Task Manager is disabled (because of some adware). How to enable it?


Sukumar

Hi,
My Windows 2000 Task Manager is disabled (because of some adware). How to enable it?

Accidentally I clicked on one abc.exe link I got in Yahoo Messenger. After that my Task Manager and some IE settings buttons are disabled. Please let me know how to enable them.
I have removed the adware exe successfully. It no longer runs on my PC, but still the buttons are disabled. I am also not able to run c:\winnt\taskman.exe (if I click on it, nothing comes up).
In IE Internet Options the Home page settings buttons are disabled.

Any help to solve this problem is appreciated.

Thanks,
Sukumar
 

Mikolaj


Please take a look here:

http://www.microsoft.com/resources/...s/2000/server/reskit/en-us/regentry/93504.asp
 

AndyManchesta

Download Ewido Security Suite, update it in normal mode, and run it together with MSAS in Safe Mode.

http://www.ewido.net/en/download/

(Reboot and keep tapping F8, then choose Safe Mode from the list.) This is very important!!

You said this is adware, but we need to know the name of this adware. I had a file of exactly that name on my system a while ago when testing, and it related to a keylogger/password stealer. I'm sure this filename has more than one meaning and could be included in other malware, but as soon as I deleted the abc.exe file I noticed a lot of ports open and it sent a lot of details to a Gmail address.

It might also be this backdoor trojan:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cloner.html

I'm just checking my system to see if I recorded the other names. If you have just got this, using System Restore may be your best move to take you back to when you know the system was clean; it will also repair Task Manager and your home page fault.

We need to make sure your system is clean first, then we can deal with Task Manager if it's not repaired or if System Restore isn't available to you.

Run some of these virus scanners:

Kaspersky
http://www.kaspersky.com/virusscanner

Trend Micro
http://housecall.antivirus.com/

Panda
http://www.pandasoftware.com/activescan/

These were the files from the keylogger/password stealer:

C:\WINDOWS\System32\abc.exe
c:\windows\vr_sys.dll
C:\WINDOWS\System32\cssrs.exe
c:\documents and settings\andy manchesta\local settings\temporary internet files\content\0bb7otyu\abc[1].exe

Plus all these were on the system as well:

TrojanDownloader.Small.xk
TrojanDropper.Agent.qb
TrojanDownloader.Small.avt
TrojanDownloader.Agent.e
Trojan.Crypt.c
Trojan.P2E.cb
Spyware.Hijacker.Generic
Trojan.Crypt.c
Backdoor.Agent.bc

Ewido took care of all of them and MS AntiSpyware detected the password stealer!

If it's not the keylogger then it's maybe the backdoor trojan, which then makes things very difficult if someone has had control of your PC, because they could have deleted anything and replaced it with bogus files, dropped files in various areas and changed a lot of registry settings.

What adware did you think this was related to?

Can you run Ewido and MSAS in Safe Mode and, when Ewido finishes, choose the "save report" option at the bottom of the screen, save it to your desktop and then post that back? Also run the antivirus scanners and post their results, and I will try to help out more on this.

Regards, Andy
 

Guest

Hi,

The exe which got into the WINNT dir is SVOHOST.exe and there were two other files in system32 (one is command.exe and I don't remember the other). After deleting those, I was able to delete SVOHOST.exe.
Finally cleaned up after deleting those.

In IE, it defaulted the home page to joyiex.com and disabled the button. MS AntiSpyware helped to reset it to another web page, but the Home button is still disabled.

I don't know the name of the adware.

My system is clean, but still the Task Manager is disabled.

Thanks,
Sukumar

 

AndyManchesta

Hi Again

This would be a trojan then, and thanks for the info, so now I know exactly what this is ;)

The files, apart from svohost.exe, would be commamd.exe & lsasa.exe. It also injects into explorer.exe to run every time Windows starts, so use HijackThis and post the log it produces so we can then fix that part if it's still present, or edit that area using Regedit.

Download HijackThis if needed:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Choose to run a scan and save the logfile, and post that back.

You will have to edit the registry for the other areas that have been changed by this trojan, or use System Restore if it's available:

For Regedit take your time and only delete what I list. For example, with the entry below go to Start > Run and type regedit. Go to HKEY_CURRENT_USER, then click the + (plus) beside it, then find Software and click the + (plus), then Microsoft and the + (plus), and so on until you get to the system area.

This is the way it will look on yours:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
"DisableTaskMgr" = "1"

This is the way it should look to get Task Manager back:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
"DisableTaskMgr" = "0"

Right-click DisableTaskMgr and choose Modify, then change the 1 to a 0 and press OK.

I assume this is the same as the link Mikolaj has provided.

For the Internet settings, check for this subkey:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

If the "ResetWebSettings" value or the "HomePage" value exists in this key, right-click the values, click Delete, and exit Regedit.

Reboot the PC.

Go to Control Panel, then to Internet Options, and then the Programs tab; press "Reset Web Settings". Make sure the "Also reset my home page" check box is selected, and then click YES. Then go back to the General tab, enter the home page you wish to use into the space provided and press Apply.

While on the General tab press Delete Files and include all offline content, then press Delete Cookies and Delete History to remove any traces of the trojan code.

For the Winlogon line, if you didn't want to use HijackThis then find this area of the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Left-click Winlogon and in the right pane find

"Shell" = "Explorer.exe commamd.exe"

Right-click this, press Modify and change it to read

Explorer.exe

then press OK.

It also adds this entry:

HKEY_CLASSES_ROOT\txtfile\shell\open
"command" = "%System%\lsasa.exe "%1""

so the trojan starts whenever any text file is opened.

You will need to change it to this. Find this subkey:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

Left-click command and in the right pane click

"%System%\lsasa.exe "%1""

and change this to

%System%\NOTEPAD.EXE %1

then press OK.

And finally the Run command for this will look like this:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"ctfnom.exe" = "%Windir%\SVOHOST.exe"

If it still exists, find:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Left-click Run and in the right pane right-click

ctfnom.exe and press Delete.

It may be easier to do this in Safe Mode in case the trojan is still running, but if you are sure it's gone normal mode should be fine. Let us know if you have problems or cannot find the entries in Regedit.

Regards, Andy
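As an added example (not code from the thread or from any tool it mentions), the checks Andy walks through above, written as a Python audit of a .reg-style registry export: it parses the export and reports each tampered value. The key paths and the svohost.exe / notepad.exe / "Explorer.exe only" checks come from the thread; the sample export is constructed to mirror the values Andy lists, and everything else is an assumption of this example.

```python
import re

# Keys named in the thread, written the way a .reg export shows them.
POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_CONTROL_PANEL = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TXTFILE_OPEN = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

_SECTION = re.compile(r"^\[(.+)\]$")                    # [HKEY_...\Key]
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')     # "name"=data or @=data

def _unescape(s):  # undo .reg escaping of backslashes and quotes
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {key: {value_name: raw_data}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1)
            keys[current]["@" if name == "@" else _unescape(name[1:-1])] = m.group(2)
    return keys

def as_str(data):
    """Unquote a REG_SZ ("...") value; dword:/hex: data is returned as-is."""
    return _unescape(data[1:-1]) if len(data) > 1 and data[0] == data[-1] == '"' else data

def audit(text):
    """One finding per tampered value described in the thread; [] means clean."""
    reg, findings = parse_reg(text), []
    v = reg.get(POLICY_SYSTEM, {}).get("DisableTaskMgr")
    if v is not None and as_str(v) not in ("0", "dword:00000000"):
        findings.append("Task Manager disabled by policy: DisableTaskMgr=%s" % v)
    for name in ("HomePage", "ResetWebSettings"):
        if name in reg.get(IE_CONTROL_PANEL, {}):
            findings.append("IE Control Panel restriction present: %s" % name)
    shell = as_str(reg.get(WINLOGON, {}).get("Shell", '"Explorer.exe"'))
    extra = [p for p in shell.split() if p.lower() != "explorer.exe"]
    if extra:   # the thread's case: Shell=Explorer.exe commamd.exe
        findings.append("Winlogon Shell starts extra program(s): %s" % " ".join(extra))
    cmd = as_str(reg.get(TXTFILE_OPEN, {}).get("@", ""))
    if cmd and "notepad.exe" not in cmd.lower():
        findings.append("txtfile open handler is not Notepad: %s" % cmd)
    for name, data in reg.get(HKCU_RUN, {}).items():
        if "svohost.exe" in as_str(data).lower():
            findings.append("HKCU Run value %r launches %s" % (name, as_str(data)))
    return findings

# Constructed sample export mirroring the values Andy lists (not a real dump).
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe commamd.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%System%\\lsasa.exe \"%1\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfnom.exe"="%Windir%\\SVOHOST.exe"
"""
```

Running `audit(SAMPLE_EXPORT)` on the constructed export returns five findings, one for each value the post tells the reader to repair; a clean export returns an empty list.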
 

Sukumar

Hi Andy,

Thanks for all the messages. Even after doing all this, my Task Manager is still disabled.

Please help.

Here is the output from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 4:52:41 PM, on 8/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Sygate\SSA\syg_internal.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Internal\PC COE\IDA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Documents and Settings\ssukumar\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/welcome.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://local.india.internal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by internal local
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.cup.internal.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.know.internal.com;localhost;*.india.internal.com;<local>
F2 - REG:system.ini: Shell=Explorer.exe commamd.exe
O1 - Hosts: 16.138.126.29 sp2w50.india.internal.com
O1 - Hosts: 15.76.122.123 sespccoe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [IDA] C:\Program Files\internal\PC COE\IDA.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://local.india.internal.com
O15 - Trusted Zone: http://ie.config.asia.localhost.com
O15 - Trusted Zone: http://ie.config.eur.localhost.com
O15 - Trusted Zone: http://ie.config.im.hou.localhost.com
O15 - Trusted Zone: http://ie.config.jp.localhost.com
O15 - Trusted Zone: http://ie.config.ecom.localhost.com
O15 - Trusted Zone: http://ie.config.asia.localhost.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.localhost.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.localhost.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.localhost.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.localhost.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125313275122
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = localhost.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = localhost.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = localhost.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Atria Cred Manager (cccredmgr) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: internal Sygate Icon Control (internalSygControl) - internal Company - C:\PROGRA~1\Sygate\SSA\syg_internal.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: PictureTaker - LANovation - C:\WINNT\system32\PCTKRNT.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



Thanks,
Sukumar
 

AndyManchesta

Hi Again

Can you give me a bit more info? Did you manage to find this in the registry?
----------------------------------------------------------
This is the way it will look on yours:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "DisableTaskMgr" = "1"

This is the way it should look to get Task Manager back:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system "DisableTaskMgr" = "0"

Right-click DisableTaskMgr and choose Modify, then change the 1 to a 0 and press OK.
----------------------------------------------------------

Also, did you manage to run some antivirus scanners like the ones I posted in my first reply here? This is a trojan, so running at least one antivirus scanner is a good idea. And have you got the Internet home page settings back to the way they should be?

Can you also tell me about these?

file:///C:/welcome.htm which is your start page

http://local.india.internal.com which is your default page??

And these lines, do you know what they all are?

These are added to your hosts file:

O1 - Hosts: 16.138.126.29 sp2w50.india.internal.com
O1 - Hosts: 15.76.122.123 sespccoe

These are added to your Trusted Zone:

O15 - Trusted Zone: http://ie.config.asia.localhost.com
O15 - Trusted Zone: http://ie.config.eur.localhost.com
O15 - Trusted Zone: http://ie.config.im.hou.localhost.com
O15 - Trusted Zone: http://ie.config.jp.localhost.com
O15 - Trusted Zone: http://ie.config.ecom.localhost.com
O15 - Trusted Zone: http://ie.config.asia.localhost.com
O15 - Trusted Zone: http://ie.config.eur.localhost.com
O15 - Trusted Zone: http://ie.config.im.hou.localhost.com
O15 - Trusted Zone: http://ie.config.jp.localhost.com
O15 - Trusted Zone: http://ie.config.ecom.localhost.com

As I am in the United Kingdom I am not aware of these sites, so it would help if you can confirm you know about them and can say if these are genuine and are sites you use.

I will check the log in detail now but just wanted to post about these entries to save me a bit of time.

I will repost soon, but try to answer these questions first if you can, even if it's just to say you are not sure.

Andy
 

AndyManchesta

Hi There

If you can answer about the localhost.com & localhost.net lines that would be helpful. I see you still have restrictions set in IE, which is probably due to this trojan; also it's still hooked into explorer.

I'm working on a regfix that you can download and merge into the registry to repair the damage, but it would help if you can tell me a bit about these O1 and O15 entries in your log so I know if they are genuine or malicious.

I'll post the fix soon, but let me know about those other entries if you can?

Regards Andy
 

AndyManchesta

Hi Sukumar

Download this fix I made:

http://andymanchesta.com/DL/TrojanFix.reg

Save it to your desktop, then double-click it and allow it to be merged into the registry.

This will repair Notepad, explorer.exe, IE restrictions & Task Manager.

Then run HijackThis again, choose to run a system scan and place a check next to these entries if they still exist:

F2 - REG:system.ini: Shell=Explorer.exe commamd.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all open browser windows except HijackThis and press "Fixed Checked".

Then reboot. (Don't worry if these entries do not show in the HijackThis scan; they should be removed with the regfix.)

When you reboot, try Task Manager again and it should work.

Let me know if you have any problems.

All the best, Andy
 

AndyManc

I made a change to the regfix yesterday after noticing a problem restoring the Notepad line, so after running the regfix to repair the other problems, use Regedit and restore the Notepad part manually:

Navigate to:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

Right-click (Default) and enter this:

%SystemRoot%\system32\NOTEPAD.EXE %1

Then press OK.

All the best

Andy
 

Guest

Hi Andy,

Sorry, I forgot to mention that I have replaced my company information in the HijackThis output. I replaced my company name with localhost. Those were valid & trusted site names before I replaced them.

After I merged http://andymanchesta.com/DL/TrojanFix.reg, my Task Manager is enabled.
Thanks a lot for your help.

The only issue pending now is the IE home page settings. I will rerun, restart HijackThis and see if it is enabled or not.

I have set my home page to a dummy HTML file called welcome.htm, which I have created. I was able to change to this from the hijacked entry through Microsoft AntiSpyware.

Thanks,
Sukumar
 

AndyManchesta

Hi Sukumar

Thanks for letting me know it's repaired the problem :)

The regfix should have repaired the restrictions in IE by removing the Homepage and Reset Web Settings restrictions as well as Task Manager and explorer, but it's good to hear you were able to retry this and get that working.

All the best

Andy
 