Task Manager, Regedit, MSConfig won't work

Taskmanager, Regedit problem

I experienced the same problem with my PC running WinXP: Task Manager, Regedit, and MSConfig would not open. I tried numerous programs (Norton, Spybot, Ad-Aware, etc.). The only thing that worked (as WINEJAB mentioned) was the Panda Titanium Antivirus 2005 trial version. Panda found and deleted the problem virus and my PC is working fine.
If anyone has this problem I would recommend going to the Panda website and downloading the trial version of their AV software.
 
Well, I ran all of those programs, and I went into system32 and tried to delete winmx, which I was told to delete, but it won't delete. But when I run my computer in Safe Mode, the winmx is gone.
 
Another trick that sometimes helps to overcome this kind of problem is to make a copy of the programs that won't work (msconfig.exe, regedit.exe, etc.) and GIVE THE COPY A NEW NAME. For example, change the EXE extension to COM. If there is a virus that is watching for these files, the virus might miss them if they have a new name. This technique worked for me on numerous occasions when I worked Tech Support and our customers had a particular kind of virus.

This won't necessarily help you get rid of the virus, but it might at least give you access to regedit, msconfig, etc. until you figure out what the problem is.

If your AV and anti-spyware programs come up with nothing, and you don't want to reformat, here are some sleuthing/troubleshooting steps to take that might help:

Start with the System Information utility, which you can run by typing in MSINFO32 at Start | Run (if it doesn't work, you might need to change the extension to COM first, as suggested above). You might also be able to find it under Start | Programs | Administrative Tools or Start | Programs | Accessories | System Tools. Click on "Software Environment" and then "Loaded Modules", and wait a bit for it to put together all the info. The list of EXEs and DLLs running is far more extensive than in Task Manager. Sort all the entries by manufacturer by clicking on the word "Manufacturer" at the top of that column. Examine the list and be suspicious of any company name that is not known to be related to your programs (e.g., ignore "Microsoft", "Symantec" if you use Norton Anti-virus, "Adobe" if you use Acrobat, etc.).

Once you find some suspicious-looking files, find them on your hard drive using Explorer's standard search utility. (Make sure that Explorer's "Folder Options" are set to "show hidden files".) Right-click on the files and choose "Properties". Write down the Created and Modified dates shown on the "General" tab, then click on the "Version" tab to get more details about the file, its name, its purpose, etc.

Next, use the standard Search feature to find other files created or modified on the same date(s) as the suspicious file(s).

Also, go into the registry and search for the suspicious files. When you find them, write down any new information, such as related files, folder locations, and especially GUIDs. (A GUID is the long, cryptic, serial-number type ID that the registry uses to organize things. The output from HijackThis in previous posts shows a bunch of GUIDs.) Search the registry for any instances of the new file names or GUIDs.

As you do this, you hopefully will start to build a picture of what's going on, what files are related to each other, how they are starting up, and how the whole thing might be related to something you did (e.g., you downloaded a picture from the Web on that day around that time).

Once you have a decent idea what files are the culprit, try to delete them. If you can't delete the files because they are currently in use, start in Safe Mode to delete. Also delete the related registry info as well, but make sure to "Export" the info first -- just in case you made a mistake and the thing you are deleting isn't actually bad, you'll be able to add the info back into the registry later.

Then reboot into normal mode and run MSINFO32 again. If the files have mysteriously returned (don't be surprised), that means there is something else going on, usually a service or some other low-level O/S kind of activity.

If that's the case, you'll have to experiment with turning services on and off (BE CAREFUL: some services, like Remote Procedure Call, are required for other things to work, and if you turn them off, you'll seriously handicap your ability to fix things later).

Strange as it sounds, Device Manager can also help solve malware issues. I recently had a malware problem that wouldn't go away, and I finally figured out that the thing had installed itself in the hardware section of the registry. I couldn't remove it directly from the registry because the "hardware" was in use, but I was able to remove the "device" using the Device Manager, and the problem finally went away. NOTE: you might need to check "hidden devices" in the View menu in order to see the bad guys.

I know that's a lot, and it might take all day or all weekend to go through all this. But reformatting takes a while too, and if you don't want to lose all your files and settings, you'll also have to spend time backing things up before reformatting. Either way, it'll take time.
 
bbf said:
I have a problem with msconfig and Task Manager closing immediately after opening. The original problem was Norton Antivirus, as part of SystemWorks, being disabled and email scanning turned off, and I was unable to change it. I am attaching the HijackThis log from the merijn.org website.
Logfile of HijackThis v1.98.2
Scan saved at 10:46:13 PM, on 11/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\QTIMER.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brad\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50168
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.usachoice.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usachoice.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50168
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50168
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.usachoice.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8083
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: (no name) - {18AC375C-E214-77C2-8052-64550DF12B1F} - (no file)
O2 - BHO: SDWin32 Class - {22DFB4D1-4521-4193-8494-F6B022C72B0A} - C:\WINDOWS\System32\vferf.dll
O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: FavoriteMan Class - {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {55910916-8B4E-4C1E-9253-CCE296EA71EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\RunOnce: [Quicktime Runtime] QTIMER.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Savings - file://C:\Program

I couldn't post it all at once but will post the remainder on request.
Thanks for any and all help. I also have the startup list from merijn.org and the results from running Panda but too many characters for one post.
You have spyware on your system. The string HKCU\..\Run: [EZNXP] C:\PROGRA~1\EZN\EASYIN~1\eznorun.exe is run by either iMesh or Kazaa; that tells me it is installed on your system. This operates from the Easy Internet software that these companies use. This code 07B18EA9-A523-4961-B6BB-170DE4475CCA tells me you have a free toolbar; this is activated from web search.
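Added example, not part of the thread and not HijackThis's own code: a small Python triage script that reads HijackThis-style lines and flags the patterns the replies above are pointing at: an IE proxy redirected to localhost, BHO/toolbar entries whose DLL is gone, Run entries that name a bare executable with no path, and a CLSID that appears in more than one line. The sample input is a handful of lines copied from bbf's log; the flag names are my own.

```python
import re
from collections import Counter, defaultdict

# Sample input: a subset of lines copied from bbf's HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8083
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - (no file)
O2 - BHO: SDWin32 Class - {22DFB4D1-4521-4193-8494-F6B022C72B0A} - C:\WINDOWS\System32\vferf.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Quicktime Runtime] QTIMER.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\RunOnce: [Quicktime Runtime] QTIMER.EXE
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LOCAL_PROXY_RE = re.compile(r"ProxyServer = .*(?:localhost|127\.0\.0\.1):\d+")


def parse_entries(log_text):
    """Split a log into (section code, body, full line) tuples, skipping header lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("rest"), line))
    return entries


def triage(log_text):
    """Return (reason, line) findings an analyst should look at first."""
    findings = []
    clsid_lines = defaultdict(list)
    for code, rest, line in parse_entries(log_text):
        # R-lines: a proxy on localhost means something local sits in the browser's path.
        if code.startswith("R") and LOCAL_PROXY_RE.search(rest):
            findings.append(("proxy-localhost", line))
        # O2/O3: CLSID still registered but its DLL is gone (leftover from a removal).
        if rest.endswith("(no file)"):
            findings.append(("orphaned-clsid", line))
        # O4: a bare file name is resolved through the search path, so locate it first.
        if code == "O4":
            run = RUN_RE.match(rest)
            if run and "\\" not in run.group("cmd").strip('"'):
                findings.append(("run-bare-filename", line))
        for clsid in CLSID_RE.findall(rest):
            clsid_lines[clsid.upper()].append(line)
    # The same CLSID in several lines (URLSearchHook + BHO) usually belongs to one package.
    for clsid, lines in clsid_lines.items():
        if len(lines) > 1:
            findings.append(("shared-clsid " + clsid, " | ".join(lines)))
    return findings


def count_by_reason(findings):
    """Tally findings by reason keyword (first word of the reason)."""
    return Counter(reason.split()[0] for reason, _ in findings)


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```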
 
Win98se - msconfig & System Configuration Utility will not work any mode.

My neighbor is experiencing many of the problems described in this thread. Computer freezes on startup with a wintask error. She has a Win98se system and most of the posts here deal with XP...

System Configuration Utility & msconfig will NOT run in SafeMode.

Thinking this was a simple case of adware/spyware...

I ran an AdAware full scan which only found about 500 entries (a lot, but I have seen more).

I ran ScanDisk & defrag.

Still won't start in regular mode & msconfig will not run.

Cannot get on the internet there either.

My goal is to get online there so that I can run Trend Micro's Housecall.

She has an old version of Norton which I will remove using the program from Norton - downloaded here to install there. Have already lectured her about this & will (hopefully) talk her into PC-cillin (which I love).

Will try to download the Panda software for installation there...

Now that I think about it - it was probably an old version of AdAware - will rerun once I can get online there. She had a lot of toolbars I have never heard of...

What else can I do to get msconfig back & get online there...

Thanks so much for your help!
 
> What else can I do to get msconfig back

To get msconfig working, first see if the file is there (it may have been deleted or moved or something). Look in the Windows/system directory.

If it is there but won't run, try renaming the file -- either change the "exe" to "com", or change "msconfig" to "myconfig" or "mscfg" or anything else unique (the malware might be looking for the exact file "msconfig.exe", so if you name the file to msconfig.com or something, you might be able to fly under the radar).

If you get msconfig to work, you should concentrate on the "win.ini" and "system.ini" tabs -- the other tabs (autoexec.bat, config.sys, and startup) are completely disabled in Safe Mode, so if you're having trouble in Safe Mode, the problem is not located on any of these disabled tabs. Win.ini and system.ini are mostly disabled in Safe Mode, but a few lines stay enabled. These lines are described a few paragraphs below.

If you don't get msconfig to work, try the "sysedit" program. It opens several configuration files, including win.ini and system.ini. Assuming the malware doesn't prevent you, you'll be able to edit these files directly.

If you don't get sysedit to work, try to edit win.ini and system.ini directly. The files should be located in the Windows directory.

If you can't edit the files directly (the malware might prevent this also), or if you edit them and the malware undoes your edits moments later, boot to a floppy disk (or restart in MS-DOS mode, but I'm not sure if the malware can run if you do this -- the floppy might be safer). Change to the Windows directory (cd c:\windows), and then use the EDIT program to edit win.ini and system.ini (e.g., EDIT win.ini).

Once you're in win.ini, go to the [boot] section and look for any lines beginning with "LOAD=" or "RUN=". Place a semicolon ( ; ) in front of anything that looks suspicious (or in front of all such lines if you're not sure what suspicious looks like). Save and close the file (Alt-F for file menu, then S for save or X for save & exit).

Next, open system.ini and go to the [386enh] section. Place a semicolon in front of any lines that start with "DEVICE=" and end with ".386". Save and close the file, then start in Safe Mode and try msconfig. If it works, you should be home free.

If msconfig *still* won't work, even after disabling the lines in win.ini and system.ini, there's one more possibility that I can think of.

Background: When Windows 95 first came out, there were 20 or so .VXDs (a filetype similar to the ".386" mentioned in the previous paragraph) that all started up separately when Windows started. In some later version of Windows, these files were combined into one big file (VMM32.vxd) that started much more quickly than the 20 separate ones. That is, there is now one big file that contains about 20 smaller "sub-files".

However, if there is a separate file in the Windows (or Windows\System) folder that has the same name as one of the "sub-files", Windows will use the separate file rather than the "sub-file" version of it. For example, MTRR.VXD was one of the original separate Win95 VXDs. MTRR is no longer a separate file but is now included as part of VMM32.VXD. But if your PC has a file called MTRR.VXD, Windows will use that file instead of the MTRR that is buried inside VMM32.

That means that malware could disguise itself using the name of one of the original Windows VXDs (e.g., MTRR.VXD), thereby taking the place of the real Windows code that is inside VMM32. As far as I know, there is no utility that detects and/or corrects this. You must do this by hand.

I cannot find a web site that lists the "sub-files" in the Win98SE VMM32, so you'll have to look on your neighbor's PC (or another 98SE). To get the list, open the registry and search (Edit-Find) for "StaticVXD". Make sure that "Values" and "Data" are checked in the "Find" dialog box. When it finds one, look in the right pane of the regedit window. You'll see "StaticVxd" highlighted in the "Name" column, and in the "Data" column will be one of several possibilities. Anything starting with an asterisk is part of VMM32. For example, MTRR will be listed as "*MTRR". Make a list of anything that starts with an asterisk. Hit the F3 key to find the next instance of "StaticVxd" and add any asterisks to the list.

Once you have a list of the "sub-files" of VMM32, look through the Windows and Windows\System folders for VXDs with any of these names. Move or rename any that you find (the malware may prevent this, so you may have to move/rename the files in DOS mode).

Hopefully, the above advice works. Good luck.

Mike
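Added example, not part of Mike's post: Python code that applies his win.ini / system.ini recipe to text copied off the machine, prefixing each matching line with a semicolon and returning the list of what it disabled so the change can be reviewed or reverted line by line. The two sample files are constructed and the names badload.exe and hook.386 are placeholders; the rules also cover LOAD=/RUN= under [windows], where win.ini normally keeps those keys.

```python
import re

# Constructed sample files modelled on a Win98 win.ini and system.ini.
# "badload.exe" and "hook.386" are invented placeholder names for the exercise.
WIN_INI = """\
[windows]
load=
run=c:\\windows\\badload.exe
[boot]
shell=Explorer.exe
LOAD=c:\\windows\\badload.exe
RUN=
"""

SYSTEM_INI = """\
[boot]
shell=Explorer.exe
[386Enh]
device=*vmm32
DEVICE=c:\\windows\\system\\hook.386
device=vmouse.vxd
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# A key may not start with ';', so lines already commented out are left alone.
KEYVAL_RE = re.compile(r"^\s*(?P<key>[^;=\s][^=]*?)\s*=\s*(?P<val>.*?)\s*$")

# Rules are (section, key, predicate on the value); all compared case-insensitively.
# Mike's post names [boot] for LOAD=/RUN=; [windows] is included because win.ini
# normally keeps those keys there. Empty values are left alone, matching "all such lines".
WIN_INI_RULES = [
    ("boot", "load", lambda v: v != ""),
    ("boot", "run", lambda v: v != ""),
    ("windows", "load", lambda v: v != ""),
    ("windows", "run", lambda v: v != ""),
]
# system.ini: only DEVICE= lines in [386Enh] that end in .386 (the post's criterion).
SYSTEM_INI_RULES = [
    ("386enh", "device", lambda v: v.lower().endswith(".386")),
]


def disable_lines(ini_text, rules):
    """Return (new_text, disabled) where matching lines are prefixed with ';'."""
    out, disabled, section = [], [], None
    for line in ini_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").lower()
            out.append(line)
            continue
        kv = KEYVAL_RE.match(line)
        if kv and section is not None:
            key, val = kv.group("key").lower(), kv.group("val")
            if any(section == s and key == k and pred(val) for s, k, pred in rules):
                disabled.append(line)
                out.append(";" + line)
                continue
        out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    for name, text, rules in (("win.ini", WIN_INI, WIN_INI_RULES),
                              ("system.ini", SYSTEM_INI, SYSTEM_INI_RULES)):
        new_text, disabled = disable_lines(text, rules)
        print(f"{name}: disabled {disabled}")
        print(new_text)
```

Running it a second time over its own output disables nothing, so the edit can be re-applied safely after the malware restores a line.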
 
Fix task manager taskmgr.exe regedit.exe and msconfig.exe closed by winhost32.exe

I fixed this problem in this way: (There are many viruses that do these things, but winhost32.exe is probably the most common)

1. Start up your computer in Safe Mode and log in as your username, NOT administrator.

1a. Open My Computer and navigate to c:\windows\system32

1b. Find taskmgr.exe and rename it to taskmgr.com. Do the same with regedit.exe (in your c:\windows folder) and msconfig.exe (in your c:\windows folder). If you do not find these files then search for them.

2. Open Task Manager (START-RUN...-"taskmgr.com"-OK) and close winhost32.exe if it is running

3. End all processes EXCEPT explorer.exe, services.exe, svchost.exe(there may be more than one), taskmgr.exe, system idle process, and system.exe.

4. Close Task Manager and open regedit (START-RUN...-"regedit.com"-OK)

5. Click on the top of the registry tree (My Computer) and press ctrl-f.

6. Type in "command service" and press search

7. Delete all keys (folders) and values with the name "microsoft command service". You will find LEGACY_ something and you will not be able to delete it, so right-click the key (folder) and select "permissions", then click "full control" and press OK. You can now delete this key.

8. Close regedit and open msconfig (START-RUN...-"msconfig.com"-OK)

9. Go to the "startup" tab and uncheck everything there. Go to the services tab and check the "Hide all microsoft services" checkbox.

10. If "Microsoft Command Service" is still there then go back to step 6

11. Next, open "My Computer" and click on "search"

12. Click on "advanced settings" on the left window panel and make sure "Search in hidden Files/Folders" is selected.

14. Click on the "tools" menu and select "folder options".

15. Go to the "view" tab and UNCHECK "hide protected operating system files", CHECK "Display the contents of system folders", and select "Show Hidden Files and Folders" and press OK

16. Search for winhost32.exe (it should come up as a hidden system file in c:\windows\) and delete it.

optional steps (may make your success rate much higher)

17. Now uninstall any antivirus program you have running but DO NOT RESTART YOUR COMPUTER.

18. Install another antivirus (other than the one you were using) like AVG (http://free.grisoft.com/doc/1)

END of optional steps

19. Restart your computer into your regular desktop and everything should be working

NOW DO THE OPPOSITE OF STEPS 1a, 1b, 9 and 15 so your computer is back to normal!

20. Download Adaware, Spybot S&D, AVG, Hijack This, and LSP Fix and do a complete cleaning on your OS!

Have fun!

Brian
