Task Manager will not open

  • Thread starter: Smirnoff
Jose said:
The "problem" is the executable named taskmgr.exe is not allowed to be
a running task. It is intercepted by the malware (and its residue)
based on the name alone. You do not seem to have the permissions
issue, which is also an easy fix.

It is unlikely that the malware will intercept smirnoff.exe, so it is
a test to see if TM will launch under another name (or another
problem). I would say smirnoff.exe will launch TM and it will run as
smirnoff.exe - not taskmgr.exe. If the copy runs, the rest is easy.
Of course, you would have to try it.

You can certainly reinstall.

Here is info from the Malwarebytes CEO:

MBAM loses some effectiveness for detection & removal when used in
safe mode because the program includes a special driver which does not
work in safe mode. Further, scanning in safe mode prevents some types
of malware from running so it may be missed during the detection
process. Additionally, there are various types of malware infections
which target the safeboot keyset so booting into safe mode is not
always possible. For optimal removal, normal mode is recommended so it
does not limit the abilities of MBAM but in some cases, there is no
alternative but to do a safe mode scan.

Quick scan in Normal Mode, that is the best for detection rates.

Understood, thanks.
 
Ken Blake said:
If there were *hundreds* of nasties, I'd not only agree with you,
I'd suggest that a clean installation is likely the *only* solution
(unless those "nasties" were just cookies). Although you say "appears
to be working OK (with the exception of Task Manager)," there may well
be remaining problems you are not yet aware of.

Yes, the majority could well have been tracking cookies. I should have
checked more closely. When I saw the number of detections my instinct was to
get rid of the buggers as soon as possible.

I will put this thread to bed now.

Thanks to all.
 
Okay all -

When Taskmgr was disabled, did we also get the "Access denied to change of
services" associated with that?

For me, it is. I am unable to use Taskmgr from the Run box (all I see is a
brief hourglass) AND I am unable to change the Startup. Diagnostic is
unselectable. AND I did try to make the change from a safe boot - did the
scans (Norton 2010), did the MSRT, et al.

History: Don't know how or why, as my youngest hit a site that contained the
malware. I used Ctrl-Alt-Del to quickly find the exe and renamed it. That's
how I gained access. Yes, I did have anti-virus, but my youngest clicked on
the pop-up - which was just like inviting the vampire in. (It was a
pseudo-defender.) Since that time, I think I located CTHelper on the
machine, which by web accounts may be associated with malware.

Key points: be able to get startup (msconfig) to accept changes (already
used services.msc to no avail);

be able to use Ctrl-Alt-Del once again (taskmgr.exe not working)

Yes, I have been reading. I did the rename of Taskmgr to Cisco.exe and it
states that "Taskmgr has been disabled by your Administrator". I am the
administrator and this is a stand-alone workstation. Using Windows XP and
Office 2003 (tested and true no need to change - waiting for all bugs to be
fixed between Vista and 7)

Mucho appreciated for any assistance.
 

undisclosed said:
I have a similar issue.
User had a pc that was infected with rogue anti-spyware and it listed
over 700 objects that were bad, I suspected the list was inflated as to
scare the user into purchasing to steal credit card info.
I removed the rogue anti-spyware through a combination of malwarebytes,
hijackthis and some registry editing.
However malwarebytes quarantined many files. I wasn't sure whether
it was safe to delete the files that were under quarantine.
Now the system seems to come up clean under scans. There was a corrupted
hosts file that I couldn't delete, so I ended up renaming it and recreating
a typical hosts file.
Anyway, task manager wouldn't open, so I tried what was suggested in
this thread and renamed the file to smirnoff.exe and it will launch now.
Should I just back up all the users data and re-install or is there
something else that may work, and require less time?
I can provide more information if it will help resolve the issue or
inform your answer.

Click Start, Run and in the box type:

regedit.exe

Click OK.

Navigate to the following location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

In the right-pane, delete the value named DisableTaskMgr

Close regedit.exe

What happens when you run cisco.exe now?
What happens when you run taskmgr.exe now?
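An added example, not from this thread or any of its posters: a PowerShell script that audits the two registry mechanisms discussed above. The DisableTaskMgr policy value produces the "disabled by your Administrator" message; an Image File Execution Options (IFEO) Debugger value for an image name silently substitutes another program whenever that name is launched, which is why a renamed copy of taskmgr.exe still runs while taskmgr.exe itself does not. Run it from an elevated PowerShell prompt; it only reports unless -Remediate is given. The list of trusted debugger names is an assumption to adjust for your environment.

```powershell
# Added example (not from the thread): audit the registry for the two
# mechanisms that block Task Manager on Windows XP and later.
#   1. Policies\System\DisableTaskMgr = 1
#        -> "Task Manager has been disabled by your administrator"
#   2. Image File Execution Options\<image>\Debugger
#        -> launching <image> runs the "debugger" instead, so a renamed copy
#           of the same executable is unaffected (name-based interception)
# Reports only by default; -Remediate removes the values it lists.
param(
    [switch]$Remediate
)

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: debuggers that are legitimately registered on a developer box.
# Any other Debugger value that points at an executable is treated as suspect.
$trustedDebuggerPattern = '^(ntsd|windbg|vsjitdebugger)\.exe$'

$findings = @()

# 1. Task Manager policy, per-user and machine-wide
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) {
        $findings += [pscustomobject]@{ Type = 'Policy'; Location = $key; Detail = 'DisableTaskMgr = 1' }
        if ($Remediate) { Remove-ItemProperty -Path $key -Name DisableTaskMgr }
    }
}

# 2. IFEO Debugger values: one subkey per intercepted image name
if (Test-Path $ifeoKey) {
    foreach ($sub in Get-ChildItem -Path $ifeoKey) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        # Pull the first .exe name out of the value (it may be quoted and carry arguments)
        $dbgExe = ''
        if ($dbg -match '([^\\"]+\.exe)') { $dbgExe = $matches[1] }
        if ($dbgExe -match $trustedDebuggerPattern) { continue }
        $findings += [pscustomobject]@{ Type = 'IFEO'; Location = $sub.PSChildName; Detail = "Debugger = $dbg" }
        if ($Remediate) { Remove-ItemProperty -Path $sub.PSPath -Name Debugger }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No DisableTaskMgr policy and no suspicious IFEO Debugger values found.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remediate) { Write-Output 'Removed the values listed above; re-run the script to confirm.' }
}
```

The IFEO check is the one worth keeping around after cleanup: the log posted later in this thread shows `Image File Execution Options\taskmgr.exe\debugger` alongside Debugger entries for a long list of security-product executables, which is exactly what this enumeration surfaces.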
 
Yes, I had already done the 1 to 0 routine under that registry when I got the
message. What I got was what I identified above: "Taskmgr has been disabled
by your Administrator".

Wife sez it's time to call Geeks as this is getting above my level - and I
spent all weekend researching, checking registry for UI keywords, etc. Came
across one that I do not find in the web: Kdynedud - it is a folder and
directs to regsvr32 /u "C:\Documents and Settings\All Users\Application Data\kdynedud.dll"
and it is in the startup, which, of course, I cannot change due to the
Access Denied of Services error.

Note: Now the system is rebooting (by itself) - meaning when the system is
left inactive for a while it reboots and I need to sign in.

 
PS the Kdynedud is located in HKLM\SW\MS\Shared tools\MSConfig\Startupreq\kdynedud


Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available; it prompts you to insert a CD and burns the file, no problem.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html
 
BAM! I'm sucking wind. Here is the litany of issues MBAM found. Everything
is compromised. Still more to do. It started with the PCDefender. That was
the one that I broke into.

I got Task Mgr back - but still have the "Access Denied to change of
services" message box whenever I do an msconfig.

Don't know if there was a solution to this thread - but MBAM works

This is much more complicated than what I thought - but the data and machine
are still functional. Again, more to do.

Cut the following down due to the limit, but there were 705 items

Malwarebytes' Anti-Malware 1.41
Database version: 2988
Windows 5.1.2600 Service Pack 3, v.3311

10/19/2009 3:41:27 PM
mbam-log-2009-10-19 (15-41-27).txt

Registry Keys Infected: 682
Registry Values Infected: 10
Registry Data Items Infected: 7
Folders Infected: 3
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\WR (Malware.Trace)
HKEY_CURRENT_USER\SOFTWARE\xflock (Malware.Trace)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe (Security.Hijack)

Break break break (just too much)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe (Security.Hijack)

Break break break -

Break break - Over 705 !!!!!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe (Security.Hijack)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxfw.exe (Security.Hijack)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe (Security.Hijack)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\memman.vxd
(Rogue.sysCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\Arrakis3.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\bdreinit.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\bdsubwiz.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\bdtkexec.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\bdwizreg.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\seccenter.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\uiscan.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\upgrepl.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\taskmgr.exe\debugger (Security.Hijack) -> Quarantined and
deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=157&q={searchTerms}) Good: (http://www.Google.com/)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=157&q={searchTerms}) Good: (http://www.Google.com/)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=157&q={searchTerms}) Good: (http://www.Google.com/)
HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=157&q={searchTerms}) Good: (http://www.Google.com/)
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=157&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=157&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=157&q={searchTerms}) Good: (http://www.Google.com/)

Folders Infected:
C:\Program Files\Temporary (Trojan.Agent)
C:\Program Files\WinAble (Trojan.Adloader)
C:\Documents and Settings\HP_Owner.YOUR-D0F670B45A\Application Data\Windows PC Defender (Rogue.WindowsPCDefender)

Files Infected:
C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner)
C:\Documents and Settings\HP_Owner.YOUR-D0F670B45A\Application Data\Windows PC Defender\Instructions.ini (Rogue.WindowsPCDefender)
C:\Documents and Settings\HP_Owner.YOUR-D0F670B45A\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows PC Defender.lnk (Rogue.WindowsPCDefender)
 