Taskmgr, Regedit, and Cmd won't open: Logs Attached

By bend.your.mind
Mar 7, 2007
Topic Status:
Not open for further replies.
  1. Hi! I noticed about two days ago that my task manager would not come up when I typed Ctrl Alt Delete. I looked around the web and tried other various methods like typing taskmgr into the Run box. When I entered that into the Run box the message "another program is currently using this" popped up. I searched around some more and found a way to locate Task Manager in the Windows folder. When double clicking on this I received the same message. I found out that this might be able to be fixed by using regedit or cmd but when typing those into the Run box I received the same notation "another program is currently using this".

    I came across your forum and went through the "Viruses/Spyware/Malware, preliminary removal instructions" completing them as best I could and read through the "What to do about Task Manager problems". By going through all the steps various problems were deleted but none seemed to fix my problem.

    Also, my virus program eTrust ezAntivirus popped up a few times telling me that two files were infected. These could very well be what are causing the problems but for some reason my virus program won't delete them and no other programs have detected them. The infections are called "Win 32/Clspring.GN" and "Win32/Clspring.GK". I will attach my log files for HijackThis and AVG Antispyware. Thank you for your time!
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    AWS
    WeatherBug

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    Weather.exe
    dllhost.exe
    ALCMTR.EXE
    logonui.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {94397232-EEFE-9821-A4DB-C7DEB4C058BF} - C:\WINDOWS\system32\vte.dll (file missing)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKCU\..\Run: [Lhti] "C:\WINDOWS\system32\YSTEM3~1\logonui.exe" -vt yazb

    O4 - Global Startup: dllhost.exe

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSzeb008ADUS_blank

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
    C:\Program Files\AWS <Delete the entire folder.
    C:\WINDOWS\system32\YSTEM3~1 <Delete the entire folder.
    C:\windows\ALCMTR.EXE

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know if you`re still having problems.

    Regards Howard :wave: :wave:

    This thread is for the use of bend.your.mind only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
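Added example, not part of the original thread and not HijackThis's own logic: a small triage parser for the `O<n> - <type>: <data>` lines quoted in the post above. The three flag rules and the `SYSTEM_NAMES` list are assumptions of this example, and the sample is built from lines in that post.

```python
import re

# Constructed sample: HijackThis lines copied from the fix list in the post above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {94397232-EEFE-9821-A4DB-C7DEB4C058BF} - C:\WINDOWS\system32\vte.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [Lhti] "C:\WINDOWS\system32\YSTEM3~1\logonui.exe" -vt yazb
O4 - Global Startup: dllhost.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# "O4 - HKCU\..\Run: [name] command" -> section, entry type, data
ENTRY_RE = re.compile(r'^(O\d+) - ([^:]+): (.*)$')
# Windows binaries that are not normally started from a Run key or the
# Startup folder (assumed list for this example, taken from the post).
SYSTEM_NAMES = {"dllhost.exe", "logonui.exe"}
EXE_RE = re.compile(r'([^\\\s"\]]+\.exe)', re.I)   # file name of the first .exe
SHORT_DIR_RE = re.compile(r'\\[^\\"]*~\d+\\')      # 8.3 short directory in a path


def triage(log_text):
    """Return (section, data, flags) for every parsable O-line."""
    results = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, _kind, data = m.groups()
        flags = []
        if "(file missing)" in data:
            flags.append("orphaned-entry")  # entry points at a file that is gone
        if section == "O4":  # autostart: Run keys and Startup folders
            exe = EXE_RE.search(data)
            if exe and exe.group(1).lower() in SYSTEM_NAMES:
                flags.append("system-name-in-autostart")
            if SHORT_DIR_RE.search(data):
                flags.append("short-name-directory")
        results.append((section, data, flags))
    return results


if __name__ == "__main__":
    for section, data, flags in triage(SAMPLE_LOG):
        print(f"{section:4} {', '.join(flags) or '-':45} {data[:60]}")
```

An entry with no flags is not thereby clean: the `ALCMTR.EXE` Run entry was on the fix list above but trips none of these rules, so the output is a starting point for review rather than a verdict.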
  3. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    Fixed!

    Thank you so much! I followed your steps and now everything is working! Attached is my new HJT log. Thank you again! :giddy:
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is now clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  5. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    Just did that!

    Ok, I just did that! Thanks so much for your help!
  6. maness112002

    maness112002 Newcomer, in training Posts: 24

    What does HJT stand for?
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    HJT=HijackThis.

    See HERE for more info.

    If you have a virus/spyware problem, you should open a new thread in this forum, as stated in the red text at the bottom of this post.

    Regards Howard :wave: :wave:

    This thread is for the use of bend.your.mind only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  8. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    New Problems...

    Hi! The same thing happened to me (regedit and taskmgr not opening) so I went into safe mode and checked to see if any of the files I had deleted the last time had reappeared. The file C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe had reappeared so I promptly deleted it. I then ran AVG AntiSpyware and HijackThis.

    When I rebooted into normal mode I checked to see if the taskmgr, regedit, and cmd were working again. They were. It seems deleting the C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe did the trick.

    My question was if there are any further problems with my HJ report and if there are further steps I should take.

    Thank you for your time and help!
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is clean.

    However, AVG Antispyware has picked up a Trojan on your system, so let`s get rid of it.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    wcpsvsu.exe

    Close task manager.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\system32\wcpsvsu.exe

    Reboot into normal mode and rehide your protected OS files.

    Run the Ccleaner programme as per the instructions in step 9 of this thread HERE.

    Run a fresh AVG Antispyware scan and post the log, if it finds anything.

    Regards Howard :)

  10. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    I followed the instructions, deleting the file, and reran the AVG scan. It found a few things so I attached it. Thanks!
  11. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    All it`s found is a few tracking cookies and a trojan in a system restore point.

    Ccleaner should get rid of the tracking cookies.

    In order to get rid of the restore point trojan, do the following.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  12. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

  13. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    Computer running slowly

    Hi. I don't have a major problem but I was just curious if I had any bugs because in the past week my computer has been running slower. I ran Anti-spyware and HJT. The logs are attached.

    Thanks again!
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your system is infected with a variety of malware and you`re running an outdated version of HijackThis.

    All items in your AVG Antispyware log say "No Action Taken". That`s because you haven`t told AVG Antispyware to quarantine its results as per the instructions. See this pictorial guide.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Mywebsearch.

    Close control panel.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

  15. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    Completed Removal Process- Logs attached

    I completed the virus removal process and have attached the combofix, HJT, and AVG Antispyware logs. I ran the AVG antirootkit scan and have no rootkits.

    Thanks!
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Delete all files in AVG Antispyware quarantine.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and Combofix logs.

    Regards Howard :)

  17. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    Thanks! I attached the three logs.
  18. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Instead of attaching the Avenger log, you`ve attached the Avenger script file that I gave you lol. I have therefore removed your logfiles so that you can reattach them. This is the Avenger log I need to see c:\avenger.txt.

    Regards Howard :)

  19. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    Whoops! I guess I wasn't paying too much attention when I attached it. xD :haha: Here are the real logs.
  20. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    Did you get my logs?
  21. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Sorry for the delay in getting back to you. To be honest, I`d completely forgotten about this thread. ;)

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS

    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

    Click on the fix checked button.

    Close HJT and reboot your system.

    Post a fresh HJT log and let me know if you`re still having problems.

    Regards Howard :)

  22. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    I followed those instructions. I'm posting my HJT again because my monitoring virus scanner picked this up: c:\avenger\backup.zip <avenger/uy.exe> Win32/Malum.CZAK.

    Thanks!
  23. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is clean.

    You can safely delete the Avenger backups.

    Locate and delete the following bold files and/or directories(if there).

    c:\avenger\backup.zip <There are infected files in the .zip file, but they are completely harmless as long as they stay zipped up. That`s just the Avenger programme doing its job and is nothing to worry about.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  24. bend.your.mind

    bend.your.mind Newcomer, in training Topic Starter

    Thanks for your help! :D