Task Manager Problems

By Izopyn ยท 52 replies
Jun 22, 2005
  1. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Cannot delete ntuser, access is denied... any way around it?
  2. IronDuke

    IronDuke TS Rookie Posts: 856

    You need to stop the service first. If you can now use taskmgr you can stop it there. If not in the 'Run' box type services.msc . Stop the service and set it to disabled. You should then be able to delete it with HJT.
  3. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Ok, ntuser is taken care of. Thanks :)

    Now, I've just realized that I can't run regedit... is this likely connected?

    Error message: C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NET. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes this is connected.

    Regedit.com is not a valid Windows application.

    If you click start, run and type regedit.exe, it should work.

    The reason you get the error message when you just type regedit, is because Windows looks for the first instance of regedit. In this case regedit.com.

    If you can get the regedit programme to work, once you have finished, Post a fresh HJT log.

    Regards Howard :)
  5. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Tried it, no dice :(

    Exact same error message from trying to run regedit.exe.

    Also tried going into system32 and running regedit.exe directly from the folder, but received the same error message again.
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I was just looking at your last HJT log, and noticed a few entries that need fixing.

    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab

    O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)

    Try fixing those and see if that helps.

    Regards Howard :)
  7. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Ok, I fixed those three entries... but still no regedit.

    Though, taskmgr has been working fine since I deleted winupdates.exe.

    I've now noticed a suspicious process simply called System on taskmgr.

    Also, regedit.exe would not work in safe mode either.
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please post a fresh HJT log.

    The process you refer to is valid if it`s under the image name and user name, both of which should be called system. I have it on my computer and it uses approx 240k

    Regards Howard :)
  9. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    It's just that I don't recognize it... and I have a pretty good memory. It uses 44k, and I'd bet $10 that it wasn't on there before my problems began. So I'm about 60% sure that it's fishy.

    I tried downloading RegistryFix, and noticed that every time it fixed something, regedit started to flip out, and hit me with a bunch of error windows. RF detected 460 problems with the registry.

    I've enclosed a new HJT log, after the scan I removed the Windows Genuine-thingy and the MSN photo upload, and I tried 3 times to remove the NTBootmgr one, but no dice on that.
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  11. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    I see you guys have been busy!
    My post is only about WINUPDATES, the rest are unnecessary cosmetics, that waste CPU-time.

    Boot in Safe Mode.
    Make sure you can see ALL hidden and System files!
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:


    Next, UNinstall (not delete yet) anything to do with:
    C:\Program Files\winupdates\winupdates.exe
    Check Control Panel/Add-Remove Programs, or if there is an uninstall in the Programs list.

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
    O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the two highlighted bold directories with everything in it, including that directory itself. (if you can find them).

    Delete all entries from your Prefetch-area (I am not familiar with XP, so don't know exactly how).

    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    So it would seem mate lol.

    You get into the prefetch folder by opening my computer, and clicking on your c-drive, then the windows folder, then the prefetch folder.

    Regards Howard :)
  13. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    If you still get an error about autoexec.nt, that is not going to fix itself. Again, this "problem" is an "effect", not a "cause". But you can fix the autoexec.nt and also likely config.nt by actually creating these files in your system32 folder.

    Create a new file called "autoexec.nt" in the system32 folder. Put this in it and save it:

    @echo off
    lh %SystemRoot%\system32\mscdexnt.exe
    lh %SystemRoot%\system32\redir
    lh %SystemRoot%\system32\dosx

    Once that is done, create another file and call it "config.nt" and put this in it:

    dos=high, umb

    Then save.
    If these files already exist, just check them to make sure they only say something to this effect.
    Also note that it is your virus problem that is likely killing these *.NT files. So you may have to create them again if you restart.

    Once those files are created, try your regedit again. You shouldn't have to do anything except click start-run and type "regedit" and go.

    Also guys, it doesn't matter AT ALL if regedit has an EXE extension or a COM extension, as long as it's the real, non-infected file. I know this because I get PCs sometimes with EXE file associations messed up. I just rename regedit.exe to regedit.com and it opens fine so I can fix the EXE association. Then rename it back again.

    Izopyn, please just stay in Safe Mode with Networking (assuming XP). If you restart before it's clean, you WILL be reinfected upon startup until those startups, AND files, are gone for good.
    Please run the autoruns program and tell us what is in the various tabs. I suspect you have a WininitDLLs or Notify entry that is reinfecting you with winupdates. Possibly a service as well. Which autoruns also lists.

    We may have to employ more tools then just HJT, as the virus obviously puts itself back in immediately after killing the entries.

    One thing I will say is that the virus, or whatever it is, is likely attached to explorer itself. To check that theory, while in safe mode, open up task manager (ctrl-alt-del) and CLOSE "explorer" and anything that says "explorer" in the name. This will make your icons and start bar and all, disappear.
    Now, with task manager still open, close your "bad" processes. Right-click the name and select "end process tree".
    Once your bad entries are gone, and they are NOT spawning back in. Click "File-new task" and browse to your Hijackthis program and open it. Do a scan and remove all the sticky ones again. Scan again and make sure they stay gone.
    Then do new task again and run the "autoruns" program I told you about. Remove the bad service or whatever is causing this. Possibly in the "Notify" registry key. Once those startups are removed, and STAY removed, click new task again and run "explorer". This will bring back your icons and start bar.
    Continue to watch the task manager and make sure your bad processes don't come back. Watch HJT and make sure those don't come back.

    Next search for any noted "bad" files and delete the files. Go into your System32 folder. Click View-details. Then click to sort by date. Look for any files that were created TODAY, as in, the day your are looking. If they look funky, delete them. There really shouldn't be any brand new files in this folder (except autoexec.nt and config.nt that you made earlier).

    Now that the startups are gone, the HJT entries are gone, and the files are gone; you may want to run a better registry cleaner. I suggest downloading RegSupreme 1.3 from http://www.macecraft.com/downloads/
    Install that and open it. Click OK to optimize the registry. Then do a Normal scan. Clean all it finds.
    The purpose of this scan is that, if the files on your hard drive are deleted, ANY entries in the registry that still point to them will be found and removed because the file is missing. Doing a registry scan like this will remove entries of missing files. That's the most important. If you like, once it finishes scanning, look through the "Problem" column and anything that says such and such file is missing. Look at those file names, you may see your bad files in there.
    So clean all it finds.

    Once you've ran all this stuff, check them all AGAIN, to make sure it's still gone. If the bad process starts up again, you may have to start over. It is important to do everything in the right order. The processes MUST be closed before removing startups or the entries will be put back in. You MUST delete files before cleaning the registry or the entries in the registry will still be there. Etc...

    I hope this isn't information overload, but this is going in circles, you remove it, it comes right back, time for some higher-caliber guns.

    Hope you can get rid of it!
  14. Bighead6365

    Bighead6365 TS Rookie

    Alright I have this same exact virus from Lime Wire. I posted a thread about this eariler today. I was given a way to open up my task manager lets see if it works for you

    Boot in Safe Mode

    click Start/Run and type services.msc and click OK. Look for the service:
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    this allowed mine to work but this same virus is based off of the
    W32.PicrateA@mm virus.
  15. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    hmmm... okay, I'd already deleted winupdates before you posted RBS, (unrelated: I share your love, I'm getting the harp tattoo'd on my chest this July), but it isn't showing up on HJT anymore, so huzzah.

    Also got rid of everything except the NTBOOTMGR because HJT just doesn't seem to be able to delete that mother.

    I found that I was able to open regedit.exe by opening it from the WINDOWS folder, and in there I manually deleted all the crap that looked out of place (Viewpoint, MediaAccess, etc.).

    I did all this yesterday, I'll probably wait until tomorrow to get back at 'er as all this teching has seriously exhausted the generally unused left side of my brain. Can't wait for my mandatory computer science classes next semester!

    Thanks for all your help, everyone, it's inspiring to see that for all the douchebags out there that use their tech-power to cause grief for others, there are also those that use it for good. I'll update tomorrow, toodles!
  16. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    To remove your NTBOOTMGR, do this:

    Note the file name, likely c:\windows\system32\drivers\ntuser.exe or whatever.

    Go to Safe Mode Command Prompt.

    ctrl-alt-del into Task Manager and do file-new task. Open REGEDIT.

    Go to HKEY_LOCAL_MACHINE\System\Current Control Set\Services
    Look down the left side until you find this service. Then delete it.

    An easier way may be to just search the registry for the ntuser.exe file name and analyse for yourself if it's the bad entry.
    It must be removed from services. Then the file should be deleted that you noted down.

    If this service runs even in Safe Mode Command Prompt then you have to go to recovery console to change the startup type to disable. Then follow these steps again.

    The basic troubleshooting steps are quite simple. The bad program must NOT be running so you can delete it. Hopefully Safe Mode Command will cause the service not to start, and then you can erase it's entry in the registry and delete the file.

    While in the services key, look for services called "vdmt16", "winlow", and "procsvc". Remove those as well. Matter of fact, it's better to just search the whole registry and remove any links to these. If found, they may also have entries called "LEGACY_WINLOW" or "LEGACY_VDMT16". Something like these. To delete those you have to right-click the key and give yourself permissions to do so.

    Lastly, search the registry, as well as your hard drive, for a file called "nail.exe". Remove any traces to that. As well as search for any bad files you've found thus far.

    To check if the service is gone, in Task Manager start a new task called "services.msc" and look for you bad one. If it's not there, you're good.

    After removing those service entries, in Task Manager, start a new task "explorer". Once explorer is open go into System32 and sort by date. Analyse any files created or modified on "today's" date. If any look bad, wacky names, random names, expecially if they are EXE or COM or BAT files, or even OCX files, you may want to move them to a quarantine directory.

    Then restart into Normal mode again and see.

    This process goes for any nasty service you have to remove, but maybe these steps will help get rid of NTBOOTMGR for you.

    Good luck!
  17. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

  18. Joshs Name

    Joshs Name TS Rookie

    Would you mind telling me exactly what helped you get rid of this problem? There are many different solutions and I don't have enough time.
  19. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22


    To fix the game thing?

  20. Joshs Name

    Joshs Name TS Rookie

    nah, it's fine. During all this time, I also figured out how to get rid of the problem.
  21. xxtruexoutlawxx

    xxtruexoutlawxx TS Rookie


    hey um i have a problem when i try to open the manager it says is diabled from the admistor which is me (when i tried in a new acount it worked)so pls help me :confused:
  22. fatfingers

    fatfingers TS Rookie

    To all of you that helped on this issue, I sincerely thank you. I had the EXACT same symptoms, and luckily ( crossing fingers) seemed to have remedied my issues with no task manager. Personally for my case the CCLEANER worked like a charm. I am stoked that this forum actually helped me on this issue and did it really fast, saved me A LOT of down time. Much love people.... :)
  23. fooksman

    fooksman TS Rookie

    IronDuke, this completely worked. In fact, I'm amazed at how much better my computer is running! Thank you very much for taking to the time post this helpful advice.

    For others reading that have had similar problems after installing LimeWire, AVG was able to solve the problem. (AVG is a free virus scan available at www.download.com) Make sure to download updated definition files. Next, restart your computer in safe mode by hitting F8 (sometimes u have to hit it a bunch to get it at the right time) during the boot process. You'll find that in safe mode, you should be able to hit ctrl-alt-del and the taskmgr will open.

    Run AVG full scan -- I found tons of viruses in a hidden folder in my documents and settings/username/Completed. It was not visible even when I selected view hidden files/folder under Tools > Folder Options.

    After it's deleted everything, restart and you're golden.

    Thanks again to everyone who submits postings!

  24. cycofoo831

    cycofoo831 TS Rookie

    same problem but worse

    I do also have this problem on my old computer and I think its probably ****d. and because of spyware and my fault for lookin at porn and downloading unfamiliar spyware removers, I result in- Run doesnt work so I cant access registry, Taskmanager x's itself off everytime I push the combination keys ctrl alt del from there I cant stop the overflowing processes

    someone mind helping?

    also my admin options dont work either
  25. cycofoo831

    cycofoo831 TS Rookie

    oh ya and my safe mode freeze's up before it boots
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...