Solved

Task Manager, MSCONFIG, or REGEDIT disappear while opening?

Posted on 2004-09-22
Last Modified: 2013-12-03
All, I hope you can help.

I have a PC with a problem.

It is a Windows 2000 SP4 with all updates installed up to the 22/09/2004.

The problem is that the Task Manager, MSCONFIG, or REGEDIT disappear while opening.

It also stops my antivirus from running.

However, when I rename taskmgr.exe to taskmgrnew.exe, for example, the Task Manager works OK. I also renamed the exe for my antivirus and it works too. I updated the antivirus and ran a scan and it did not find any virus.
I have also run SpyHunter without finding anything.
So I ran the Symantec and Panda antivirus online scans and still they do not find any virus.

Has anyone seen this issue before? And do you know how to solve it?

Thanks
0
Question by:intouchsystems
 
LVL 67

Expert Comment

by:sirbounty
ID: 12121473
Hi intouchsystems,
Yep - look here:

w32.spybot worm disables NAV, Msconfig, Regedit and Task Manager: http://www.bitdefender.com/bd/site/...u_id=1&v_id=114

And: http://securityresponse.symantec.co...pybot.worm.html
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 12121485
0
 

Author Comment

by:intouchsystems
ID: 12121918
I have had a look at that worm; however, I have had a look at the registry on all versions of the worm

W32.Spybot.CYM
W32.Spybot.DAZ
W32.Spybot.DHV
W32.Spybot.DNB
W32.Spybot.DNC
W32.Spybot.dr
W32.Spybot.Worm

and none have any reference to the worm.

I don't understand why my antivirus software (OfficeScan) doesn't pick up the virus.

Any other ideas?
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12122088
Hi

It definitely sounds like classic viral activity - new variant maybe? Try a scan from safe mode using Trend - this appears better than most at picking up viruses (Symantec recently has been useless)
Trend
http://housecall.trendmicro.com/

Also maybe run hijackthis, (from safe mode if necessary) - make sure that your folder settings enable hidden and system folders to be viewed. Also have a look at the run keys listed from the registry to see if you can identify any rogue services or processes,

HijackThis 1.98.2
http://www.majorgeeks.com/download3155.html
Download it, run it, save your log file - maybe also try posting it into the link below for analysis,
HijackThis log file analysis
http://www.hijackthis.de/index.php?langselect=english


Deb :))

0
 
LVL 2

Expert Comment

by:visualcoat
ID: 12122137
Go to www.download.com and download "Ad-Aware SE", "Spybot" and "Avast Home Edition". Make sure you update Ad-Aware before running it.

After you install all three, run them in this order: Ad-Aware, Spybot twice, and Avast Home Edition on bootup twice.

0
 
LVL 21

Expert Comment

by:jvuz
ID: 12122625
Check also with Stinger:

http://vil.nai.com/vil/stinger/
0
 
LVL 21

Expert Comment

by:jvuz
ID: 12122633
0
 

Author Comment

by:intouchsystems
ID: 12125102
I have tried all the above....with no luck.

It just does not find any virus on the system.

Any more ideas?
0
 
LVL 2

Expert Comment

by:visualcoat
ID: 12125470
What virus scan did you use??
0
 

Author Comment

by:intouchsystems
ID: 12125569
Trend Micro OfficeScan is installed on the system. I have run it in safe mode, as it will not start in normal mode, and it did not find any virus etc.

I have run Norton AntiVirus, and online scans from Symantec, Panda and Trend Micro, all with no luck in finding any virus.

Task Manager, MSCONFIG, or REGEDIT all run OK in safe mode, but not in normal mode.

The HijackThis log is below.

What does anyone make of it?

Logfile of HijackThis v1.98.2
Scan saved at 18:35:12, on 22/09/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\system32\PRPCUI.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\WINNT\system32\ICONSPY.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\javaw.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINNT\system32\msconf.exe
C:\WINNT\system32\internat.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Genovation\Numlock Commander\NumLcmdr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\craig.pinder\Desktop\HijackThisee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.intouchplc.com:8000
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Microsoft Config] msconf.exe
O4 - HKCU\..\RunServices: [Microsoft Config] msconf.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Shortcut to Numlock Commander.lnk = C:\Program Files\Genovation\Numlock Commander\NumLcmdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://systems-nt3.intouchplc.com/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://systems-nt3.intouchplc.com/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.intouchgroup.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = intouchplc.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{1BA6C523-877D-4C41-9D52-B8ED12FE0D98}: NameServer = 192.168.2.9

0
 
LVL 2

Expert Comment

by:visualcoat
ID: 12125621
Just for fun, please try Avast Home Edition; you can download it from avast.com or download.com
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12125672

Have a look at this - download the removal tool and run it
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.adx.html

Deb :))
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 500 total points
ID: 12125739
Note the presence of this baby - msconf.exe - this is the one you need to get rid of. Post if the removal tool doesn't work:
0
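The triage step behind the accepted answer, as an added example that is not part of any poster's reply: it parses the O4 autorun lines of a HijackThis log and ranks executables by how many distinct Run/RunServices keys start them. The sample is a subset of the log posted above; the function names and the `min_keys=3` threshold are assumptions chosen for illustration, and a hit is a lead to investigate, not a verdict.

```python
import re
from collections import defaultdict

# Subset of the O4 lines from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\Run: [Microsoft Config] msconf.exe
O4 - HKLM\..\RunServices: [Java Virtual Machine] javaw.exe
O4 - HKLM\..\RunServices: [Microsoft Config] msconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Microsoft Config] msconf.exe
O4 - HKCU\..\RunServices: [Microsoft Config] msconf.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_REG = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.+?)\] (.+)$")
EXE = re.compile(r'([^\\"]+\.exe)', re.I)  # image file name without its directory

def triage_autoruns(log_text):
    """Return [(image, sorted_keys, bare_name)], most widely registered first."""
    keys_by_exe = defaultdict(set)
    bare = {}
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue  # Global Startup shortcuts and non-O4 lines are skipped
        key, _value_name, command = m.groups()
        exe = EXE.search(command)
        if not exe:
            continue
        image = exe.group(1).lower()
        keys_by_exe[image].add(key)
        # No directory in the command: Windows resolves it via the search path.
        bare[image] = bare.get(image, True) and "\\" not in command
    ranked = sorted(keys_by_exe.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(image, sorted(keys), bare[image]) for image, keys in ranked]

def suspects(log_text, min_keys=3):
    """Path-less images registered in at least min_keys autorun keys (heuristic)."""
    return [i for i, keys, is_bare in triage_autoruns(log_text)
            if is_bare and len(keys) >= min_keys]

if __name__ == "__main__":
    for image, keys, is_bare in triage_autoruns(SAMPLE_LOG):
        print(f"{len(keys)} key(s)  bare={is_bare}  {image}")
```
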
 
LVL 21

Expert Comment

by:jvuz
ID: 12130499
You can post that log into this site:

http://www.hijackthis.de/index.php

and it will analyze it for you.
0
 

Author Comment

by:intouchsystems
ID: 12131196
Deleted msconf.exe and it worked.

YES

Funny that the removal tool doesn't work.

Thanks for all your help
0
 

Expert Comment

by:juank03
ID: 12282814

 The only thing that you need to do is rename the msconfig and the taskmgr to msconfig1 and taskmgr1, and that's it!!!!

 Thanks


 JC
0
