patmoli

asked on

Even after virus/maiware removal taskmgr.exe still not working.

I recently fixed an infected laptop.  I have experience doing this and "think" that I have cleaned it out, but ctrl-alt-del is still not working.  Now, I should point out that at some point during the process, it did work.  Taskmgr.exe resides in c:\windows\system32, c:\i386, & c:\windows\system32\dllcache.  If I rename it to taskmgr2.exe, it works.  I have killed every process I could think of and tested - still not working.  All new airus/spyware/rootkit scans coming up clean.  Alerter service is running.  Now at wits end and repeating tasks.  Looks like a virus, but not able to find it.  Not corrupt, because it works when renamed.  File locations are ok, and file sizes good.  Registry looks fine.  Ideas?
hijackthis.txt
SOLUTION
younghv
This solution is only available to members.
patmoli

ASKER

Oh boy...  Here comes the list :-)

All done in safemode.


Online Scans
Panda
Trend-Micro
Symantec
Kaspersky Labs

Inhouse
Command AV (F-prot)

Spyware
Spybot
Adaware
Hijack this

Rootkit
Sophos
sysinternals anti-rootkit
Hi,

you seem to be suffering from a CWS infection. Please download and run CWShredder:
http://www.greyknight17.com/spy/CWShredder.exe

Good luck.
patmoli

ASKER

Wish it were that easy.  I forgot about CWS.  Scanned, and not found.  Thanks though... that goes back on my usb key.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
patmoli

ASKER

This is odd.  I never tried taskmgr.exe after running CWS...  I just posted here. (my last post)  I tried it again after downloading the above scanners(and not running yet), and it worked!  CWS found nothing.  This makes no sense to me.  No changes were made....    Ideas?  
Even though CWS did not find anything, you have a real bunch(!) of suspicious files being loaded on boot time via Appinit. Check the entry O20 in your HJT logfile.

Did you reboot after running CWShredder?
Please run another HJT scan to make sure these suspicious entries still exist.
In case these entries still exist, it will be a bit tricky getting rid of them without CWShredder.

I suggest the following course of action:

- download EruNT from here: http://www.larshederer.homepage.t-online.de/erunt and run it once, storing a backup of your present registry underneath the windows directory. Print out the readme/manual.
(This is just in case something might go wrong and leave your OS unbootable.)

- download Autoruns from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx. Run it and select the 'Appinit' tab.

- untag all entries that are not Microsoft or come from a publisher you know and trust.

- write down the disabled entries' names, then cross-check them with these databases:
http://www.castlecops.com/O20.html
http://www.bleepingcomputer.com/startups/
If they don't appear as 'good' in there, they will be safe to disable.

- Save and reboot.

- Search for the files now disabled and delete them.

Good luck.
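An added example to go with the Autoruns/AppInit steps above (this script is not from the thread or from any of the tools it names): it lists the AppInit_DLLs entries, which is what HijackThis reports as O20 lines, resolves each one the way the loader would, and reports whether the file exists and who signed it, so the "untag everything that is not Microsoft or a publisher you trust" step rests on evidence rather than on eyeballing file names. It assumes Windows PowerShell 3 or later; the WOW6432Node key is only read if it exists, and the only thing it writes is a .reg export of the key to %TEMP%.

```powershell
# Added example, not from this thread: list AppInit_DLLs entries (HijackThis
# "O20" lines) with file existence and Authenticode signature status.
# Read-only apart from a .reg export of the key to %TEMP%.
# Assumes Windows PowerShell 3+; the WOW6432Node key is checked only if present.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitEntry {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $raw   = [string]$props.AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # The value is a space- or comma-separated list; a bare file name is
        # loaded from System32, so resolve it the way the loader would.
        foreach ($item in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            if ([System.IO.Path]::IsPathRooted($item)) { $path = $item }
            else { $path = Join-Path $env:SystemRoot "System32\$item" }

            $exists = Test-Path -LiteralPath $path
            $status = 'missing'
            $signer = ''
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            # Missing, unsigned or non-Microsoft entries get a Review flag: per the
            # advice above, those are the ones to untag and cross-check against a
            # startup database before deciding they are safe to disable.
            $review = (-not $exists) -or ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft')

            [pscustomobject]@{
                Key     = $key
                Loading = $props.LoadAppInit_DLLs   # Vista+: 0 means the list is ignored
                Entry   = $item
                Path    = $path
                Exists  = $exists
                Status  = $status
                Signer  = $signer
                Review  = $review
            }
        }
    }
}

# Export the key first so the original value can be restored with "reg.exe import"
# (a per-key backup only, not the full-registry backup ERUNT provides).
$backup = Join-Path $env:TEMP ("appinit-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' $backup /y | Out-Null
"Backup written to $backup"

Get-AppInitEntry | Format-Table Entry, Exists, Status, Signer, Review -AutoSize
```

Run it from an elevated prompt so the export succeeds; a validly signed DLL from a publisher other than Microsoft still shows Review = True, because whether that publisher is trusted is the judgement call the post above leaves to you.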
patmoli

ASKER

OK.  This is going to take me a bit, so I'll get on it tomorrow.  You get the points, but I'll leave this open to post results first.  Thanks for the help, and the tools. Attached is a new HJT log.  
hijackthis.txt
Those suspicious filenames still exist.

From looking at them again, I don't think there is a single one among them that belongs there. So in order to save time, you might as well try to use HJT for fixing all the O20 entries.

Please don't forget to make a registry backup with EruNT beforehand, then write down/print the O20 filenames from your HJT logfile, let HJT perform the fix, boot into safe mode and delete those files.

Good luck.
patmoli

ASKER

That's what I get for posting with RTF..

Ok, I'll do it in the AM and advise.

Thanks very much.
patmoli

ASKER

Curious....  Why use EruNT?  I normally use Export to a .reg file using regedit.
Have you ever managed to successfully restore a corrupted registry on a malfunctioning or even unbootable Windows by using an exported global .reg file?

If you have, please ignore my suggestion and proceed as you normally would. But you must be considered one of the lucky few. Let me quote the coder of EruNT: "The 'Export registry' function in Regedit is USELESS (!) for making a complete backup of the registry. Neither does it export the whole registry (for example, no information from the "SECURITY" hive is saved), nor can the exported file be used later to replace the current registry with the old one. Instead, if you re-import the file, it is merged with the current registry without deleting anything that has been added since the export, leaving you with an absolute mess of old and new entries."

Personally, I have been taught - by almost 20 years of painful experience - to not rely on any solutions offered by MS because they are all but failsafe. Take System Restore for instance: it usually only works when I test it, so far it always failed me when I really needed it.

That's why I tend to heavily rely on third party products which are mainly free, highly failsafe and still -quite often- far better supported than MS products.
Hi,
Thanks for the heads up younghv.

This is another one of those Chinese-based malware, hard to remove.
Note: This infection is an info and password stealer.

Hijackthis won't be able to remove all those baddies because they are already active very early at bootup.

Please run combofix as already suggested and whatever is left we can remove using a script.

Avenger can probably kill these too, but try combofix anyway.

From the run box type the following:

"%userprofile%\desktop\ComboFix.exe" /KillAll
SOLUTION
This solution is only available to members.
patmoli

ASKER

Alrighty, folks....  Here we go.

torimar- Point taken...  I've always used BartPE to merge .reg files.  I like EruNT though.

rpggamergirl - This laptop recently came back from China, so that makes sense.  I guess there's no way to find out what, if anything, was captured by this malware?  I was really surprised with the tenacity of this one, by far the most labor-intensive removal I have done to date.  I'm glad I chose to clean it rather than format, this was a great refresher course for me and I learned a bunch!  This one was fun, and I'd like to thank you guys again.  One quick question....  There were no processes running that I could find that were stopping taskmgr.exe.  What could it have been that was hooking it?

Anyhoo, attached are the results.  I guess one of the previous scans removed the .dlls already, and HJT looks better.  Care to advise on these results?  Have not run Combofix yet.



avenger.txt
hijackthis.txt
patmoli - just so you know, rpg is way around the world from most of us and probably won't be on for another 8-10 hours time from this post.
patmoli,

the HJT log is clean.

I imagined that a few or even most of those files would no longer exist physically (this explains why some process kept recreating them), but it is amazing to see that Avenger didn't find a single one of them.
Who knows, maybe CWShredder did its job after all.

patmoli

ASKER

Yes, this one was weird.  Attached is the Panda online scan log with the original infected files for anyone else interested.  I'll wait for rpg to comment then award points.  You two mind a 50/50 split?
scanresults.txt
patmoli

ASKER

Ok.  I'll give some more info then for reference.  

The original symptoms that got the user to report it was the system bogging right down.  On initial inspection, the CPU was pegged at 100%.  There were 34 instances of SoundMan.exe running.  I used pskill to kill the SoundMan.exe processes, and the CPU usage dropped back down.  Approximately 1 minute later, they started to come back, 2-3 at a time.  They never went over 34 instances of SoundMan.exe total.  I created a batch to kill the process and ran it every 5 min while I was working on it to keep the laptop usable.   BsHelpD.exe, interne.exe, notepde.exe, qoq.exe, & vcc.exe were a bit tricky to delete, and kept coming back until I hit it with a magic combo of local and online scans, followed by BartPE and manual deletion.  (sorry, can't provide much in the way of accurate descriptions here, I was swinging in all directions at this point)  By the time I decided to post here all the exe's were gone and the laptop was behaving normally except for the taskmgr.exe.

**possibly noteworthy**

There was also an exe called mann.exe, believe it was in system32 dir.  It ran at startup as well, just not reflected in a logfile that I retained.

every time a new instance of soundman.exe started, cpu would increase by approx 20%

every time I tried to run taskmgr.exe, cpu would increase from 1% idle to 16% every time for 1/2 a second then drop back to 1%.

Not sure if anything here helps, and I'm sorry for a lack of logs, but I wasn't expecting to post it here.  If I can be of any assistance, please let me know.  I can make email available on request.  


How is this infection generally propagated?  Are the symptoms the same for every infection? This laptop was up on our network while infected.  What concerns should I have? (Already changed administrator & user's passwords and VPN encryption keys)
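The respawning SoundMan.exe instances described above were killed on a timer, which keeps the machine usable but never shows what is launching them. As an added example (not from this thread, and not how the poster did it), the script below polls for a process name, records every new PID together with its parent process, and then tallies the parents, which is the piece of evidence that points at the launcher and at the Autoruns entry to look for. It is read-only and kills nothing; it assumes PowerShell 3 or later for Get-CimInstance, and the process name, sample count and interval are placeholders to adjust.

```powershell
# Added example, not from this thread: watch a process name for respawns and
# record the parent of every new instance. Read-only; it never kills anything.
# Assumes PowerShell 3+ (Get-CimInstance). Defaults below are placeholders.

param(
    [string]$Name = 'SoundMan',   # process name without .exe (placeholder)
    [int]$Samples = 12,           # how many polls to take
    [int]$IntervalSeconds = 5     # seconds between polls
)

function Watch-Respawn {
    param([string]$Name, [int]$Samples, [int]$IntervalSeconds)
    $seen = @{}                                          # PIDs already recorded
    $log  = New-Object System.Collections.Generic.List[object]

    for ($i = 0; $i -lt $Samples; $i++) {
        $procs = @(Get-CimInstance Win32_Process -Filter "Name = '${Name}.exe'")
        foreach ($p in $procs) {
            if ($seen.ContainsKey($p.ProcessId)) { continue }
            $seen[$p.ProcessId] = $true

            # Look the parent up right away: if it is a short-lived launcher it
            # may already be gone by the next poll.
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $log.Add([pscustomobject]@{
                Time       = Get-Date -Format 'HH:mm:ss'
                Pid        = $p.ProcessId
                Path       = $p.ExecutablePath
                ParentPid  = $p.ParentProcessId
                ParentName = if ($parent) { $parent.Name } else { '<exited>' }
                ParentPath = if ($parent) { $parent.ExecutablePath } else { '' }
                Live       = $procs.Count                 # instances alive at this poll
            })
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $log
}

$events = Watch-Respawn -Name $Name -Samples $Samples -IntervalSeconds $IntervalSeconds
$events | Format-Table -AutoSize

# Parents that keep showing up are the thing to investigate, not the child
# that keeps reappearing.
$events | Group-Object ParentName, ParentPath | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it while the respawning is happening (before the kill loop, or between its runs). A parent that reports as <exited> with a path in a user-writable directory, or a legitimate-looking parent such as explorer.exe whose file is not the one in the Windows directory, is the lead to follow up in Autoruns.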
patmoli

ASKER

I'm really surprised it's still running as well as it is.  Most of the bad infections I've dealt with have left the pc in a clean-but-now-unstable state.  Glad I can be involved with this one.
patmoli,

Avenger didn't find those files so what's showing in the O20 entry must just be the remnant values.

Chinese-based malware changes often, that's why they're harder to remove. The tool I'd suggest for this kind of nasties is Combofix, as originally Combofix was created for Chinese infections.

It patches legit files it seems, as I've one thread that looks like a patched explorer.exe,  in your case would've been the "soundman.exe"
Seems to also come with rootkit-like files too.

So, I assume all bad files have been deleted? You did a good job there!

If problem still persists, I would suggest running combofix still.


Vee_Mod,
Thanks for joining us, nice to have a Mod around looking after things, :)
patmoli

ASKER

Thanks!  The laptop is coming up clean, and running well.  I'm concerned about what the keylogger might have gotten, but I guess I'll never know.
Thanks to all of you for the help.  This was actually my 1st time posting a HJT log for analysis, and I found the experience to be rather exciting.  I like this kind of work.

So who do I give points to?  Something tells me that none of you really care... Split?
patmoli,
Points are just an added bonus, we like helping and the challenge, also learning along the way.
This is what I call a team effort, so you can awards points to everyone.
I would like my(share of points) also be shared with younghv because if he didn't alert me to this question I most probably won't see it, thanks.


@younghv,
Sorry didn't see your other post, thanks for that.
patmoli

ASKER

Thanks to you all, I learned a lot from this one, and got some new tools to boot. I've been doing this for quite some time now, I never discount the value of a 2nd opinion.  If I can ever be of assistance, please let me know.
Hi,

nice to see it's all up to normal again. You did a great job at cleaning, patmoli, basically leaving to the rest of us the mere confirmation that all seemed clean.

Pity there isn't more information available about this peculiar infection which deserves to be called 'multiple-polymorphic'. At least three distinguishable sources appear to have played a part in it, and although CWS left the biggest fingerprint I'm not quite convinced that it was actually the main culprit.

Anyway, I have a feeling that this wasn't the last time we've heard of "soundman.exe" and "interne.exe".

Regards and thanks for the points.
patmoli

ASKER

Are you guys interested in the exe's themselves for forensics?