
Regedit & Taskmgr Disabled, NO SAFE MODE!!!

Discussion in 'Virus & Other Malware Removal' started by treverc, Nov 20, 2003.

Thread Status:
Not open for further replies.
  1. treverc

    treverc Thread Starter

    Joined:
    Nov 20, 2003
    Messages:
    23
    I am currently running Win 2000 Pro, I am the only user (administrator rights), and I have searched ALL the other postings I could find, with no luck! When I reboot and press F8, the only thing showing is Windows 2000 (I found this out when trying out a possible solution from another posting). CTRL+ALT+DEL, and taskmgr is greyed out. Regedit (and TaskMgr) are disabled by the Administrator (me?) but I swear I didn't do it! Following is my Hijack Log, AND I've used Ad-Aware and Spy-Bot multiple times! PLEASE HELP!

    Logfile of HijackThis v1.97.7
    Scan saved at 8:49:11 PM, on 11/20/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\svchost.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\ofps.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\winnt\msagent\intl\kb_driver.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\update32.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\winhlp32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\cidaemon.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Administrator\Desktop\New Folder (2)\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [Intl Keys] c:\winnt\msagent\intl\kb_driver.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Global Startup: update32.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    :D
     
  2. zephyr

    zephyr

    Joined:
    Nov 5, 2003
    Messages:
    2,324
    treverc, pursue this site re: a Backdoor Trojan until someone shows up with better advice.

    Obviously the last entry in your log is a reg value that will need to be deleted eventually but other things will also need attention.

    Good luck.
     
  3. treverc

    treverc Thread Starter

    Joined:
    Nov 20, 2003
    Messages:
    23
    I've deleted it with HiJack several times, but it immediately pops right back up, sometimes within seconds, and other times about a minute later!
     
  4. zephyr

    zephyr

    Joined:
    Nov 5, 2003
    Messages:
    2,324
    Try it in Safe Mode.
     
  5. treverc

    treverc Thread Starter

    Joined:
    Nov 20, 2003
    Messages:
    23
    I followed the instructions in windows help, which says, "Reboot, then press F8, then choose Safe Mode", Right? But when I reboot, there is no option for safe mode! Windows 2000 is the only option available. Also, I've run Trend Micro's SysClean program with the latest update available, and since that backdoor troj. has been around since Feb, wouldn't it have found it?
     
  6. zephyr

    zephyr

    Joined:
    Nov 5, 2003
    Messages:
    2,324
    Some Trojan mutants become very stealthy and fool AV programs by taking over a legitimate Windows system file.

    I suggest you get Tauscan and give it a shot at it. There is a free trial version download listed there.

    Beyond that, you could use the Recovery Console to replace the file wuauctl.exe. Before doing so, check it in Windows and report back the properties.

    If you have the FAT32 file system, you can replace the file by booting to a dos session from a boot disk. You're likely NTFS though.
     
  7. zephyr

    zephyr

    Joined:
    Nov 5, 2003
    Messages:
    2,324
    The correct version of wuauclt.exe
    that is in Windows\system32\ is 5.4.3630.1106 (xpsp1.020828-1920) and 136 KB (139,776 bytes).

    If yours is different than that, I would be highly suspicious.

    This Trojan is tough to detect and tough to remove. It disables Regedit so you can't delete the Run Key, as you have found out already. Then it disables Task Manager so you can't end its process and then delete the file that way, since it is always in use.

    Pretty sneaky stuff but you can beat it I'm sure.

    Post back any progress and perhaps someone who has actually had this critter and knows how to defeat it will chime in.
     
  8. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,400
    First Name:
    James
    The only thing that I have seen do the same things you've mentioned is the MSBLASTER. You might want to also check for all files with .SCR extension. Some of those files may be a worm.
    Lastly, the HijackThis log seems a little small. Please retry with the full list and repost.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;826955 is the information on MSBLASTER
     
  9. treverc

    treverc Thread Starter

    Joined:
    Nov 20, 2003
    Messages:
    23
    The closest I have to the file you described is in C:\WINNT\system32 and it is called wuauclt.exe. Is this the right file? Mine has a version 5.4.3630.2554, and is 138k (141,312 bytes). I did run a hotfix from microsoft for the msblaster virus a while back, so is this a bad file?

    I also just downloaded tauscan and ran it twice; the first time it quit responding, same thing the second time. The second time it stopped it was 45% completed, and stopped when it hit C:\WINNT\MSagent\intl\pswdnt.exe

    I will run it a third time right now, but I don't know if this is pertinent or not.

    I am NTFS, but I've never run the Recovery Console before.
    Do I need to locate my Windows 2000 CD before I can replace the file? or can I use a file off the net and use my jumpdrive to do it?

    Thanks for your help so far!
     
  10. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,400
    First Name:
    James
    did you look for .SCR files?
     
  11. zephyr

    zephyr

    Joined:
    Nov 5, 2003
    Messages:
    2,324
    I'll have to defer to a Win 2k user to guide you there. I just noticed that you are running 2k and my file reference was to the XP version and location. Sorry if I run you up the wrong path.

    Keep plugging away with Tauscan and in the meantime perhaps a 2k user will drop in and lend a hand.

    Also consider what Tidus4Yuna offered. I don't think your AV would have overlooked the Blaster Worm but it wouldn't hurt to check out the link referenced and see if the files mentioned there are on your drive.

    This seems more like the Backdoor.clt than the Blaster but who can say at this point.
     
  12. treverc

    treverc Thread Starter

    Joined:
    Nov 20, 2003
    Messages:
    23
    Tidus4Yuna

    Okay. First, the Hijack log is all there is; I use my computer mostly for business and don't do a whole lot of surfing on it. I did remove a few things the first time I ran it, and will include the log at the end of this.

    I just saw the link you showed me, and checked. There are no files of the type they said to look for. I did have the MSBLASTER problem at one time, so I'm a little bit familiar with it. This problem, however, didn't crop up until after I fixed the MSBLASTER problem.

    When I ran TAUSCAN the 3rd time, it quit responding at the same spot as the earlier message, exactly.

    Finally, I did a search for *.scr files, and I've got a bunch of them.
    I'm not sure how to tell if they are worms or not.

    Here's my original Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:59:31 PM, on 11/20/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\svchost.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\ofps.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\winnt\msagent\intl\kb_driver.exe
    C:\WINNT\system32\mplupdate.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\System32\cidaemon.exe
    C:\WINNT\system32\hpoipm07.exe
    C:\WINNT\explorer.exe
    C:\Program Files\ACD Systems\ACDSee\ACDSee.exe
    C:\WINNT\hh.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\New Folder (2)\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9885/search/search.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Intl Keys] c:\winnt\msagent\intl\kb_driver.exe
    O4 - HKLM\..\Run: [Windows Update] mplupdate.exe
    O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: update32.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
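Added example, not from this thread, from HijackThis, or from any of the posters: a small Python triage script that applies the checks raised in the posts above to log lines copied from the log just posted. It flags a binary that only belongs in system32 running from elsewhere (C:\WINNT\svchost.exe), an executable sitting directly in the all-users Startup folder, a RunServices entry, a Run entry named "Windows Update" that launches something other than wuauclt.exe, an IE Search Bar pointing at an unknown host, and the O7 DisableRegedit policy. The trusted-domain list, the expected-binary mapping and the severity labels are this example's assumptions.

```python
"""Triage a HijackThis-style log for the indicators discussed in this thread.

Added example; heuristics, domain list and severities are assumptions, not
HijackThis logic. Sample lines are copied from the log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Binaries that only legitimately run from %SystemRoot%\system32 (Win2000/XP layout).
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "spoolsv.exe", "wuauclt.exe"}
# O7 policy values a single-user workstation should not have set.
RESTRICTIVE_POLICIES = {"DisableRegedit", "DisableTaskMgr"}
# Run-key display names tied to one Windows binary; a different binary is impersonation.
EXPECTED_BINARY = {"windows update": "wuauclt.exe",
                   "synchronization manager": "mobsync.exe"}
# Hosts an IE start page / search bar may point at without comment (assumed).
TRUSTED_DOMAINS = {"google.com", "msn.com", "microsoft.com"}

PROCESS_RE = re.compile(r"^([A-Za-z]:\\.+\\)([^\\]+\.exe)$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices): \[(.+?)\] (.+)$")
GLOBAL_RE = re.compile(r"^O4 - Global Startup: (.+)$")
O7_RE = re.compile(r"^O7 - (HK\w+)\\(.+), (\w+)=(\d+)$")
R_RE = re.compile(r"^R[01] - .+,(Start Page|Search Bar|SearchURL) = (\S+)$")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line: str
    reason: str


def _host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious indicator, in log order."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            m = PROCESS_RE.match(line)
            if m:
                directory, name = m.group(1).lower(), m.group(2).lower()
                if name in SYSTEM32_ONLY and not directory.endswith("\\system32\\"):
                    findings.append(Finding("high", line, f"{name} running outside system32"))
                if "\\start menu\\programs\\startup\\" in directory:
                    findings.append(Finding("high", line, "executable dropped directly into a Startup folder"))
            continue
        if m := O7_RE.match(line):
            hive, key, value, data = m.groups()
            if value in RESTRICTIVE_POLICIES and data != "0":
                findings.append(Finding("high", line, f"{value}={data} set under {hive}\\{key}"))
        elif m := O4_RE.match(line):
            _hive, key, name, cmd = m.groups()
            binary = cmd.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
            if key == "RunServices":
                findings.append(Finding("medium", line, "RunServices entry (rarely used by legitimate software)"))
            expected = EXPECTED_BINARY.get(name.lower())
            if expected and binary != expected:
                findings.append(Finding("high", line, f"'{name}' entry launches {binary}, not {expected}"))
        elif m := GLOBAL_RE.match(line):
            target = m.group(1).split(" = ")[0]  # shortcuts appear as "name.lnk = target"
            if not target.lower().endswith(".lnk"):
                findings.append(Finding("high", line, "bare executable in the all-users Startup folder"))
        elif m := R_RE.match(line):
            setting, url = m.groups()
            if not _host_trusted(url):
                findings.append(Finding("medium", line, f"IE {setting} points at an untrusted host"))
    return findings


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\update32.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9885/search/search.html
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Update] mplupdate.exe
O4 - HKLM\..\RunServices: [Windows Update] mplupdate.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: update32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The script weights the process list and the startup locations rather than the O7 line alone: a registry value that comes back seconds after deletion, as reported earlier in the thread, is being re-written by something that is running, so the process that owns it has to go before the policy fix will stick.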
     
  13. treverc

    treverc Thread Starter

    Joined:
    Nov 20, 2003
    Messages:
    23
    Here's the list of my *.scr files. All of them seem legit, as in duplicate files are there, except for Channel Screen Saver.scr, which seems a little suspicious.


    logon.scr
    scrnsave.scr
    Channel Screen Saver.scr
    ss3dfo.scr
    ssbezier.scr
    ssflwbox.scr
    ssmarque.scr
    ssmaze.scr
    ssmyst.scr
    sspipes.scr
    ssstars.scr
    sstext.scr
     
  14. zephyr

    zephyr

    Joined:
    Nov 5, 2003
    Messages:
    2,324
    Try this free online trojan scan since Tauscan is giving you so much trouble. Maybe the trojan has a hand in that as well. Read closely what it says on that page about trojans also.

    P.S. I see ofps.exe in your new log, and that's suspicious also.
     
  15. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    32,400
    First Name:
    James
    C:\WINNT\hh.exe needs to be deleted.
     
Short URL to this thread: https://techguy.org/181235

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice