TUTORIAL: Task Manager, Regedit, etc won't open (Part 1)

(This is part one of a multi part tutorial.)

Having problems with Task Manager, Regedit, Msconfig, etc not opening? Can't run a virus scan or update your .dat files? Seems to be a fairly common problem these days. There could be a variety of explanations, but most likely you have a virus / trojan infecting your machine. Many viruses / trojans / malware attempt to circumvent the tools to find and remove them. This is now your problem.


(*note – Before proceeding (provided you are not reading this from the infected computer), disconnect all internet connections, particularly if you are on broadband or DSL. An active connection may allow a malicious user to do additional damage to your machine while you are reading. Reconnect only when instructed to do so. In fact it is a best practice, to immediately disconnect your computer from the internet any time you suspect or determine that you have a virus until you can get it cleaned or get advice from an expert.)

_________________________________
How can I avoid this? (Top dozen)

Let me start with some best practices:
1. If you don't have one already, install and religiously use a good Anti-Virus program such as Symantec's Norton http://symantec.com/ or McAfee http://mcafee.com/us/ . Religiously update the dat files and run scheduled weekly (or daily) scans.
2. Make sure Realtime scanning is enabled. A Firewall is a definite plus.
3. If you can't afford a cost effective virus protection then use some free online tools like TrendMicro http://www.trendmicro.com/en/home/us/enterprise.htm or Grisoft http://www.grisoft.com/doc/1 on a regular basis.
4. Don't trust pop-ups that tell you that you may have spyware on your machine. Most of these are money making schemes designed to get you to buy their removal product, which in some cases also contain adware and spyware. For a list of those to avoid see here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
5. Make back-ups of your most essential files frequently by whatever means you have available, i.e. Tape, CD, DVD, USB Drives, Ghost programs, etc. You never know when you'll have to reformat and start from scratch and without current backups of your essential files, you're basically screwed. You can always reformat and reinstall programs, but you cannot replace your data if you haven't made backups.
6. Be careful where you "surf". If you know you are going to click a site that is questionable, then at least be intelligent enough to disable javascript, java, ActiveX installations, etc... You "surf" these sites at your own risk and don't come crying to mama when you get burned.
7. Uninstall and quit using P2P networking proggies like Kazaa and Limewire. These are your most likely weakest links if you're using them. Primarily most stuff transferred is illegally obtained and if you won't give it up -- suck it up and pay the consequences.
8. Install and regularly use anti-spyware removal tools such as Adaware and Spybot S&D
9. Don't give access to your computer to friends / family who appear to be clueless about what they are doing. Otherwise you'll come home from school / work one day and your computer will be trashed.
10. Many "free" online games come bundled with adware / spyware and simply won't work without them. If you have Wild Tangent installed on your computer you are already a victim.
11. Don't install Weather Bug. If you want a free weather service install the Weather Channel version instead.
12. When in doubt -- don't download it and don't install it until you've researched it. You are always welcome to ask OZZU about questionable programs for advice.

Back to the topic at hand.
_____________________________________
I can't run Virus scans or do Updates

Chances are your hosts file has been hijacked and modified. Your host file is used to tell your browser where it should find files/sites -- normally it's never used except by experienced users. By default, the only thing that comes with a clean Windows install in your host file is 127.0.0.1 Localhost. In essence what that means is that anything that has the 127.0.0.1 address in your hosts file redirects to your computer, hence making the webpage undisplayable (for example if you included 127.0.0.1 http://www.google.com in your hosts file you would get a page not found error, because your browser would be looking for google on your machine). What many new viruses / trojans attempt to do is edit your hosts file to essentially make most recognized antivirus proggies unusable, or disallow access to definition updates. This file is located in c:\WINDOWS\system32\drivers\etc. or c:\WINNT\system32\drivers\etc (depending on what version of Windows you use) and does not include a file extension. In order to open and edit it, you can use Notepad, but to see it, you must select "all files" from the dropdown menu instead of text .txt files. If this file contains anything other than 127.0.0.1 Localhost that you didn't add there yourself, then delete the additional entries and save the file (be sure to scroll all the way down as some viruses add their entries with many spaces below the valid ones.) When you save, select File and Save. Do not select "Save As" as this will by default add a .txt file extension and will make the file unusable. *note the host file in system32 is not the same as hosts.ics or lmhosts.sam. Do not confuse them.

By editing this file (without rebooting - rebooting may cause the file to be overwritten again by the virus), there is a possibility that you could now update your virus protection files or at least run online scans. It doesn't completely fix the problem but at least it's a start. Your best practice is to attempt to get a dat update for your Virus protection and then reboot to safemode and run your virus protection in safemode. If you have configuration options available, configure your virus protection to first "clean" infected files, and as a second option "delete". In my opinion Quarantine is useless. Why would you want to leave a virus on your machine? Get rid of it from the start. Your virus protection may or may not find anything, depending on how current the virus is, and how up-to-date your anti-virus definition files are.


_____________________________
I’ve edited my Hosts file, but my virus protection still won’t run.

Many users today are running their computers on a home network. If your computer is networked with others, then you may have some easier solutions than others. One of the benefits of being networked is that you can connect to your problem machine from another unaffected computer on the network and run virus scans via the clean machine. For those of you who are experienced with networking, simply map a drive to the administrative share (c$) on the infected computer and use your virus scanner to scan the mapped drive. If you already know how to do this, then skip the next part of these instructions. If you are clueless about what I just said, read on.

Being networked allows you to share files and view files and directories between machines. Windows NT, Windows 2000 and Windows XP come with a built in “Administrative Share” for each drive you have on the machine. Here’s how to connect from one machine to another if you don’t know how. Make sure both machines are booted to Windows and you are logged in as Administrator. You will need to know the Computer Name of the infected computer. If you don’t know the name, right click My Computer and select Properties. Go to the Computer Name tab and note the Full Computer Name.

If you have disconnected your network from internet access as previously instructed, temporarily reconnect and update the virus definition files on the uninfected machine you are going to use. Then disconnect from the internet again.

Open Windows Explorer and Select Tools | Map Network Drive. In the dialog box, uncheck reconnect at next logon. Choose whatever drive letter you would like to use and in the folder section type \\machinename\c$ (Replace “machinename” with the name of your infected computer. Select the link “Connect using a different user name”. In the username box type in machinename\username (Replace “machinename” with the name of the infected computer and replace “username” with an administrative user on the infected computer). For password type in the password of the administrative user. Click OK. Click Connect. This should open an Explorer Window showing the contents of the C drive on the infected computer.

Open your virus scan program on the clean computer and run a full scan on the drive letter you chose for the mapped drive. Run the scan (if possible) choosing the option to delete infected files. This will scan the infected computer and work just as if you were running the virus scan on the machine itself. This should find any existing viruses just as if you were running it on the machine itself. Delete any virus files the scan detects.

Reboot the infected machine. Hopefully this has solved the bulk of your problems. If not (or if you are not networked and can't follow these steps) head on to part two.


_____________________________
This concludes part one of this tutorial. You’ll have to forgive me, but given time constraints it may take me a few days before I can finish part two. Hopefully this section will be enough to at least get you closer to having a working computer again. If you need additional assistance please post for help in this board.

Please feel welcome to reply with feedback on this tutorial or questions if something is not clear, and I’ll do my best to update it accordingly. Please do not post your problems in this thread. Create a new top level post to describe your problems.

Hey ATNO,

I really appreciate you doing things. These questions were getting out of hand.

Thanks, again.

Thanks a lot for the guide ATNO

One thing I experienced but that is not answered by Symantec Knowledgebase and also by this forum.
I had some malware installed few months ago.It not only disabled but damaged my taskmgr.exe file.
Task Manager would not run and the icon of the file became like that of MS-DOS application(COM) files.

I just left no popular antispy or antivirus(Norton,MSAntiSpy,CWShredder,Spybot,Ad-Aware,Sysclean), online security checks to scan both normally and in safe mode the whole system.
I posted HijackThis to 5 forums and expert sites but none found to be something running in background.

When the suspected malware was opened it disabled Norton AntiVirus and did something more. After scanning by AVG right then nothing was found and Norton repeatedly raised "internal program error" message and asked to reinstall. After a restart all got back properly but not the task manager.

Well, this is a strange incident I have ever heard. All is now normal after a clean reinstallation of XP.
But there may be something against it. Is there?

Well, on two occasions now, I have had to reinstall Symantec afterwards in order to get it to run correctly. I have yet heard of any virus or trojan actually damaging Task Manager to where it wouldn't run because of being damaged or corrupt.

I have since writing this portion of the tute learned the registry key which controls whether task manager is enabled or disabled.

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
System]
Value Name: DisableTaskMgr
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disable Task Manager)

If the value is set to 1 Task Manager will be disabled. By returning it to it's default value of 0 it can be re-enabled (although doesn't "fix" the root cause, i.e. trojan removal). If regedit is also not working, you can make a copy of regedit.exe and rename the copy regedit.com and at a run command prompt you can type in regedit.com instead of plain old regedit and it should work.

If taskmgr.exe is damaged you should be able to simple copy it over from a good machine and replace the damaged file with a good copy.

I knew those and did that too. Some registry entries are available at

Kelly's Korner

But could not do anything. May I had at that time something very much unknown .

I changed the name of taskmgr.exe to taskmgr.com but nothing new happened, I used to get a cmd window perhaps was going to show the task list but disappeared instantly. I copied that infected file to another directory but the same incident there.Though the idea of replacing a good copy did not come to my mind at that embarassed situation. Now I have made the back up of taskmgr,msconfig and regedit.

Something that could be handy for not so experianced users is the xp_taskmgrenab utility by Doug Knox.

It does what ATNO was saying about altering the registry value to enable the task manager, but it does it for you at the click of a button.
Handy if you are not to comfortable about going into the registry and changing values.

Well, handy too and I am quite comfortable to go to the regedit and do that manually. I did that too and theres not much difference in that, but the event was that it did not work.

Ladies and Gentz,

Seems like a very comprehensive forum here--glad to have joined up; found this stickie searching for answers to my problem. In my case, regedit won't run from the run dialog box, but if I type in "regedit.exe" it will open the editor. Furthermore, both taskmanager and msconfig do work. I did have some trojans I believe, but I modified registry as I always do to monitor startup programs and keep the startup list clean. Anybody have an idea why the prototypical regedit won't work? I have cleaned everything, run a few online scans--nothing more...like I said, msconfig and taskmanager both are operable--no other symptomatology at this time.


-V

Right click My Computer and select Properties. Click the Advanced Tab and at the bottom of the Dialog box Select Environment Variables. Scroll down and find the variable PATHEXT. Ensure that .EXE is included, if not add it via the edit option. The default variable value should look roughly like this (give or take):


I can almost be certain the reason you have to type the regedit.exe is because .exe is not included in the PATHEXT environment variable.

edit//you may need to reboot for the change to take affect.

ATNO/TW,

Thanks man, I did check that, but no dice; .exe is in there.....I'm open to anything and everything. As mentioned here and on other boards, the symptom is as follows:

when I type "regedit" in the run dialog box, I get the quick popup and nothing more. However, if I type "regedit.exe" the editor does appear. As with before, both task manager and msconfig are fine; additionally, dxdiag is; as are other 'run' commands.........


Perhaps a file is corrupt? I don't sense anything else is amiss with my system at this point, although this little issue will drive me up a wall.......I think this trojan? came vis a vis a Bearshare dl, but not sure; at any rate, I'll await further commentary......thanks again.

V-

Hi vain68, the reason you canopen regedit by typing "regedit.exe" and not regedit alone, is because some worms create a new file called "regedt.com" in your system (this will execute first than the .exe). Follow this instructions to remove all this files.

- Click Here to download Killbox by Option^Explicit.
- Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
- In the killbox program, select the Delete on Reboot option.
- Copy the file names below to the clipboard by highlighting them and pressing Control-C:

- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After the reboot regedit should work again.

Labrego,
This took care of business, I can't thank you enough; I got a few general questions as I am always trying to acquire new knowledge about all aspects of XP based systems and vulnerabilities.

1) After I got rid of the programs that loaded on startup by editing the registry, did these .com files remain as orphans left behind? The reason I ask is b/c a general windows search would not reveal these files? Also, I noted that when I pasted these files into Killbox, not every single one was in there (perhaps I could manually do one at time---but my issues is solved, I just want to be sure no traces of any of these .com files are left on board). Or on the other hand, does Killbox automatically detect which ones the system needs to delete?

2) In my search on the web, I found the worm to be one of the following (perhaps):
w32.Spybot
w32.HLLW.Cydog@mm
W32.HLLW.Kefy
Worm/Klez.h
W32.Erkez.B@mm
Worm_Mugly.I

However, aside from "moderate" threat, I couldn't get much more information....are these worms, in fact, serious problems?

Thanks again man, a pleasure to learn new things from thick brains.

Vv

I am having trouble with this procedure. Will Killbox only let you do one file at a time. I can only paste one file in the box. Will it delete the file if it is marked archived?

Mortek

Ok I got rid of those files and regedit works for me now. However, I have several dos based or windows based programs that access dos and they give me the same message system not suitable for running msdos or window applications. Any more ideas.

mortek