Symptoms of the problem that we are trying to solve:
1. You open regedit; the regedit window flickers and closes again.
2. You open Task Manager; the window opens and immediately closes.
3. You try to open msconfig; the window closes the moment it opens.
What might be happening?
My thinking is that some rogue process is running that scans for these applications and, the moment they open, closes them.
Our aim: to identify and kill
So what we need to do is identify these rogue programs and destroy them, by first killing the running process and then deleting the actual application from the system. We need to do this to prevent them from running again.
So first let’s try this solution:
1. Create a copy of the regedit.exe file and put it in another directory.
   * You can do this by selecting the regedit.exe file (located in the C:\Windows directory) and pressing Ctrl+C and then Ctrl+V.
   * Move this copied file to another, new directory, say C:\eme_utils.
2. Similarly create copies of Task Manager, located at C:\WINDOWS\system32\taskmgr.exe, and the System Configuration Utility, aka msconfig, located at C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe.
3. Now run these copies by double-clicking them to see whether you can access the respective applications.
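The three copy steps above, scripted as an added example (this is not code from the original post or from the xp_emergency tool). It assumes the XP-era source paths the post gives and the C:\eme_utils destination the post suggests; before copying it also records each file's Authenticode status, so a replaced binary would stand out.

```powershell
# Added example, not part of the original post: copy the three stock utilities into an
# emergency directory and launch the copies. Before copying, each source file's
# Authenticode status is recorded so a replaced or tampered binary stands out.
# Assumptions: the XP-era source paths given in the post, and C:\eme_utils as the
# destination directory the post suggests. On newer Windows msconfig.exe lives in
# system32 instead; adjust the path if the PCHealth one is missing.
$dest  = 'C:\eme_utils'
$tools = @(
    (Join-Path $env:SystemRoot 'regedit.exe'),
    (Join-Path $env:SystemRoot 'system32\taskmgr.exe'),
    (Join-Path $env:SystemRoot 'PCHealth\HelpCtr\Binaries\MSConfig.exe')
)

if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

foreach ($src in $tools) {
    if (-not (Test-Path $src)) {
        Write-Warning "Not found: $src"
        continue
    }
    # Informational only: on Windows XP the system files are catalog-signed, so this
    # reports NotSigned even for the genuine file. A status of HashMismatch, or a
    # signer other than Microsoft, is what should make you stop and look closer.
    $sig = Get-AuthenticodeSignature -FilePath $src
    Write-Host ("{0}: signature {1}, signer {2}" -f $src, $sig.Status,
        $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }))

    $copy = Join-Path $dest (Split-Path $src -Leaf)
    Copy-Item -Path $src -Destination $copy -Force
    # Launch the copy to see whether it stays open.
    Start-Process -FilePath $copy
}
```

Run it from an elevated PowerShell prompt; the copies are plain files in C:\eme_utils, so they can be deleted once the rogue process is gone.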
If you don’t want to do this manually, you may want to download the xp_emergency tool, which does this for you on Windows XP.
With this we have hopefully bypassed the restrictions imposed by the virus, worm or other rogue application, but we still need to identify and kill it so that we can live in peace instead of relying on workarounds.
So let’s start the identification process:
Just a warning: this is a repetitive and frustrating process, but if you really want to use Task Manager, regedit or msconfig then you will have to find the process and kill it, so let’s start the journey.
You will need to download Process Explorer from Sysinternals so that we can identify the culprit process.
Once you have downloaded it, extract the zip file and run procexp.exe by double-clicking it. This will show you all the processes running right now.
[Image: Process Explorer’s list of running processes]
From here onwards you are almost on your own; you will have to trust your own knowledge of your system and your intuition. What we now need to do is kill the processes that you can’t identify.
Note: before making any changes, take a screenshot or write down the changes you are making.
1. Look for any process whose source you can’t identify. As you can see from the image, Process Explorer gives the description and company name of every running process, so the first targets would be applications whose company name you can’t identify, or applications that you do not remember installing.
2. Once you suspect a process is rogue, note down the path of that application (this will help you delete the file later) by right-clicking its name and choosing Properties in the pop-up menu.
[Image: the pop-up menu and Properties window in Process Explorer]
3. Now kill the process tree by right-clicking and choosing the Kill Process Tree option.
4. Now it is time to check whether we have killed the right process. To find that out, simply run regedit, Task Manager or msconfig and see if they stay open. If they do, move on to the next step; otherwise go back to step 1.
The worst that can happen at this stage is that you kill some important process; in that case just restart the system and you will be back where you started.
5. Once you have identified the process, rename the application by changing its extension to something like *.fix, or anything you like, by going to the path we noted above. We do not delete the file at this stage because we want to be sure that this is the culprit file and not some other file.
6. To verify this, restart your system and see if you can still access regedit, Task Manager or msconfig. If you can, then delete the file we renamed above.
7. If not, we will have to start the identification process again, so start from step 1.
Here are some known rogue processes that are known to do such things:
* WebRebates0.exe
* WebRebates1.exe
* msconfig35.exe
* msconfig45.exe
* funny ust scandal.avi.exe
* SMSS.exe (an important Windows process of the same name, the Session Manager Subsystem, also exists, so be very careful before killing it.)
* Killer.exe
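The identification steps above and the known-name list, as an added example that is not part of the original post or of Process Explorer: one function applies the post’s checks (unknown company name, unexpected location, a name on the list, an smss.exe that does not live in System32) to every running process, one verifies whether a stock utility stays open, and one applies the post’s fix to a single process, logging the path first, killing the process tree, and renaming rather than deleting the file. The known-name list is the one from the post; treating the Windows and Program Files trees as the expected locations and a missing company name as suspicious are my own heuristics, and every hit still needs a human decision.

```powershell
# Added example, not part of the original post: a triage pass over the running
# processes that applies the post's checks automatically, a helper that verifies the
# stock utilities stay open, and a helper that applies the post's fix to one process
# (note its path, kill the process tree, rename the file to .fix) while logging each
# change. Assumptions: the known-name list is the one from the post; treating the
# Windows and Program Files trees as "expected" locations and a missing company name
# as suspicious are my own heuristics, and every hit still needs a human decision.

$knownRogue = @(
    'WebRebates0.exe', 'WebRebates1.exe', 'msconfig35.exe', 'msconfig45.exe',
    'funny ust scandal.avi.exe', 'Killer.exe'
)
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles)
$realSmss      = Join-Path $env:SystemRoot 'system32\smss.exe'

function Get-ProcessTriage {
    foreach ($p in Get-Process) {
        $path = $null; $company = $null
        # Reading another process's image path can fail for protected processes;
        # treat "unreadable" as a reason to look, not as proof of anything.
        try { $path = $p.MainModule.FileName } catch { }
        if ($path) { try { $company = (Get-Item $path).VersionInfo.CompanyName } catch { } }

        $reasons = @()
        if ($knownRogue -contains ($p.Name + '.exe')) { $reasons += 'name on known-rogue list' }
        # The genuine Session Manager runs only from System32; any other smss.exe is suspect.
        if ($p.Name -ieq 'smss' -and $path -and $path -ne $realSmss) {
            $reasons += 'smss.exe outside System32'
        }
        if (-not $path) {
            $reasons += 'path unreadable'
        } elseif (-not ($expectedRoots | Where-Object { $path -like "$_\*" })) {
            $reasons += 'runs outside Windows/Program Files'
        }
        if ($path -and -not $company) { $reasons += 'no company name' }

        New-Object PSObject -Property @{
            Id      = $p.Id
            Name    = $p.Name
            Path    = $path
            Company = $company
            Suspect = ($reasons.Count -gt 0)
            Reasons = ($reasons -join '; ')
        }
    }
}

# The post's check: launch a utility and see whether it stays open.
function Test-UtilityStaysOpen {
    param([string]$Exe = 'regedit.exe', [int]$Seconds = 3)
    $proc = Start-Process -FilePath $Exe -PassThru
    Start-Sleep -Seconds $Seconds
    $stayedOpen = -not $proc.HasExited
    if ($stayedOpen) { Stop-Process -Id $proc.Id }   # close the window we opened
    return $stayedOpen
}

# Apply the post's fix to one process: log it, kill its tree, rename (do not delete) the file.
function Disable-SuspectProcess {
    param([Parameter(Mandatory = $true)][int]$Id,
          [string]$LogFile = (Join-Path $env:USERPROFILE 'eme_changes.log'))
    $p    = Get-Process -Id $Id -ErrorAction Stop
    $path = $p.MainModule.FileName
    # Write down what is about to change before changing it, as the post's note asks.
    "$(Get-Date -Format s) pid=$Id name=$($p.Name) path=$path" | Add-Content $LogFile
    # taskkill /T kills the whole tree, the same as Process Explorer's Kill Process Tree.
    & taskkill.exe /PID $Id /T /F | Out-Null
    Start-Sleep -Seconds 1
    $renamed = [System.IO.Path]::ChangeExtension($path, '.fix')
    Rename-Item -Path $path -NewName (Split-Path $renamed -Leaf)
    "$(Get-Date -Format s) renamed $path -> $renamed" | Add-Content $LogFile
    return $renamed
}

# Usage: list suspects first, decide, then disable one and re-test.
Get-ProcessTriage | Where-Object { $_.Suspect } |
    Format-Table Id, Name, Company, Path, Reasons -AutoSize
# Disable-SuspectProcess -Id 1234; Test-UtilityStaysOpen 'regedit.exe'
```

The triage output is a starting list, not a verdict: a legitimate tool installed in an unusual directory will also show up, which is why the helper renames the file to .fix (reversible) instead of deleting it and writes every change to a log in your profile directory before making it.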