Task Manager and regedit not working

Status
Not open for further replies.

Thatone

I cannot access the Task Manager or regedit.
I have just reformatted my PC as it had the XP 2008 antivirus on.
Have tried Task Manager v.2; it opens then closes.
Any help on this would be greatly appreciated.

Have included HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:40, on 10/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winwqov.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\wineobsrj.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
Have downloaded ATF Cleaner by Atribune.
As soon as it opens it shuts down straight away;
unable to check any boxes.
 
Did you follow the early steps about shutting down any Real Time monitoring programs? If you cannot run ATF, go on to Step 4 for now. Was there a particular reason for the shortened HijackThis log you pasted in? Was that all that ran?

There isn't enough to check for malware yet.
 
Have installed Comodo firewall.
Cannot install a virus checker; have tried 4 different ones and none will install.


Cannot access regedit.
Cannot access Task Manager.

Keep getting error windows popping up (with a big red circle and white X)
saying: "please insert disk into drive\device\hardisk1\dr3"

e.g. dmascheduler.exe - no disk, although it comes up with a few more different ones as well.
 

Attachment: hijackthis 8-11-2008.txt (7.1 KB)
Okay, mbam found the disabled Task Manager and fixed it, but missed the disabled regedit so we'll fix it here. (O7)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot. Run a new HijackThis log and post it here.

Have Superantispyware remove all of the Tracking Cookies.
 
When switching on the PC today this message came up:

Data Execution Prevention - Microsoft Windows

To help protect your computer, windows has closed this program

Name: Generic Host Process for win32 services
publisher: Microsoft Corporation


Have included a new HijackThis log.
 

Attachment: hijackthis 8-12-2008.txt (5 KB)
Couple of questions:
1. Are you the only user on this system?
2. Are you using the Administrative Account?
3. Did you or the Administrator (if another user) set policies to disable the Task Manager and Regedit?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
4. Did you remove the items I listed?
5. I see you got an AV program on, but I'm not sure it's running correctly as it shows 'file missing' in Services:
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
6. See the following for handling the DEP problem:
You receive a "Data Execution Prevention" error message in Windows XP Service Pack 2:
http://support.microsoft.com/kb/875351
--
 
1. Yes
2. Yes
3. No
4. Yes
5. I have managed to install AVG as the others would not work.


A message box comes up now:
c\hp\tmp\src\setup\destinations\

looking to install
 
Destinations is a part of HP Digital Imaging - HP Precisionscan Scanning software. It should not be running now.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.
Go to Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK these two processes:
DMAScheduler.exe
HPwuSchd2.exe
Click on Apply> OK.
If you show any other HP files checked to start at boot, uncheck them.
Go to Control Panel> Administrative Tools> Services> look for PCTAVSvc. Right click> Properties> set startup mode to Disabled> Stop the Service. If you have any problem handling that Service, make sure it's not running on the Startup Menu.
Do a search for tmp files and delete them all.
Reboot into Normal Mode. Close the nag message that comes up about Selective Startup being 'diagnostic' after checking 'don't show this message again.' Stay in Selective Startup.
Run another scan with HijackThis and post a new log.

For your information, this is what those processes are for. They are valid programs but they do not need to start on boot:
C:\Program Files\HP DigitalMedia Archive\DMAScheduler
Filename: DMAScheduler.exe
Command: c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
Description: Associated with the HP DigitalMedia Archive product that comes bundled with many computers.
File Location: c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry

Filename: HPWuSchd2.exe
Command: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Description: HP software updates. If a shortcut doesn't exist, create your own and run it manually
File Location: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry
What is the status of the Data Execution problem?
 
1. hpwuschd2.exe was not in the HijackThis scan.

2. Cannot boot into safe mode; the PC starts to, then crashes and restarts.

3. Still went into msconfig; neither was there.

4. Have run another HijackThis scan and attached it.
 
@ Bobbye

You could do this a number of ways - I am including entries for Task Manager, command prompt, and registry tools - so you can see different possibilities.

1) Here is a VBScript you could run - you could have them save this in Notepad to their desktop as fixreg.vbs - then double click it

Code:
' Removes the policy values that hide Regedit, the command prompt and Task Manager.
Option Explicit
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")

' Ignore "not found" errors: a value that is already absent needs no action.
On Error Resume Next

WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"

On Error GoTo 0

MsgBox "Finished!", 4096, "Policy fix"

------------------------------------

2) You could use a .reg file

Back up your registry
First, we need to back up your registry:
Please go to Start > Run
Paste in the following line:
  • regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.


Making a .reg file
Open Notepad and copy and paste the text in the box below into it:

Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000


Name the file as Fix.reg

Change the "Save As" type to "All Files" and save it on the desktop.

It should look like this: [screenshot: reggif.jpg]


Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
-------------------------------------------------------

Or the easiest way for you for now: use Bill Castner's program, which will solve it most of the time.

3) Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

• Double-click FixPolicies.exe
• Click the Install button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies
• Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
• A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.
 
Thank you Blind Dragon. I have also saved this for reference.

Thatone, since BD has done such an excellent job for setting this up, I suggest you try #3 and see if that will handle the policy problems for you. Follow the instructions for:
3) Download to your Desktop this self-extracting ZIP archive FixPolicies.exe
 
Have done #3; can access Task Manager, although still cannot access regedit.


Where do I go next? Have included a new HijackThis log.
 
Do you know what this is, because I can't ID it?

C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winfhao.exe

If you do not specifically know what this is for or that it is necessary, please remove it- both this entry and the document itself. Follow by deleting the temp files. I'm wondering if an HP update caused this problem.

Reboot after the removals. Run HijackThis and see if the O7 entry is gone.
 
OK, the PC went funny (possessed even) and kept rebooting just before the splash screen came up.

Have done a complete system restore.
I have installed Comodo, Malwarebytes, antispyware and AVG, also HijackThis.
It has not been connected to the internet yet, but have done a HijackThis scan which is attached.

At present I can access regedit and Task Manager.
 
You should not have used System Restore. You put files back on that had been removed. When malware cleaning has been completed, System Restore is turned off to drop old, infected restore points, then turned back on. You do NOT want your browser pages being redirected!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PAVILION&pf=desktop

These Java files need to be removed:
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
Then download and install the current version which is v6u7:
https://www.techspot.com/downloads/6463-java-se.html

Then go to Add/Remove Programs in the Control Panel and uninstall all earlier Java versions.
 
You have a Trojan: cssdll32.dll
This quote by xxdanielxx should help
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Windows\system32\cssdll32.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
kimsland, maybe we can figure this out:

First & Second HijackThis log:
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
Mbam and SuperAntispyware were run at the same time, so they did not show the infection.

Third log still shows only the guard32.dll entry as above.

Next log, after user adds AVG:
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll
Next log after fixing policy:
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll
Here's where it got picked up: "have done a complete system restore."
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
User reinfected himself using an infected restore point! I missed it! Thank you for pointing it out.
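The checks made by hand in this thread (the O7 policy entries that hide Regedit and Task Manager, the O20 AppInit_DLLs list growing a DLL nobody can identify, processes running out of a Temp folder, and an O23 service whose file is missing) can be applied to HijackThis-style log text mechanically. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool named here. The list of known-good AppInit DLLs is taken from the identifications given in this thread, the sample log is constructed from entries quoted above rather than read from the attachments, and the finding category names are my own.

```python
import re
from typing import Dict, List, Tuple

# AppInit_DLLs entries this thread identified as legitimate (Comodo and AVG).
# Anything else listed under O20 gets flagged for review.
KNOWN_APPINIT_DLLS: Dict[str, str] = {
    "guard32.dll": "Comodo Firewall",
    "avgrsstx.dll": "AVG Free antivirus",
}

Finding = Tuple[str, str]  # (category, detail)

# Constructed sample log, modelled on the entries quoted in this thread.
# It is not one of the attached logs.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\winwqov.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe (file missing)
"""


def _basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return the indicators a helper would want to look at first."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            # Executables launched from a Temp folder are rarely legitimate.
            if re.search(r"\\temp\\", line, re.IGNORECASE):
                findings.append(("process-from-temp", line))
            continue
        m = re.match(r"^([OR]\d+)\s*-\s*(.*)$", line)
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        if kind == "O7":
            # O7 = policy values that hide Regedit / Task Manager from the user.
            for name, value in re.findall(r"(Disable\w+)\s*=\s*(\d+)", body):
                if value != "0":
                    findings.append(("policy-restriction", f"{name}={value}"))
        elif kind == "O20" and body.lower().startswith("appinit_dlls:"):
            # O20 = DLLs loaded into every process that loads user32.dll.
            # HijackThis prints the entries comma- or space-separated; a path
            # containing spaces would need manual review.
            value = body.split(":", 1)[1]
            for item in re.split(r"[,\s]+", value.strip()):
                if item and _basename(item) not in KNOWN_APPINIT_DLLS:
                    findings.append(("unknown-appinit-dll", _basename(item)))
        elif kind == "O23" and "(file missing)" in body.lower():
            # A service whose binary is gone: a broken AV install, or a remnant.
            findings.append(("service-file-missing", body))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the sample, the script reports the Temp executable, DisableRegedit=1, cssdll32.dll as the only AppInit DLL not on the known list, and the missing PC Tools service binary, which is the same set of items the replies above picked out. Comparing the output across successive logs is how the reinfection through the restore point would have shown up: the first logs produce no AppInit finding, and the log after the System Restore produces one.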
 
Not yet - this may need special treatment

Download haxfix.exe
and save it to your desktop. Double click on haxfix.exe. A "dos window" (dos box) will open with options:

    1. Make Logfile
    U. Uninstall Haxfix
    E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread
 
Filename: guard32.dll
Description: Part of Comodo Firewall

Filename: avgrsstx.dll
Description: Related to the AVG Free antivirus software.

Filename: cssdll32.dll
Description: Haxdoor (Please follow Blind Dragon's advice above)
 