Task Manager and regedit not working

By Thatone
Aug 10, 2008
Topic Status:
Not open for further replies.
  1. I cannot access the task manager or regedit.
    I have just reformatted my pc as it had the xp 2008 antivirus on.
    Have tried taskmanager v.2, it opens then closes.
    any help on this would be greatly appreciated.

    have included hijackthis log.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:45:40, on 10/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winwqov.exe
    C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wineobsrj.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This is not the full HijackThis log. Please go to the following URL, read and follow the malware cleaning instructions, including instructions for attaching the logs rather than pasting them:

    New malware cleaning instructions from TechSpot:

    http://www.techspot.com/vb/post645589-1.html
  3. Thatone

    Thatone Newcomer, in training Topic Starter Posts: 19

    have downloaded ATF Cleaner by Atribune
    as soon as it opens it shuts down straight away
    unable to check any boxes
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you follow the early steps about shutting down any Real Time monitoring programs? If you cannot run ATF, go on to Step 4 for now. Was there a particular reason for the shortened HijackThis log you pasted in? Was that all that ran?

    There isn't enough to check for malware yet.
  5. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Try this:
    Download RatsCheddar.

    http://rathat.geekstogo.com/Applications/RatsCheddar.zip

    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.
  6. Thatone

    Thatone Newcomer, in training Topic Starter Posts: 19

    have installed Comodo firewall
    cannot install virus checker, have tried 4 different ones and none will install


    cannot access regedit
    cannot access task manager

    keep getting error windows popping up ( with big red circle white x)
    saying:- please insert disk into drive\device\hardisk1\dr3

    e.g. dmascheduler.exe - no disk, although it comes up with a few more different ones as well

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, mbam found the disabled Task Manager and fixed it, but missed the disabled regedit so we'll fix it here. (O7)

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot. Run a new HijackThis log and post it here.

    Have Superantispyware remove all of the Tracking Cookies.
  8. Thatone

    Thatone Newcomer, in training Topic Starter Posts: 19

    when switching on pc today this msg came up

    Data Execution Prevention - Microsoft Windows

    To help protect your computer, windows has closed this program

    Name: Generic Host Process for win32 services
    publisher: Microsoft Corporation


    have included new hijack log

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Couple of questions:
    1. Are you the only user on this system?
    2. Are you using the Administrative Account?
    3. Did you or the Administrator (if another user) set policies to disable the Task Manager and Regedit?
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    4. Did you remove the items I listed?
    5. I see you got an AV program on- but I'm not sure it's running correctly as it shows 'file missing' in Services:
    O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
    6. See the following for handling the DEP problem:
    You receive a "Data Execution Prevention" error message in Windows XP Service Pack 2:
    http://support.microsoft.com/kb/875351
    --
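Added example, not part of the original thread or written by any of its posters: a small triage pass over a HijackThis log that flags the kinds of lines discussed above, namely O7 policy lockouts, O23 services whose binary is missing, and executables running from a Temp folder (as in the first post's process list). The sample log is constructed from lines quoted in this thread; the function name `triage` and the reason labels are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winwqov.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wineobsrj.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
"""

# Temp folders in long and 8.3 short form, plus the system-wide one.
TEMP_DIR = re.compile(r"\\(?:Local Settings|LOCALS~\d+|WINDOWS)\\Temp\\", re.I)
# HijackThis result lines look like "O7 - ..." or "R1 - ...".
ENTRY = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
PROCESS_PATH = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)


def triage(log_text):
    """Return (reason, line) findings for a pasted HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        entry = ENTRY.match(line)
        if entry:
            in_processes = False  # the process list ends at the first entry
            section, body = entry.groups()
            if section == "O7" and re.search(r"Disable\w+\s*=\s*1\b", body):
                findings.append(("policy lockout", line))
            elif section == "O23" and body.endswith("(file missing)"):
                findings.append(("service binary missing", line))
        elif in_processes and PROCESS_PATH.match(line) and TEMP_DIR.search(line):
            findings.append(("process running from Temp", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```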
  10. Thatone

    Thatone Newcomer, in training Topic Starter Posts: 19

    1. Yes
    2. Yes
    3. No
    4. Yes
    5. i have managed to install avg as the other would not work


    a msg box comes up now
    c\hp\tmp\src\setup\destinations\

    looking to install
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Destinations is a part of HP Digital Imaging - HP Precisionscan Scanning software. It should not be running now.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.
    Go to Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK these two processes:
    Click on Apply> OK.
    If you show any other HP files checked to start at boot, uncheck them.
    Go to Control Panel> Administrative Tools> Services> look for PCTAVSvc. Right click> Properties> set startup mode to Disabled> Stop the Service. If you have any problem handling that Service, make sure it's not running on the Startup Menu.
    Do a search for tmp files and delete them all.
    Reboot into Normal Mode. Close the nag message that comes up about Selective Startup being 'diagnostic' after checking 'don't show this message again.' Stay in Selective Startup.
    Run another scan with HijackThis and post a new log.

    For your information, this is what those processes are for. They are valid programs but they do not need to start on boot:
    What is the status of the Data Execution problem?
     
  12. Thatone

    Thatone Newcomer, in training Topic Starter Posts: 19

    1.hpwuschd2.exe was not in the hijack scan.

    2.cannot boot into safe mode, pc starts to then crashes and restarts

    3.still went into msconfig, neither was there.

    4.have run another hijack scan and attached
  13. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    @ Bobbye

    You could do this a number of ways - I am including entries for task manager, command prompt, and registrytools - so you can see different possibilities

    1) Here is a VBScript you could run - you could have them save this in notepad to their desktop as fixreg.vbs - then double-click it

    Code:
    ' fixreg.vbs - delete the policy values that disable Registry Editor,
    ' the command prompt and Task Manager.
    With WScript.CreateObject("WScript.Shell")
    
        ' RegDelete raises an error when a value is already absent; skip those.
        On Error Resume Next
    
        .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
        .RegDelete "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD"
        .RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
        .RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"
    
    End With
    
    ' 4096 = vbSystemModal, so the box stays on top of other windows.
    MsgBox "Finished!", 4096, "fixreg.vbs"
    ------------------------------------

    2) You could use a .reg file

    Backup your registry
    First, we need to backup your registry:
    Please go to Start > Run
    Paste in the following line:
    • regedit /e c:\registrybackup.reg
    Click OK.
    It won't appear to be doing anything, that's normal.
    Your mouse pointer may turn to an hour glass for a minute.
    Please continue when it no longer has the hour glass.


    Making a .reg file
    Open notepad and copy and paste the text in the quotebox below in it:

    Code:
    REGEDIT4
    
    ; .reg files need the full hive names; the HKCU/HKLM abbreviations are not accepted.
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=dword:00000000
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    "DisableCMD"=dword:00000000
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "DisableTaskMgr"=dword:00000000
    
    Name the file as Fix.reg

    Change the "Save As" type to "All Files" and save it on the desktop.

    Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
    -------------------------------------------------------

    Or the easiest way for you for now - use Bill Castners program - which will solve it most of the time

    3) Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

    • Double-click FixPolicies.exe
    • Click the Install button on the bottom toolbar of the box that will open.
    • The program will create a new Folder called FixPolicies
    • Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
    • A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  15. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    I wouldn't use the VBScript on Vista as you would need to tweak too many things to make it worthwhile
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you Blind Dragon. I have also saved this for reference.

    Thatone, since BD has done such an excellent job for setting this up, I suggest you try #3 and see if that will handle the policy problems for you. Follow the instructions for:
  17. Thatone

    Thatone Newcomer, in training Topic Starter Posts: 19

    have done .3 can access task manager although still cannot access regedit


    where do i go next, have included a new hijack log
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Do you know what this is, because I can't ID it?

    If you do not specifically know what this is for or that it is necessary, please remove it- both this entry and the document itself. Follow by deleting the temp files. I'm wondering if an HP update caused this problem.

    Reboot after the removals. Run Hijack and see if the O7 entry is gone.
  19. Thatone

    Thatone Newcomer, in training Topic Starter Posts: 19

    ok pc went funny, (possessed even) and kept rebooting just to before the splash screen came up

    have done a complete system restore.
    i have installed comodo, malwarebytes, antispyware and avg also hijack
    it has not been connected to the internet yet but have done a hijack scan which is attached.

    at present i can access regedit and task manager
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You should not have used System Restore. You put files back on that had been removed. When malware cleaning has been completed, System Restore is turned off to drop old, infected restore points, then turned back on. You do NOT want your browser pages being redirected!
    These Java files need to be removed:
    Then download and install the current version which is v6u7:
    http://www.java.com/en/download/manual.jsp

    Then go to Add/Remove Programs in the Control Panel and uninstall all earlier Java versions.
  21. Thatone

    Thatone Newcomer, in training Topic Starter Posts: 19

    have done these and installed the new java

    attached new hijack log
  22. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    You have a Trojan: cssdll32.dll
    This quote by xxdanielxx should help
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    kimsland, maybe we can figure this out:

    First & Second HijackThis log:
    Mbam and SuperAntispyware run at same time so not show infection

    Third log still shows only the guard32.dll entry as above.

    Next log, after user adds AVG:
    Next log after fixing policy:
    Here's where it got picked up: "have done a complete system restore."
    User reinfected himself using an infected restore point! I missed it! Thank you for pointing it out.
  24. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Not yet - this may need special treatment

    Download haxfix.exe
    and save it to your desktop. Double click on haxfix.exe. A "dos window" (dos box) will open with options:

    • 1. Make Logfile
      U. Uninstall Haxfix
      E. Exit Haxfix
    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
    • Copy the contents of that logfile and paste it into this thread
  25. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Filename: guard32.dll
    Description: Part of Comodo Firewall

    Filename: avgrsstx.dll
    Description: Related to the AVG Free antivirus software.

    Filename: cssdll32.dll
    Description: Haxdoor (Please follow Blind Dragon's advice above)