! (in use by another program?)

By sgtfoo
Mar 27, 2006
  1. Within the past month, I lost my dos prompt (cmd), I lost regedit, and I can't seem to get my task manager.


    details...
    If I try to run cmd from the "run" method OR start menu, I get an error: "the program is currently in use."

    Same thing happens with "regedit."


    As for task manager... when I CTRL+ALT+DEL and click on task manager, I get nothing.... ever.

    Where did it go? I've got ad-aware & spybot working hard, and no viruses as far as I've checked. And that's why I doubt this is a mal-ware issue.... or could it be?
    I'm the administrator of the account in this XPProSP1 installation, and I have 3 other admin accounts on this machine.
     
  2. Nodsu

    Nodsu TS Rookie Posts: 9,431

    Are Ad-Aware and Spybot updated?

    What if you disable your antivirus?
     
  3. chunx

    chunx TS Rookie Posts: 20

    task manager, regedit, cmd.exe

    erm... i have a problem opening taskmanager... when i press ctrl+alt+delete, nth pop up and nth happens. i tried to run regedit, its says error 'another program is currently using this file'... i do not know wat had happened... can u all solve my problem??
     
  4. chunx

    chunx TS Rookie Posts: 20

    i also have this problem... im using zonealarm antivirus. will turning off anti virus helps? erm i use hijackthis and i got this log file.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    These instructions are for both sgtfoo and chunx.

    Go and have your computer scanned HERE.

    Then, go and read both these threads by RBS. Follow all the instructions exactly.

    How to remove Trojans and its ilk! and How to remove Begin2search / coolwebsearch and other nasties.

    Then see. How to post your Hijackthis log-file as an ATTACHMENT.

    sgtfoo Post a HJT log Into this thread, only after doing the above.

    chunx Open a new thread in the security and the web forum and post a fresh hJT log, only after doing the above.

    Regards Howard :wave: :wave:
     
  6. chunx

    chunx TS Rookie Posts: 20

    erm... i did everything in the 'how to remove Begin2search...' thats y i post my hijackthis log file. but nth seems to change after following the steps. i scanned my comp with the trend micro but it says nth is wrong with my comp. pls help me.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Chunx. Open a new thread in the security and the web forum and post a HJT log as an attachment, as I asked please.

    Regards Howard :)
     
  8. chunx

    chunx TS Rookie Posts: 20

    taskmgr,regedit,cmd.exe

    I used Hijackthis and i got this log file. i followed all the steps but it does not work.
     

  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Let HJT fix this entry from safe mode.

    O4 - Global Startup: wmplayer.exe

    Other than that your HJT log is clean.

    It's possible that part of your OS has become corrupt.

    Try doing a Windows repair, as per this thread HERE.

    Regards Howard :)
     
  10. viet_83

    viet_83 TS Rookie

    sorry if i hijack this thread, but ur advice really work for my sis's computer. thank.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    That's nice to know. Thanks.

    Regards Howard :wave: :wave:
     
     
  12. chunx

    chunx TS Rookie Posts: 20

    Now my com is okay. with the taskmgr, regedit and cmd working. i wanna ask y my startup is slow?i have to wait for 5 mins for it to let me choose my account. wats the prob?
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Possibly you have an OS problem. Maybe it's time to back up your important data and reformat.

    Regards Howard :)
     
  14. chunx

    chunx TS Rookie Posts: 20

    erm okay.. one final question. i got three accounts, my brother account have problem with taskmgr. when ctrl alt delete is pressed, it says 'the program is used by the administrator' wats the prob?
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Take a look at this thread HERE.

    Regards Howard :)
     
  16. sgtfoo

    sgtfoo TS Rookie Topic Starter

    did all the removal and shtuff..

    I followed the load of instruction to clean my computer..

    I'm attaching a HJT txt into this reply...
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    There's quite a lot to do here, so take your time and follow these instructions exactly.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    D:\Program Files\Network

    D:\PROGRA~1\Toolbar

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key. When the window appears, maximise it and locate these services(if there).

    Double click on them and if they are running select stop. Set the startup type to disabled.

    demm386.exe
    Microsoft Update
    $WindowsRegKey%update
    virtual
    TBPS
    IDriverT

    Click apply/ok.



    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ipnetwork.exe
    demm386.exe
    winfix3.exe
    IEXPLORE.EXE
    winit.exe
    TBPS.exe

    Close task manager.

    Click start/run and type regsvr32 /u D:\WINXP\System32\sjwmhui.dll Into the run box and press the enter key. Note the spaces between the 32 and the forward slash and again between the U and D.

    do this for this entry as well.

    D:\WINXP\System32\uhs.dll

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - D:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
    O2 - BHO: (no name) - {6BC43D2B-F6E8-A86C-9E3D-DCEF3D0AA6BF} - D:\WINXP\System32\sjwmhui.dll
    O2 - BHO: (no name) - {6BC43F2B-F6E8-A86C-9E3D-DCEF3D0AA6BF} - D:\WINXP\System32\sjwmhui.dll
    O2 - BHO: (no name) - {CC005144-C682-970B-F2B5-E12CF16600B2} - D:\WINXP\System32\uhs.dll

    O4 - HKLM\..\Run: [IpNetwork] D:\Program Files\Network\ipnetwork.exe
    O4 - HKLM\..\RunServices: [demm386.exe] demm386.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] winfix3.exe
    O4 - HKLM\..\RunServices: [$WindowsRegKey%update] IEXPLORE.EXE
    O4 - HKLM\..\RunServices: [virtual] winit.exe
    O4 - HKLM\..\RunServicesOnce: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe /boot

    O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files(if there).

    D:\WINXP\System32\sjwmhui.dll

    D:\WINXP\System32\uhs.dll

    D:\Program Files\Network\ipnetwork.exe

    demm386.exe

    winfix3.exe

    winit.exe

    D:\PROGRA~1\Toolbar\TBPS.exe

    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
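
An added example (not part of howard_hopkinso's post and not a HijackThis feature): a small Python triage pass over log lines of the kind listed in the post above. The three flagging rules are assumptions chosen for illustration; they do not reproduce the full fix list in the post, which came from a person reading the whole log.

```python
import re

# Sample input: six lines copied from the fix list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6BC43D2B-F6E8-A86C-9E3D-DCEF3D0AA6BF} - D:\WINXP\System32\sjwmhui.dll
O4 - HKLM\..\Run: [IpNetwork] D:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winfix3.exe
O4 - HKLM\..\RunServicesOnce: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe /boot
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
AUTORUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse(log):
    """Return (section, body) for every line shaped like 'O4 - ...'."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries

def triage(log):
    """Return (section, body, reasons) for entries worth a closer look."""
    findings = []
    for section, body in parse(log):
        reasons = []
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        elif section == "O4":
            m = AUTORUN.match(body)
            if m and "\\" not in m["cmd"]:
                reasons.append("autostart command has no directory path")
            if m and "RunServices" in m["key"]:
                # Assumption: this key family holds most autostarts flagged in the post.
                reasons.append("autostart registered under a RunServices* key")
        elif section == "O23" and body.endswith("(file missing)"):
            reasons.append("service points at a file that no longer exists")
        if reasons:
            findings.append((section, body, reasons))
    return findings

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> " + "; ".join(reasons))
```

A flagged line is only a prompt to check the file and its origin by hand; an unflagged line, such as the IpNetwork entry here, is not thereby cleared.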
     
  18. germanpcdude

    germanpcdude TS Rookie

    Hi Dude,

    I had the same problem just like You and found a nasty worm/Trojan on my system. It has nothing to do with limewire here..........!!!!!!
    Go to your System 32 Folder and look for a File with the name "srshostu.exe"
    Delete this file manually please !!! Then reboot the system after this and take a look again in the system 32 Folder to make sure that the worm is gone !!!!
    Now u should be fine and get your Taskmanager back.
    If not, send me an email please! :cool:
     
  19. bryan829

    bryan829 TS Rookie Posts: 19

    regedit, cmd & task manager lost "in use by another program"?

    Im having the same problems with cmd, regedit, taskmanager. Although msconfig still works.
    I scanned my pc with trend micro and it found troj_vb.aml infected svchost.exe But it could not delete it.
    I also downloaded HJT, did a scan, and saved a .txt.log file. Could someone help me by telling me what it means? and where i should post it? any help would be appreciated. Thanks,

    bryan
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Go HERE and follow all the instructions exactly.

    Then, open a new thread in the security and the web forum and post a fresh HJT log, only after doing the above.

    Regards Howard :wave: :wave:
     
  21. bryan829

    bryan829 TS Rookie Posts: 19

    Thanks Howard!!! the ewido program seemed to be the solution. I ran the spybot and other utilities but they didnt find anything, but ewido found 67 infections, most of which were Dropper.vb.lu, any idea on why my norton av, ad-aware or spybot didnt find it???
    PC seems to start a little faster now and cmd, regedit, and task manager works now, but I still see svchost running in processes. This is the file TrendMicro originally said was infected with troj.VB.aml, should i leave it be since all seems fine now or should i still run a hjt scan and post it? Thanks again for your help!!!

    bryan
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Norton probably didn't find it because it's crap. Spybot and Adaware only look for certain infections. Ewido specialises in locating trojans, but even that won't get them all, depending on what they are.

    Once you have finished following all the instructions, you should open a new thread in the security and the web forum and post a fresh HJT log as an attachment.

    Regards Howard :)
     
  23. bryan829

    bryan829 TS Rookie Posts: 19

    posted new thread in security and web,
    bryan
     
Topic Status:
Not open for further replies.

