Task Manager, MSCONFIG, or REGEDIT disappear while opening?

All, I hope you can help.

I have a PC with a problem.

It is Windows 2000 SP4 with all updates installed up to the 22/09/2004.

The problem is that Task Manager, MSCONFIG, or REGEDIT disappear while opening.

It also stops my anti-virus from running.

However, when I rename taskmgr.exe to taskmgrnew.exe, for example, Task Manager works OK. I also renamed the exe for my anti-virus and it works too. I updated the anti-virus and ran a scan and it did not find any virus.
I have also run skyhunter without finding anything.
So I ran the Symantec and Panda anti-virus online scans and still they do not find any virus.

Has anyone seen this issue before, and do you know how to solve it?

Thanks
0
intouchsystems
Asked:
 
sirbounty Commented:
Hi intouchsystems,
Yep - look here:

w32.spybot worm disables NAV, Msconfig, Regedit and Task Manager: http://www.bitdefender.com/bd/site/...u_id=1&v_id=114

And: http://securityresponse.symantec.co...pybot.worm.html
0
 
intouchsystems Author Commented:
I have had a look at that worm; however, I have had a look at the registry for all versions of the worm

W32.Spybot.CYM
W32.Spybot.DAZ
W32.Spybot.DHV
W32.Spybot.DNB
W32.Spybot.DNC
W32.Spybot.dr
W32.Spybot.Worm

and none have any reference to the worm.

I don't understand why my anti-virus software (OfficeScan) doesn't pick up the virus.

Any other ideas?
0
 
Debsyl99 Commented:
Hi

It definitely sounds like classic viral activity - new variant maybe? Try a scan from safe mode using Trend - this appears better than most at picking up viruses (Symantec recently has been useless)
Trend
http://housecall.trendmicro.com/

Also maybe run HijackThis (from safe mode if necessary) - make sure that your folder settings enable hidden and system folders to be viewed. Also have a look at the run keys listed from the registry to see if you can identify any rogue services or processes.

HijackThis 1.98.2
http://www.majorgeeks.com/download3155.html
Download it, run it, save your log file - maybe also try posting it into the link below for analysis,
HijackThis log file analysis
http://www.hijackthis.de/index.php?langselect=english


Deb :))

0
 
visualcoat Commented:
Go to www.download.com and download "adware SE", "Spybot" and "Avast Home Edition". Make sure you update adware before running it.

After you install all three, run them in this order: adware, Spybot twice, and Avast Home Edition on bootup twice.

0
 
jvuz Commented:
Check also with Stinger:

http://vil.nai.com/vil/stinger/
0
 
intouchsystems Author Commented:
I have tried all the above... with no luck.

It just does not find any virus on the system.

Any more ideas?
0
 
visualcoat Commented:
What virus scan did you use?
0
 
intouchsystems Author Commented:
Trend Micro OfficeScan is installed on the system. I have run it in safe mode, as it will not start in normal mode, and it did not find any virus etc.

I have run Norton AntiVirus and online scans from Symantec, Panda and Trend Micro, all with no luck in finding any virus.

Task Manager, MSCONFIG, or REGEDIT all run OK in safe mode, but not in normal mode.

The HijackThis log is below.

What does anyone make of it?

Logfile of HijackThis v1.98.2
Scan saved at 18:35:12, on 22/09/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\system32\PRPCUI.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\WINNT\system32\ICONSPY.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\javaw.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINNT\system32\msconf.exe
C:\WINNT\system32\internat.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Genovation\Numlock Commander\NumLcmdr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\craig.pinder\Desktop\HijackThisee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.intouchplc.com:8000
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Microsoft Config] msconf.exe
O4 - HKCU\..\RunServices: [Microsoft Config] msconf.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Shortcut to Numlock Commander.lnk = C:\Program Files\Genovation\Numlock Commander\NumLcmdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://systems-nt3.intouchplc.com/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.intouchgroup.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9

0
 
visualcoat Commented:
Just for fun, please try Avast Home Edition; you can download it from avast.com or download.com
0
 
Debsyl99 Commented:

Have a look at this - download the removal tool and run it
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.adx.html

Deb :))
0
 
Debsyl99 Commented:
Note the presence of this baby - msconf.exe, this is the one you need to get rid of. Post if the removal tool doesn't work:
0
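The pattern pointed out in the comment above (msconf.exe registered as "Microsoft Config" under several Run and RunServices keys of the posted log) can be checked for mechanically. This is an added example, not part of the original thread: it parses HijackThis O4 lines and lists entries that meet at least two heuristic signals. The signals and the sample (a subset of the log's O4 lines) are assumptions of this example, and a listed entry is a candidate for review, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 (autostart) lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Microsoft Config] msconf.exe
O4 - HKCU\..\RunServices: [Microsoft Config] msconf.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
"""

# Registry autostart lines only; "Global Startup" shortcuts do not match.
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log):
    """Yield (hive, key, value_name, command) for each registry autostart line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()

def triage(log):
    """Group entries by (value name, command); keep groups with >= 2 heuristic signals."""
    groups = defaultdict(set)
    for hive, key, name, cmd in parse_o4(log):
        groups[(name, cmd.strip('"').lower())].add(hive + "\\" + key)
    findings = []
    for (name, cmd), keys in groups.items():
        signals = []  # heuristics chosen for this example (assumptions)
        if len(keys) > 1:
            signals.append("registered in %d autostart keys" % len(keys))
        if any(k.endswith("RunServices") for k in keys):
            signals.append("present under RunServices")
        if "\\" not in cmd:
            signals.append("bare file name, no full path")
        if len(signals) >= 2:
            findings.append({"name": name, "command": cmd, "keys": sorted(keys), "signals": signals})
    return sorted(findings, key=lambda f: len(f["keys"]), reverse=True)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["command"], "|", f["name"], "|", "; ".join(f["signals"]))
```

Entries are ranked by how many autostart keys carry them, so msconf.exe, present in four keys, comes first.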
 
jvuz Commented:
You can post that log into this site:

http://www.hijackthis.de/index.php

and it will analyze it for you.
0
 
intouchsystems Author Commented:
Deleted the msconf.exe and it worked.

YES

Funny that the removal tool doesn't work.

Thanks for all your help
0
 
juank03 Commented:

The only thing that you need to do is rename msconfig and taskmgr to msconfig1 and taskmgr1, and that's it!

Thanks

JC
0