Solved

Task Manager, MSCONFIG, or REGEDIT disappear while opening?

Posted on 2004-09-22
4,552 Views
Last Modified: 2013-12-03
All, I hope you can help.

I have a PC with a problem.

It is a Windows 2000 SP4 machine with all updates installed up to 22/09/2004.

The problem is that Task Manager, MSCONFIG and REGEDIT disappear while opening.

It also stops my anti-virus from running.

However, when I rename taskmgr.exe to taskmgrnew.exe, for example, Task Manager works OK. I also renamed the exe for my anti-virus and it works too. I updated the anti-virus and ran a scan and it did not find any virus.
I have also run SpyHunter without finding anything.
So I ran the Symantec and Panda anti-virus online scans and still they do not find any virus.

Has anyone seen this issue before, and do you know how to solve it?

Thanks
Question by:intouchsystems
16 Comments
 
LVL 67

Expert Comment

by:sirbounty
Hi intouchsystems,
Yep - look here:

w32.spybot worm disables NAV, Msconfig, Regedit and Task Manager: http://www.bitdefender.com/bd/site/...u_id=1&v_id=114

And: http://securityresponse.symantec.co...pybot.worm.html
 

Author Comment

by:intouchsystems
I have had a look at that worm; however, I have had a look at the registry for all versions of the worm

W32.Spybot.CYM
W32.Spybot.DAZ
W32.Spybot.DHV
W32.Spybot.DNB
W32.Spybot.DNC
W32.Spybot.dr
W32.Spybot.Worm

and none have any reference to the worm.

I don't understand why my anti-virus software (OfficeScan) doesn't pick up the virus.

Any other ideas?
 
LVL 20

Expert Comment

by:Debsyl99
Hi

It definitely sounds like classic viral activity - new variant maybe? Try a scan from safe mode using Trend - this appears better than most at picking up viruses (Symantec recently has been useless)
Trend
http://housecall.trendmicro.com/

Also maybe run HijackThis (from safe mode if necessary) - make sure that your folder settings enable hidden and system folders to be viewed. Also have a look at the run keys listed from the registry to see if you can identify any rogue services or processes.

HijackThis 1.98.2
http://www.majorgeeks.com/download3155.html
Download it, run it, save your log file - maybe also try posting it into the link below for analysis:
HijackThis log file analysis
http://www.hijackthis.de/index.php?langselect=english


Deb :))

 
LVL 2

Expert Comment

by:visualcoat
Go to www.download.com and download "Ad-Aware SE", "Spybot" and "Avast Home Edition". Make sure you update Ad-Aware before running it.

After you install all three, run them in this order: Ad-Aware, Spybot twice, and Avast Home Edition on boot-up twice.

 
LVL 21

Expert Comment

by:jvuz
Check also with Stinger:

http://vil.nai.com/vil/stinger/
 

Author Comment

by:intouchsystems
I have tried all the above... with no luck.

It just does not find any virus on the system.

Any more ideas?
 
LVL 2

Expert Comment

by:visualcoat
What virus scan did you use?
 

Author Comment

by:intouchsystems
Trend Micro OfficeScan is installed on the system. I have run it in safe mode, as it will not start in normal mode, and it did not find any virus etc.

I have run Norton AntiVirus, and online scans from Symantec, Panda and Trend Micro, all with no luck in finding any virus.

Task Manager, MSCONFIG and REGEDIT all run OK in safe mode, but not in normal mode.

The HijackThis log is below.

What does anyone make of it?

Logfile of HijackThis v1.98.2
Scan saved at 18:35:12, on 22/09/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\system32\PRPCUI.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\WINNT\system32\ICONSPY.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\javaw.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINNT\system32\msconf.exe
C:\WINNT\system32\internat.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Genovation\Numlock Commander\NumLcmdr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\craig.pinder\Desktop\HijackThisee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.intouchplc.com:8000
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Microsoft Config] msconf.exe
O4 - HKCU\..\RunServices: [Microsoft Config] msconf.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Shortcut to Numlock Commander.lnk = C:\Program Files\Genovation\Numlock Commander\NumLcmdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://systems-nt3.intouchplc.com/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.intouchgroup.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9

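A defender-side way to triage O4 entries like the ones in the log above. This is an added example, not part of the thread and not HijackThis's own code; the Run-key lines from the posted log are embedded as a constructed sample so it runs offline. It flags the properties that make msconf.exe stand out in that log: a bare filename with no path, registration under several Run keys at once, use of the Win9x-era RunServices keys on an NT-family platform (Windows 2000 does not process those keys, so a program writing itself there is covering every Windows version), and a name that imitates a built-in Windows tool. The flag names, the KNOWN_TOOLS list, the similarity threshold and the multi-key cutoff are my own choices.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample: the platform line and the O4 autorun lines copied from the
# HijackThis log posted above, embedded here so the script runs offline.
SAMPLE_LOG = r"""
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Microsoft Config] msconf.exe
O4 - HKCU\..\RunServices: [Microsoft Config] msconf.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
"""

# O4 lines that point at the HKLM/HKCU Run* keys; Global Startup entries are not Run-key entries.
O4_RUNKEY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Legitimate Windows tool names that malware commonly imitates (my own short list).
KNOWN_TOOLS = ["msconfig.exe", "taskmgr.exe", "regedit.exe", "svchost.exe",
               "lsass.exe", "services.exe", "winlogon.exe", "explorer.exe", "smss.exe"]


def image_of(cmd: str) -> str:
    """Return the executable portion of a Run-key command line."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted paths may contain spaces (C:\Program Files\...), so cut at the first .exe token.
    unquoted = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    if unquoted:
        return unquoted.group(1)
    parts = cmd.split()
    return parts[0] if parts else cmd


def parse_runkey_entries(log_text: str):
    """Return (hive, key, display_name, image_basename, has_path) for each O4 Run-key line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUNKEY.match(line.strip())
        if not m:
            continue
        image = image_of(m["cmd"])
        basename = image.rsplit("\\", 1)[-1].lower()
        entries.append((m["hive"], m["key"], m["name"], basename, "\\" in image))
    return entries


def analyze(log_text: str, lookalike_threshold: float = 0.85, multi_key_min: int = 3):
    """Map each autorun image name to the set of review flags it earns (flags, not verdicts)."""
    nt_platform = "WinNT" in log_text  # HijackThis prints 'WinNT x.y' for NT-family Windows
    keys_by_image = defaultdict(set)
    flags = {}
    for hive, key, _name, basename, has_path in parse_runkey_entries(log_text):
        keys_by_image[basename].add((hive, key))
        image_flags = flags.setdefault(basename, set())
        if not has_path:
            image_flags.add("no_path")           # resolved via the search path; location unknown from the log
        if nt_platform and key.startswith("RunServices"):
            image_flags.add("runservices_on_nt")  # Win9x-only key on an NT-family box
        for tool in KNOWN_TOOLS:
            if basename != tool and SequenceMatcher(None, basename, tool).ratio() >= lookalike_threshold:
                image_flags.add("lookalike:" + tool)
    for basename, keys in keys_by_image.items():
        if len(keys) >= multi_key_min:
            flags[basename].add("multi_key")       # layered persistence across several Run keys
    return flags


def main():
    for basename, image_flags in sorted(analyze(SAMPLE_LOG).items()):
        status = ", ".join(sorted(image_flags)) if image_flags else "nothing unusual"
        print(f"{basename:24} {status}")


if __name__ == "__main__":
    main()
```

The flags are review prompts rather than verdicts: mobsync.exe and internat.exe are Microsoft components that are also registered as bare filenames, which is why the bare-name test on its own proves nothing and the combination of signals is what singles out msconf.exe in this log.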
 
LVL 2

Expert Comment

by:visualcoat
Just for fun, please try Avast Home Edition; you can download it from avast.com or download.com.
 
LVL 20

Expert Comment

by:Debsyl99

Have a look at this - download the removal tool and run it
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.adx.html

Deb :))
 
LVL 20

Accepted Solution

by:Debsyl99 (earned 500 total points)
Note the presence of this baby - msconf.exe; this is the one you need to get rid of. Post if the removal tool doesn't work:
 
LVL 21

Expert Comment

by:jvuz
You can post that log into this site:

http://www.hijackthis.de/index.php

and it will analyze it for you.
 

Author Comment

by:intouchsystems
Deleted msconf.exe and it worked.

YES

Funny that the removal tool doesn't work.

Thanks for all your help
 

Expert Comment

by:juank03
The only thing that you need to do is rename msconfig and taskmgr to msconfig1 and taskmgr1, and that's it!!!!

Thanks

JC