TUTORIAL: Task Manager, Regedit, etc won't open (Part 1)

Hi vain68, yes, those files were left orphans in your system but don't worry, if you had one of these worms it doesn't mean you have all the files there. These worms are not a "serious" problem, it'll only give you some headaches if your system starts to fail, I have seen people with this worms who never noticed them until their systems started to slow down.


Hi Mortek, it seems your problem is related with your Autoexec.net file, check this post to see if it helps:
http://www.ozzu.com/ftopic33891.html&hi ... utoexec+nt

I found that info on microsofts site. I followed their instructions and all my programs are working again. My only though was that even though you can use regedit, you probably lost the autoexec.nt file also which will prevent you from using dos files. Back up and running again and happy about it.

Thanks for the help

Regedit, msconfig & task manager wont open

I also found that I was unable to update my NAV definitions or even uninstall/reinstall NAV.

This is how I resolved it.

1. Bought a new HDD for £30
2. After installing windows, I installed NAV 2004 Pro, Spybot & Adaware.
3. Ran live update and updated all definitions for all programs.
4. Slaved the problem drive
5. Scanned the drive with NAV, Spybot & Adaware.
6. NAV found & removed the following viruses:
---w32.Netsky.P@mm
---w32.Mydoom.BU@mm
I can now open & use regedit, msconfig & task manager

Also I now have a spare backup drive!

Took about 3 hours in total - and most of that was installing windows & running the scans!

Hope this is some help,

Cheers,
Stu

Oh, and I could now update my definitions too!

Hello everyone,

After a big headache and many hours of not sleeping, I found out that the problem resides on a worm virus called W32/Rbot-ANK.

It places a file on C:\Windows\System named mswinsck.exe and it is hidden.

What I did, (And really worked) was:

1.- Created a Restore Point
2.-Downloaded PROCESS EXPLORER freeware to see what processes were running
(http://www.sysinternals.com/Utilities/P ... lorer.html)
3.- Found the process “mswinsck.exe”
4.- Killed the process and immediately was able to use Task Manager, cmd, Msconfig, regedit, etc.
5.-I deleted the file “mswinsck.exe” located in C:\Windows\System (Remember, it is a hidden file, so set up your windows explorer)
6.- The following registry entries are modified by the worm to execute the file at logon, so I had to delete them.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Winsock
mswinsck.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Winsock
mswinsck.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Winsock
mswinsck.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Winsock
mswinsck.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Winsock
mswinsck.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Winsock
mswinsck.exe

HKCU\Software\Microsoft\OLE
Microsoft Winsock
mswinsck.exe

HKLM\SOFTWARE\Microsoft\Ole
Microsoft Winsock

8.- I rebooted and my computer seems to work fine.

9.- Scanned the computer, no virus or spyware found

I hope this information is useful for you

Take care

ZsaZsa

Hello again,

I forgot to tell you that the worm modifies your HOSTS file and you won't be able to access some webpages related to security (i.e. symantec, panda, f-serve, trend micro, etc.)

To resolve this issue do the following:

1.- Open your windows explorer and go to c:\windows\system32\drivers\etc
2.- Backup the file "hosts" it does not have an extention
3.- Open the file hosts with your notepad
4.- Don't delete the line 127.0.0.1 localhost
5.- Delete every line after the 127.0.0.1 (including the 127.0.0.1) that has addresses you want to access.

That's it

Hope you find it useful

ZsaZsa

It is also suggested to introduce entries after 127.0.0.1 but that is to get rid of web ads so I don't find that necessary to post in this topic.

http://www.mvps.org/winhelp2002/hosts.htm

Hosts file will be like this
http://www.mvps.org/winhelp2002/hosts.txt

http://www.everythingisnt.com/hosts.html

someone tell me how to use the killbox because i press paste from clipboard and nothing happen...someone can explain me here how you got it.



sorry for my bad english xD

thanks

What do you try to paste there? You can't copy a file and paste in the box. You have to give the full file path there. Like if you have a file file.txt in C:\folder1\folder2 directory you have to type there C:\folder1\folder2\file.txt. You can copy-paste only when you have this file-path written anywhere.
After giving the file path press the red button that looks like 'stop' in the browser, to delete that file. If Killbox is not able to kill that at that instant it will ask whether to delete the file at next reboot during startup so that the process that is blocking that to be deleted cannot start before deletion attempt.

KILLDISK?

If I kill my regedit, does windows autimatically repair or rebuild it?

Do I paste the list of files from the previous posts >>> as follows, do I need to kill all these files if I am only having trouble with regedit?

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

NOVIce here with the regedit won't start problem. virus. Now cleaned. 2 x full scan came clean. but damage to registry done.

question I download Killbox and kill the list you sent

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

..... does windows reinstall or repair those files when I reboot.
I appreciate the help. ty.

thanks mate

What damage has been done to your registry? If your registry is that damaged you will probably be better off formatting and re-installing Windows. Windows, to my knowledge, does not repair the registry automatically.

I hope this is the right place to post this question - please jump over it if it isn't. I was reading that bit about Norton up there, so...
I've had something messing up my computer, which was stopping me accessing merchant sites. I downloaded spybot to clear it, but it made me realise I don't understand my security systems (windows and Norton). Now, when I go online, windows security pops up and tells me Norton's switched off - which it doesn't appear to be, or sometimes windows pops up with its own firewall or virus detection switched off. I goes to switch them on again, but in the panel, they say they are on. What's 'appening?

I am not able to run the task manager.NAV says i have no virus please help !