Since I published my “How to remove new folder exe or regsvr exe or autorun inf virus” article, many readers have asked me how to stop regedit, Task Manager, msconfig etc. from closing within a second of being opened.
I have to say that, as I have yet to face this issue personally, I have not been able to suggest anything beyond recommending a boot-time scan with Avast and hoping that fixes the problem.
But after repeated requests to fix this issue, I decided to write about the approach I would take if I faced this problem, and to collaborate with you to solve it, creating in the process a workable fix, once and for all.
Symptoms of the problem that we are trying to solve:
- you open regedit, the regedit window flickers and closes again;
- you open Task Manager, the window opens and immediately closes;
- you try to open msconfig, the window closes the moment it opens.
What might be happening?
My thinking is that some rogue process is running that watches for these applications and closes them the moment they open.
Our aim: to identify and kill
So what we need to do is identify these rogue programs and destroy them, first by killing the running process and then by deleting the actual application from the system. We need to do this to prevent them from running again.
So first let’s try this solution:
- Create a copy of the regedit.exe file and put it in another directory.
- You can do this by selecting the regedit.exe file (located in the C:\Windows directory) and pressing Ctrl+C and then Ctrl+V.
- Move this copied file to another new directory, say C:\eme_utils.
- Similarly create copies of Task Manager, located at C:\WINDOWS\system32\taskmgr.exe, and the System Configuration Utility, aka msconfig, located at C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe.
- Now run these copies by clicking them, to see if you can access the respective applications.
If you don’t want to do this manually, you may want to download the [download#3#nohits]
which does this for you on Windows XP.
With this we have hopefully bypassed the restriction imposed by the virus, worm or other rogue application; we still need to identify and kill it so that we can live in peace instead of relying on workarounds.
So let’s start the identification process.
Just a warning: this is a repetitive and frustrating process, but if you really want to use Task Manager, regedit or msconfig then you will have to find the process and kill it, so let’s start the journey.
You will need to download [download#4#nohits]
from Sysinternals, so that we can identify the culprit process.
Once you have downloaded it, extract the zip file and run procexp.exe by double-clicking it. This will show you all the processes running right now.
From here onwards you are almost on your own; you will have to trust your own knowledge of your system and your intuition. What we now need to do is kill the processes that you can’t identify.
Note: before making any changes, keep a screenshot or write down the changes that you are making.
- Look for any process whose source you can’t identify. As you can see from this image <image above>, Process Explorer shows the description and company name of every running process, so the first targets are applications with no identifiable company name, or applications that you don’t remember installing.
- Once you suspect a process is rogue, note down the path of its executable (this will help you delete the file later) by right-clicking the name and choosing Properties in the pop-up menu.
- Now kill the process tree by right-clicking and choosing the Kill Process Tree option <image>.
- Now check whether we have killed the right process: simply run regedit, Task Manager or msconfig and see if it stays open. If it does, move on to the next step; otherwise go back to step 1.
The worst that can happen at this stage is that you kill some important process; in that case you just have to restart the system and you will be back where you started.
- Once you have identified the process, rename its executable by changing the extension to something like *.fix, or anything you like, in the path we noted above. We do not delete the file at this stage because we want to be sure that this is the culprit and not some other file.
- To verify this, restart your system and see if you can still access regedit, Task Manager and msconfig. If you can, delete the file we renamed above.
- If not, we will have to start the identification process again from step 1.
Here are some of the known rogue processes that are known to do such things:
- WebRebates0.exe
- WebRebates1.exe
- msconfig35.exe
- msconfig45.exe
- funny ust scandal.avi.exe
- SMSS.exe (an important Windows process of the same name, the Session Manager Subsystem, also exists, so be very careful before killing it.)
- Killer.exe
If you are afraid to proceed, or are not able to identify the process, you may want to save the Process Explorer output to a text file by pressing Ctrl+S and post the output in a comment below, so that I or others who have faced the problem can help you identify the rogue process to kill.
I am interested in knowing whether this process helped you or not. It would be really good if you could participate and leave a note below about all the rogue processes or applications that you identified.
This will help others solve their problem, as you may already have noticed there is very little help out there regarding this issue.
Thank you,
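As an added example (not part of the original post), the following Python script does a first-pass triage of a Process Explorer text export saved with Ctrl+S, applying the hints given above: it flags processes with no description or company name, names from the known-rogue list, and a second instance of a process that Windows XP only ever runs once. It assumes the export is tab-separated with a header row, as Process Explorer writes it; the sample export is constructed for illustration and borrows names from the comments below.

```python
"""Triage a Process Explorer text export (File > Save, Ctrl+S).

Flags: no Description/Company Name, names on the post's known-rogue list,
and extra instances of system processes XP runs exactly once (heuristic).
Assumes a tab-separated export with a header row.
"""
import csv
import io
from collections import Counter

# Names the post lists as known to close regedit/taskmgr/msconfig.
KNOWN_ROGUE = {
    "webrebates0.exe", "webrebates1.exe", "msconfig35.exe", "msconfig45.exe",
    "funny ust scandal.avi.exe", "smss.exe", "killer.exe",
}
# Pseudo-processes that legitimately show no description or company.
PSEUDO = {"system idle process", "interrupts", "dpcs", "system"}
# Core processes XP runs exactly once; a second copy is suspicious (heuristic).
SINGLETONS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Constructed sample export (tab-separated), not real output from any machine.
SAMPLE = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name",
    "System Idle Process\t0\t13.43\t\t",
    "System\t4\t0.75\t\t",
    "smss.exe\t540\t\tWindows NT Session Manager\tMicrosoft Corporation",
    "smss.exe\t2212\t\t\t",
    "explorer.exe\t1460\t\tWindows Explorer\tMicrosoft Corporation",
    "licenses.exe\t3760\t11.19\t\t",
    "New Folder.exe\t428\t14.18\t\t",
    "New Folder.exe\t3484\t9.70\t\t",
    "Killer.exe\t1992\t\t\t",
    "procexp.exe\t1236\t\tSysinternals Process Explorer\tSysinternals",
])


def parse_procexp(text):
    """Return one dict per process row, keyed by the export's header names."""
    rows = list(csv.reader(io.StringIO(text), delimiter="\t"))
    header = [h.strip() for h in rows[0]]
    procs = []
    for row in rows[1:]:
        if not any(cell.strip() for cell in row):
            continue                                  # skip blank lines
        row = row + [""] * (len(header) - len(row))   # pad short rows
        procs.append(dict(zip(header, (c.strip() for c in row))))
    return procs


def triage(procs):
    """Return {process name: [reasons]} for processes worth a closer look."""
    counts = Counter(p["Process"].lower() for p in procs)
    findings = {}
    for p in procs:
        name, key = p["Process"], p["Process"].lower()
        reasons = []
        if key in KNOWN_ROGUE and key not in SINGLETONS:
            reasons.append("name on known-rogue list")
        if key in SINGLETONS and counts[key] > 1:
            reasons.append("%d instances of a single-instance system process" % counts[key])
        if key not in PSEUDO and not p.get("Description") and not p.get("Company Name"):
            reasons.append("no description or company name")
        for r in reasons:
            if r not in findings.setdefault(name, []):
                findings[name].append(r)
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_procexp(SAMPLE)).items():
        print("%-20s %s" % (name, "; ".join(reasons)))
```

A flagged process is a candidate to note the path of and kill, as described in the steps above, not proof of infection; legitimate software with no version resource shows up the same way.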
Because of some viruses I couldn’t access Task Manager, regedit or msconfig. As you know, without access to these we can’t do anything against viruses.
It should help to fix viruses.
@karthik you are welcome; it would be nice if you could share your experience.
Hi da..
It really worked.. thanks a lot
Hi there! I am encountering the same problem stated here. I’m not sure if you will think this is weird, but after downloading and running Process Explorer, it also closes automatically after a few seconds. Hope you could help me find another workaround for this.. 🙂 Appreciate the help.
Hi, the virus I have is Antivirus XP 2008, and I am not able to copy regedit.exe to another folder. I tried Ctrl+C and right-clicking to copy but nothing is working. If you have any suggestions that would be great.
Thanks
Dear,
please tell me how to remove fun.exe and dc.exe as well.
Hello Friend,
The culprit process was regsvr.exe. In Process Explorer I found it running twice and consuming a lot of memory. Once I killed these processes the CPU usage dropped. However, when I changed the name of this file in the folder where it was located and pressed F5 while in the same folder, it automatically created a file (regsvr.exe) again, don’t know why? The msconfig window stays open only if I kill this process. In msconfig I disabled the regsvr.exe entry, but after restarting the system this process is found running again (twice) in Process Explorer!! But in msconfig the changes are saved.
I don’t know what to do next.
Anyway, I should thank you. You know, before killing this process my CPU fan used to make a terrible sound and the CPU usage was always above 60%. I was worried a lot; now it’s cool…
Once again, thanks a lot.
OK, take a tip from an old DOS guy.. and it still works for me today..
The virus is looking for specific EXE files running and kills them.
You can try changing the name, and that doesn’t always work..
What I did was change the .exe to .com
So like this,
from a command prompt:
copy c:\windows\system32\taskmgr.exe c:\windows\system32\jefftaskmgr.com
and then run it..
c:\windows\system32\jefftaskmgr.com
It should work and stay open. The same can be done with regedit, Process Explorer and msconfig.. Then you can begin looking for the actual piece of scumware, which is a whole other cat and mouse game.
JC
Hi,
When you run MSCONFIG and it vanishes, i.e. automatically closes, and your system is too… slow and not able to open anything, then your system is running REGSVR.EXE, which is occupying 99% of the CPU.
Here is what you can do temporarily, before removing REGSVR.EXE.
Click Run and then enter TASKMGR.EXE; this will also get closed automatically, like MSCONFIG.
At this stage, just press CTRL+ALT+DEL. Now you can see that the Task Manager
stays open without closing, and you can watch REGSVR.EXE running and showing a high CPU percentage. Whichever process is showing the higher percentage is the culprit. Right-click and stop the process. It will appear again, running as another instance; again select it, right-click and stop the process. After 2 or 3 attempts it will stop.
You can now notice that CPU idle is showing 98%.
Now you can close TASKMGR and open your other applications.
TRY IT, IT WORKS!!!
Sir, my system is infected with the regsvr virus. Once I had formatted the system it was OK, but after using my pen drive again it occurred again. What can I do???
Check out my article on removing the regsvr.exe virus.
Hello friend! Good day/night! Love your site. It’s very helpful. Might sound crazy, but I love working with viruses, i.e. removing them and exploring their code. I’ve read books about viruses; it’s helpful if you understand the internal structure (code) of a virus, as this will guide viral removal. I’ll try to create my blog based on this hypothesis.
My computer got affected with regsvr.exe, and regedit and msconfig are not working???
How to get rid of this???
Thanks,
Subho
Hi.. friend. After downloading and running Process Explorer. So please help me.
Sorry, actually after downloading and opening Process Explorer, it is closing in a few secs.
@veena I suggest you do a full virus scan using Avast and also a scan for malware using System Doctor.
That will solve a lot of your issues.
You’re definitely infected.. I posted a trick to copy the .exe files taskmgr and regedit and Process Explorer, etc. to .com files.
Look for my post a few posts up. It will help you get your diagnostic tools back in play so you can start the seek and destroy mission.
I am actually not able to run any antivirus program (Avast, Norton, Kaspersky).
As you suggested, I downloaded xp_emergencytools. After that, what am I supposed to do?
Hi
I tried to copy and run the copied version of msconfig but the virus still closes it the moment it appears.
What should I do.. I need to run safe mode..
I tried all the above but no luck. I found killer.exe is running as a process and I couldn’t do anything within seconds.
@shiyaz try using some antivirus/anti-spyware solutions to remove the killer.exe process.
Hi Kumar,
First of all, I admire your step-by-step, easy approach.
Hats off. Great job.
I am facing a W32.Sality.AE and W32.Blackmal.E@mm virus, identified by Symantec AntiVirus. I also have this virus on another system, but I am unable to install any antivirus software (all get rolled back). Please let me know of any other fix (FixBmalE) by Symantec.
Also, please let me know the link or article which you feel is the best on how to secure and harden Windows 2003 Server. In other words, how to patch the default installation of Windows 2003 Server and Windows XP, in your step-by-step, easy approach.
I will try it at home… but thanks anyway, I’m glad there’s someone as good as you!!!
Thanks, from all the comp students
Hi
It’s great. I didn’t know how to bring back regedit once it was disabled by the administrator, which I received from the damn virus.
Thanks………
Hi
It worked!! Thanks a lot now I can use the Registry again.
That’s a great solution….
it works ….
Hi, It really works!
My problem was solved because
I deleted the SSCVIHOST.exe in my processes.
It didn’t work for me 🙁
I had SMSS.exe and Killer.exe running and killed them, but it still isn’t working for me 🙁
Process PID CPU Description Company Name
System Idle Process 0 13.43
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 0.75
smss.exe 540 Windows NT Session Manager Microsoft Corporation
csrss.exe 588 Client Server Runtime Process Microsoft Corporation
winlogon.exe 624 Windows NT Logon Application Microsoft Corporation
services.exe 668 Services and Controller app Microsoft Corporation
ati2evxx.exe 844 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 856 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 940 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1008 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 1480 Windows Security Center Notification App Microsoft Corporation
svchost.exe 1080 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1136 Generic Host Process for Win32 Services Microsoft Corporation
ccSetMgr.exe 1288 Symantec Settings Manager Service Symantec Corporation
ccEvtMgr.exe 1560 Symantec Event Manager Service Symantec Corporation
SPBBCSvc.exe 1652 SPBBC Service Symantec Corporation
spoolsv.exe 1700 Spooler SubSystem App Microsoft Corporation
DefWatch.exe 368 Virus Definition Daemon Symantec Corporation
LSSrvc.exe 620 LightScribe Service Hewlett-Packard Company
MDM.EXE 1032 Machine Debug Manager Microsoft Corporation
SavRoam.exe 1356 SAVRoam symantec
Rtvscan.exe 1888 Symantec AntiVirus Symantec Corporation
alg.exe 1372 Application Layer Gateway Service Microsoft Corporation
svchost.exe 3872 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 680 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 1376 ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 1460 Windows Explorer Microsoft Corporation
winampa.exe 184
PDVDServ.exe 228 PowerDVD RC Service Cyberlink Corp.
ccApp.exe 1208 Symantec User Session Symantec Corporation
VPTray.exe 1940 Symantec AntiVirus Symantec Corporation
atiptaxx.exe 2052 ATI Desktop Control Panel ATI Technologies, Inc.
RTHDCPL.EXE 2096 Realtek HD Audio Control Panel Realtek Semiconductor Corp.
ctfmon.exe 2236 CTF Loader Microsoft Corporation
GoogleToolbarNotifier.exe 2284 GoogleToolbarNotifier Google Inc.
PowerDVD.exe 244 PowerDVD CyberLink Corp.
licenses.exe 3760 11.19
New Folder.exe 428 14.18
New Folder.exe 3484 9.70
New Folder.exe 1240 5.97
New Folder.exe 1928 11.94
New Folder.exe 740 10.45
iexplore.exe 3492 Internet Explorer Microsoft Corporation
iexplore.exe 2736 22.39 Internet Explorer Microsoft Corporation
procexp.exe 1236 Sysinternals Process Explorer Sysinternals – http://www.sysinternals.com
realsched.exe 3304 RealNetworks Scheduler RealNetworks, In
These are the processes I see in Process Explorer; I can’t find the rogue now.. Please could anyone help me so that I can run Task Manager…
@abi New Folder.exe and maybe licenses.exe
I have tried everything I can think of but still cannot open Task Manager and other programs normally.
Here are the current processes running
Any help will be greatly appreciated
Thanks buddy… Really really thanks……
Hey dude, it works!! : ) Thanks a lot..
c:\eme_utils
Where do I find this?? Or do I just make a new folder?
Thanks for all…
Hey, couldn’t execute your whole process…. The first step, to find autorun.inf…. I don’t find any file which is read-only type….. Please help me!!!!!.. Thanks for the help…
hi…
When I try to open regedit, Task Manager or msconfig they just get closed after some time… and I am not able to open a cmd window to follow the steps mentioned above…
I found that taskkill.exe is the one which is causing this, but I am not able to delete it… If I delete it, it will come back again by itself… Please help me…
hi,
This page was of great help to me. I have a small issue.
I’m able to open ‘Folder Options’ from the ‘Tools’ menu, but the issue is that even if I click ‘View’ and enable the option ‘Show hidden files and folders’ and save it, I still can’t view the hidden files in my Explorer window.
And when I go back to ‘Tools->Folder Options->View’, I can see that ‘Do not show hidden files and folders’ has been selected.
I had changed it to ‘Show hidden files and folders’ before and clicked ‘Apply’ and ‘OK’, but it’s not getting saved. I cannot understand why.
Please help me.
thank u so much!
You are infected by more than one virus..
hi,
I use AVG antivirus v8.5.329.. I also tried two programs named ‘Autorun Eater’ and ‘Trojan Remover’ which I downloaded from some external sites.. doesn’t help 🙁
Please tell me what I am supposed to do? It would be of great help, thanks!
Hi, thanks for posting. Process Explorer helps, thank you for sharing..
Just remove the viruses with the McAfee SuperDAT, then run Ad-Aware SE Personal… your msconfig or regedit opening problem will be solved.
How to find which process is modifying the exe’s, especially those related to .NET?
How to check which files or processes are currently accessing or modifying a particular exe?
hi all
Thanks a lot, it worked.
Even after copying the files to another folder they (Task Manager etc.) were not working, but after changing the name to .com they worked.
SPECIAL THANKS TO JEFF HERE !!
Except regedit, which on opening now says it is disabled by the administrator,,,
but yeah, it helped me a lot.
Pls help
Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 35.38 0 K 16 K
Interrupts n/a 4.62 0 K 0 K Hardware Interrupts
DPCs n/a 15.38 0 K 0 K Deferred Procedure Calls
System 4 3.85 0 K 236 K
smss.exe 800 168 K 400 K Windows NT Session Manager Microsoft Corporation
csrss.exe 860 1,784 K 5,048 K Client Server Runtime Process Microsoft Corporation
winlogon.exe 896 4,048 K 1,772 K Windows NT Logon Application Microsoft Corporation
services.exe 944 1,948 K 3,924 K Services and Controller app Microsoft Corporation
ati2evxx.exe 1108 2,232 K 3,716 K ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 1136 2,932 K 5,544 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1192 2,076 K 4,780 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1304 24,672 K 35,516 K Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 2276 2,424 K 4,640 K Windows Update Microsoft Corporation
wuauclt.exe 3724 8,028 K 10,944 K Windows Update Microsoft Corporation
svchost.exe 1460 1,856 K 4,356 K Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1584 1,780 K 4,380 K Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1868 3,376 K 5,176 K Spooler SubSystem App Microsoft Corporation
svchost.exe 340 1,552 K 4,196 K Generic Host Process for Win32 Services Microsoft Corporation
mscorsvw.exe 456 1,468 K 3,704 K .NET Runtime Optimization Service Microsoft Corporation
jqs.exe 640 2,336 K 1,820 K Java(TM) Quick Starter Service Sun Microsystems, Inc.
svchost.exe 692 3,088 K 5,392 K Generic Host Process for Win32 Services Microsoft Corporation
YahooAUService.exe 744 3,820 K 5,536 K AutoUpater Service Module Yahoo! Inc.
alg.exe 3932 1,372 K 4,020 K Application Layer Gateway Service Microsoft Corporation
MsMpEng.exe 1568 4,108 K 6,940 K AntiMalware Service Executable Microsoft Corporation
MpCmdRun.exe 276 4,332 K 6,240 K Microsoft Malware Protection Command Line Utility Microsoft Corporation
lsass.exe 956 4,104 K 1,280 K LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 1484 2,420 K 4,200 K ATI External Event Utility EXE Module ATI Technologies Inc.
explorer.exe 2316 15,704 K 24,896 K Windows Explorer Microsoft Corporation
SSVICHOSST.exe 3692 0.77 2,948 K 8,200 K
SGST.exe 2164 51,552 K 34,916 K ScanGear Starter Application CANON INC.
iexplore.exe 4080 7,604 K 17,344 K Internet Explorer Microsoft Corporation
iexplore.exe 2168 45,596 K 55,892 K Internet Explorer Microsoft Corporation
SSVICHOSST.exe 4092 2.31 2,944 K 8,256 K
UnlockerAssistant.exe 2144 848 K 3,012 K
RTHDCPL.exe 2152 22,692 K 22,840 K Realtek HD Audio Control Panel Realtek Semiconductor Corp.
Core.exe 3132 10,956 K 13,728 K EA Download Manager Electronic Arts
ctfmon.exe 3140 1,084 K 4,064 K CTF Loader Microsoft Corporation
IDMan.exe 3168 3,880 K 11,500 K Internet Download Manager (IDM) Tonec Inc.
IEMonitor.exe 3376 1,396 K 4,284 K Internet Download Manager agent for click monitoring in IE-based browsers Tonec Inc.
SSVICHOSST.exe 3192 1.54 2,952 K 8,288 K
OfficeSASScheduler.exe 3200 1,612 K 5,988 K Microsoft Office Send-a-Smile scheduler application Microsoft Corporation
OfficeSAS.exe 3388 936 K 3,300 K Microsoft Office Send-a-Smile main application Microsoft Corporation
chrome.exe 3536 30,456 K 32,280 K Google Chrome Google Inc.
chrome.exe 2740 18,292 K 25,860 K Google Chrome Google Inc.
chrome.exe 496 17,368 K 21,544 K Google Chrome Google Inc.
chrome.exe 1836 26,528 K 34,808 K Google Chrome Google Inc.
msseces.exe 536 1.54 14,364 K 19,116 K Microsoft Security Essentials User Interface Microsoft Corporation
procexp.exe 4044 34.62 14,228 K 19,736 K Sysinternals Process Explorer Sysinternals – http://www.sysinternals.com
It really works in most cases… Thanks
It’s working with Process Explorer, but how do I stop it permanently????????
ATTENTION ATTENTION ATTENTION!!!!!!!!!!
I was facing this problem for the last five days…..
Gradually I felt that some infected file was not allowing some .exe files like msconfig, dxdiag, regedit, Task Manager…. and many more……..
If you have a genuine Windows then just download Microsoft Security Essentials….
Even if you don’t have genuine Windows then you can make it genuine by removing WAT…. by the REMOVE WAT SOFTWARE 2.2.6 FROM THE LINK GIVEN BELOW……
http://www.4shared.com/rar/-CB8mQxE/RemoveWAT_226.html
THEN DOWNLOAD MICROSOFT SECURITY ESSENTIALS, BECAUSE IT CAN ONLY BE DOWNLOADED ON GENUINE WINDOWS……..
Hello,
I have Windows 8.1 and have the same issue. I found and copied the first two files, regedit and Task Manager, but couldn’t find the third one.
Please help me with this.