Task Manager won't run (Jose?)

Lushington

My earlier thread under "Security Center shows wrong a/v" seems to have
scrolled off the radar.

Issue #2 was: Task Manager won't run. There are no warning messages about
being disabled by Administrator.

MBAM shows no problem.
SAS showed some cookies and one Adware.IEPlugin problem (fixed by SAS)

Dealing with the following registry keys doesn't help:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
HKCU\Software\Microsoft\Windows NT\CurrentVersion\TaskManager

Renaming taskmgr.exe WORKED.

msinfo32 report:

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name DELL
System Manufacturer Dell Computer Corporation
System Model Dimension 2400
System Type X86-based PC
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2657 Mhz
BIOS Version/Date Dell Computer Corporation A05, 12/2/2003
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name DELL\Terry
Time Zone Eastern Daylight Time
Total Physical Memory 512.00 MB
Available Physical Memory 285.60 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.22 GB
Page File C:\pagefile.sys
 
Lushington

My radar's just fine, thanks.

Until about an hour ago, the last helpful message in that thread was from
Jose on 9/30 at about 10 pm Eastern. I responded with the information he had
asked for on 10/2, and there has been no response to that information, which
is why I reposted under this new subject.

About an hour ago, there was a response from Daave, which actually was
helpful.
 
Jose

My radar's just fine, thanks.

Until about an hour ago, the last helpful message in that thread was from
Jose on 9/30 at about 10 pm Eastern. I responded with the information he had
asked for on 10/2, and there has been no response to that information, which
is why I reposted under this new subject.

About an hour ago, there was a response from Daave, which actually was
helpful.

Silly radar. My problem is usually with my crystal ball, which is why
I try to ask the specific questions and not guess. Thanks for the
msinfo32 info - that saved a lot of questions.

I suspect the problem is a leftover in the registry and since
lushing.exe works okay (as I suspected it would), we can take a look.
The malware may be gone, but it left behind remnants.

Backup your registry first:

http://www.larshederer.homepage.t-online.de/erunt/

My plan A copy/paste instructions are for guidance and cite a specific
example, yours may vary, so I would read them first, then see what you
find. If you can't figure it out, post back here for help or plan B.

From regedit (that may not work either but a copy with a different
name will, so make a copy of regedit.exe now that you are familiar
with that process!) navigate to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

Highlight the Drivers32 folder on the left and observe the contents in
the right hand pane. Then, for safety, export the Drivers32 folder
by choosing File, Export.

Name the export file something like drivers32 and save the file to the
desktop or someplace you can find it. It will have the default .reg
extension for registry files.

Depending on your experience, you may be able to spot the problem in
the list of Drivers32 entries right away and fix it.

Even if you do something wrong, you just exported the key so you can
always import the original if you need to restore it to the original
state.

Look for entries in the right hand pane where the Value column has
double backslashes and/or especially double dot (..) notations and
paths to filenames that do not exist or just don't make sense. Double
backslashes may be okay - if the referenced file really exists and you
can tell what it is.

An example of a problem entry looks like:

The Name aux may have a Data value of C:\\WINDOWS\\system32\\..\\jwmrus.yds

"aux" is a valid Name, but the Data value "jwmrus.yds" makes no sense,
was removed by the malware scan so the file doesn't even exist
anymore, and has the suspicious double dots.

These are the remnants of your trojan that your scan does not know
enough about to delete. The scan may have deleted the referenced
file, but not the registry entry.

In the example above, "aux" should just be "wdmaud.drv". You can tell
that by looking at other examples and figuring it out.

There are probably some other entries that have wdmaud.drv with no
path with backslashes in them for reference.

Fix the Data part of the entry by double clicking it, set the value to
wdmaud.drv (the most common thing needing replacement) and then click
OK to save it. If something goes wrong, you have a registry backup
already.

Eliminate the potential "Did you reboot?" question before it happens
by rebooting anyway, then test your afflicted files using their real
names.

If you can't spot the problem or it doesn't work out, then you need to
post the registry export results by opening the exported file in a
text editor, copying all the text and pasting it back here.

Don't try to open the exported file by double clicking it, or choosing
to Open it. Use a text editor, not Open.

Specifically open the exported file with a text editor. Right click
the exported file, choose Open With and use notepad or wordpad to open
the file. There should not be much in the file.

In the text editor, type Ctrl A to select all, Ctrl C to copy and then
post back here and type Ctrl V to paste the results into the post.

If you end up changing the registry or deleting something to get this
to work, I would like to know exactly what you found and what you did
so I can update my notes. Posting your before and after Drivers32
would be great.

Everybody seems to have a slightly different bogus entry, so I am
trying to collect more examples.
 
Jose

My radar's just fine, thanks.

Until about an hour ago, the last helpful message in that thread was from
Jose on 9/30 at about 10 pm Eastern. I responded with the information he had
asked for on 10/2, and there has been no response to that information, which
is why I reposted under this new subject.

About an hour ago, there was a response from Daave, which actually was
helpful.

Forgot to mention that, as you can see, there is nothing wrong with
your executable since an exact copy with a different name works. That
is the key.

It is the process names of tools (taskmgr.exe, regedit.exe, cmd.exe,
etc.) used to remove the malware that are not allowed to run, so you
scan (my best luck with this one is usually MBAM and SAS), outsmart
it, then fix it.
 
Jim

You are running X-Newsreader: Microsoft CDO for Windows 2000
which doesn't always pick up the messages.
 
Lushington

Thanks, Jose. It may be another day or two before I get back to the problem
computer ... but I'll post back with results positive or negative.
 
Jose

Thanks, Jose. It may be another day or two before I get back to the problem
computer ... but I'll post back with results positive or negative.

Okay - I updated my notes a bit:

Look for entries in the right hand pane where the Value column has
double backslashes and double dot (..) notations and/or filenames that
do not exist, or just don't seem to make much sense.

Here are some examples of valid entries, and both of the driver files
do exist in the c:\windows\system32 folder:

"msacm.l3acm" "C:\\WINDOWS\\system32\\l3codeca.acm"
"wave" "wdmaud.drv"

An example of a problem entry looks like:

"aux" C:\\WINDOWS\\system32\\..\\jwmrus.yds

"aux" is a valid Name, but the Data containing "jwmrus.yds" makes no
sense, and the file itself was removed by the scanning software and
does not even exist anywhere on the system, so it should be deleted.
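As an added illustration (not part of this thread, and not code posted by Jose or anyone else here), the script below applies the three tells from Jose's plan A and his updated notes to a Drivers32 export: a double-dot segment in the path, a referenced file that no longer exists, and a data value whose extension makes no sense for a driver entry. The sample .reg text and the list of "files on disk" are constructed so it runs offline; the assumption that bare filenames resolve under C:\WINDOWS\system32, and the set of expected extensions, are mine rather than anything the thread states.

```python
r"""Triage an exported Drivers32 .reg file for leftover malware entries.

Assumed workflow (from the thread): the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 was exported
from regedit, and the .reg text is checked entry by entry for data that
looks like a remnant rather than a real driver/codec reference.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample export (not from a real machine). The "aux" line
# mirrors the kind of bogus entry described in the thread; the others
# have the shape of normal entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\jwmrus.yds"
"midi"="wdmaud.drv"
"wave"="wdmaud.drv"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"vidc.cvid"="iccvid.dll"
'''

# Assumption: bare filenames in Drivers32 are loaded from system32, so
# that is where they are resolved for the existence check.
SYSTEM32 = r"C:\WINDOWS\system32"

# Constructed stand-in for the filesystem so the script runs offline;
# on the real machine, pass os.path.exists to find_suspicious instead.
SAMPLE_FILES = {
    r"c:\windows\system32\wdmaud.drv",
    r"c:\windows\system32\l3codeca.acm",
    r"c:\windows\system32\iccvid.dll",
}

# Assumption: extensions normally seen as Drivers32 data values.
EXPECTED_EXTENSIONS = {".drv", ".acm", ".dll", ".ax"}

# "name"="data" lines; escaped characters inside the quotes are allowed.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape_reg(value: str) -> str:
    """Undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_export(text: str) -> List[Tuple[str, str]]:
    """Return (name, data) pairs for the string values in a .reg export.

    The header, the [key] line and non-string values (dword:, hex:) are
    skipped, since Drivers32 entries of interest are plain strings.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((unescape_reg(m.group(1)), unescape_reg(m.group(2))))
    return entries


def sample_exists(path: str) -> bool:
    """Case-insensitive lookup against the constructed file list."""
    return path.lower() in SAMPLE_FILES


def find_suspicious(text: str, file_exists: Callable[[str], bool]) -> List[Dict]:
    """Apply the thread's tells to every entry and report the hits."""
    findings = []
    for name, data in parse_reg_export(text):
        reasons = []
        if ".." in data.split("\\"):           # the double-dot tell
            reasons.append("double-dot")
        full = data if "\\" in data else ntpath.join(SYSTEM32, data)
        resolved = ntpath.normpath(full)       # collapses the ".." segment
        if not file_exists(resolved):          # file the scanner removed
            reasons.append("missing-file")
        ext = ntpath.splitext(resolved)[1].lower()
        if ext not in EXPECTED_EXTENSIONS:     # data that "makes no sense"
            reasons.append("odd-extension")
        if reasons:
            findings.append({"name": name, "data": data,
                             "resolved": resolved, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_REG, sample_exists):
        print(f'"{f["name"]}" -> {f["data"]}  [{", ".join(f["reasons"])}]')
```

On the constructed sample only the "aux" entry is reported, with all three reasons; the wdmaud.drv, l3codeca.acm and iccvid.dll entries pass. A hit on "missing-file" alone is worth a second look before deleting anything, since a legitimate codec can be uninstalled without its entry being cleaned up, which is why the export is kept as a backup first.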