
[Resolved] task manger disabled

Discussion in 'Virus & Other Malware Removal' started by sgeva2001, Oct 14, 2003.

  1. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    I have XP PRO and I am a user with full permission.
    I removed BPROTECED 2003.
    After that action I get the message "task manager disabled" when I try to see the tasks which run, and also I cannot run the command prompt.
    Both problems, I am sure (because when it was working it created the same action), are from BPROTECED 2003 which I removed.
     


  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or

    even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    I want to add that 2 super users are defined on this computer but only one has this problem.

    Logfile of HijackThis v1.97.2
    Scan saved at 07:32:48, on 15/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    F:\Programs\Ghost\GHOSTS~2.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Programs\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    F:\Programs\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\System32\MSSVC.EXE
    C:\WINDOWS\System32\ctfmon.exe
    F:\Programs\ZoneAlarm\zapro.exe
    F:\Programs\Norton CleanSweep\csinsmnt.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\eMule\emule.exe
    F:\Programs\YahooPOPs_05\YahooPOPs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Download\UNZIP\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzit.co.il/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - G:\PROGRA~1\FLASHGET\jccatch.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - G:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [SysPool] C:\WINDOWS\System32\MSSVC.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = F:\Programs\ZoneAlarm\zapro.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = F:\Programs\Norton CleanSweep\csinsmnt.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-shaul.html
    O8 - Extra context menu item: Handle with &Hot Keyboard - F:\Programs\Hot Keyboard Pro\IEScript.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Omniquad MyPrivacy (HKLM)
    O9 - Extra 'Tools' menuitem: Omniquad MyPrivacy (HKLM)
    O9 - Extra button: AccountLogon (HKCU)
    O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: Broadbase E-Service LiveA - https://help1.bankleumi.co.il/EU_bashan/eu1.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {763C10EE-E4C6-49AA-9325-F15ABF1C52B0} (X1 DownloadControl Class) - http://www.x1.com/products/X1WebInstall.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37726.9084837963
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6CAEC055-86FD-4C1F-BFB7-304744F17A25}: NameServer = 192.116.202.222 192.116.192.9
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    I assume bprotected is some sort of net nanny type tool preventing access to either parts of the net or to stop a lot of fiddling with system files in the computer.

    The way to overcome problems with it is to reinstall it, then if you are an authorised user, you will have the passwords and in its menu will be whatever options are set.

    Use the correct options to put everything back to normal, then if you don't like the program uninstall it properly with its own uninstaller.

    Most of these programs make changes to the registry to disable various functions, and when the program is removed the changes are left.

    The only way to reverse the changes is from inside the program; for obvious reasons passwords are normally needed.
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have a version of the "spybot" worm/trojan. Some of these can be very difficult and require reinstalls to reset administrative privileges. Perhaps we will be more lucky with this as it seems to have a conventional startup.

    First, since you cannot use Task Manager (c:\windows\system32\taskmgr.exe), try one of two things:

    > copy it to another folder such as My Documents and rename it: taskmgr.com

    Does it run? If so, terminate the process

    MSSVC.EXE

    And then go to the c:\windows\system32 folder and delete the file.

    Use HijackThis to check and fix:

    O4 - HKLM\..\Run: [SysPool] C:\WINDOWS\System32\MSSVC.EXE

    If that does not work, try rebooting in Safe Mode: either press the f8 key promptly on rebooting and select it from the Boot Menu, or run msconfig and select the /safeboot option under the boot.ini tab. If msconfig does not run, find that and temporarily rename it msconfig.com and run it.

    In Safe Mode delete the mssvc.exe file and use HijackThis to clean the registry entry.


    For your next log, we need to see a STARTUPLIST, emphasized because this is different from the Scanlog. Post the Startuplist this way: In HijackThis, click Config > Misc Tools, put a check in "display minor sections" and then click Generate Startuplist and copy/paste that here.
     
  6. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    thank you

    1. I copied task manager to another place but it keeps being disabled.
    2. The other user does not have this problem, so I stopped THE PROCESS MSSVC. But when I log in to my user account I still cannot operate the task manager.
    3. I am sure the problem comes from BPROTECED, which normally protects files and dirs from other users.
    4. What about "system restore",
    or deleting all the keys which I can find in the registry through the other user,
    or reinstalling the program again?

    Which one of the 3 possibilities is better?

    thanks
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You didn't post the startuplist as suggested, but if you are getting a "message" that taskmanager is disabled by the "system administrator" then there should be a registry setting for it.


    Can you run regedit ?

    If so, collapse the registry file tree completely and click Edit > Find.

    Enter:

    DisableTaskMgr

    and hit Find Next.

    Right click on and delete all hits you get. Press f3 to continue the search through the entire registry. This can be found in more than one place.

    http://www.winguides.com/registry/display.php/163/

    I believe System Restore should also work to reset settings as well, as long as you have administrative privileges.

    By the way, mssvc.exe is also associated with something called "Stealth Disk"; this is not viral, but has also caused some problems.
     
  8. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    thank you

    1. I found in REGEDIT of the other user DisableTaskMgr with value 1. I changed it to 0 and it solved the problem of taskmgr.
    2. But still I cannot run "command prompt" and "regedit" from the user with the problem.

    Here is the startuplist:

    StartupList report, 16/10/2003, 07:58:16
    StartupList version: 1.52
    Started from : F:\Download\UNZIP\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    F:\Programs\Ghost\GHOSTS~2.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Programs\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    F:\Programs\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\System32\MSSVC.EXE
    C:\WINDOWS\System32\ctfmon.exe
    F:\Programs\ZoneAlarm\zapro.exe
    F:\Programs\Norton CleanSweep\csinsmnt.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\mspaint.exe
    C:\WINDOWS\System32\svchost.exe
    F:\Programs\Babylon\Babylon.exe
    F:\Download\UNZIP\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    ZoneAlarm Pro.lnk = F:\Programs\ZoneAlarm\zapro.exe
    CleanSweep Smart Sweep-Internet Sweep.LNK = F:\Programs\Norton CleanSweep\csinsmnt.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    Run StartupMonitor = StartupMonitor.exe
    CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
    SysPool = C:\WINDOWS\System32\MSSVC.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=apitrap.dll

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    CCHelper - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll - {0CF0B8EE-6596-11D5-A98E-0003470BB48E}
    (no name) - G:\PROGRA~1\FLASHGET\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
    (no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [X1 DownloadControl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\X1WebInstall.ocx
    CODEBASE = http://www.x1.com/products/X1WebInstall.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37726.9084837963

    [YahooYMailTo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [LauncherV1 Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\launcher.ocx
    CODEBASE = http://irc.nana.co.il/Cabs/launcher.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    GhostStartService: F:\Programs\Ghost\GHOSTS~2.EXE (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    IIS Admin: C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)
    Intel(R) Active Monitor: C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe (autostart)
    RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    iSMBIOS: \??\C:\WINDOWS\System32\drivers\iSMBIOS.SYS (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    LicCtrl Service: C:\WINDOWS\runservice.exe (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Norton AntiVirus Auto Protect Service: C:\Program Files\Norton AntiVirus\navapsvc.exe (autostart)
    Norton Unerase Protection: F:\Programs\Norton Utilities\NPROTECT.EXE (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart)
    SIODRV: \??\C:\WINDOWS\System32\drivers\SIODRV.SYS (autostart)
    Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)
    Speed Disk service: F:\Programs\SPEEDD~1\nopdb.exe (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
    TrueVector Internet Monitor: C:\WINDOWS\system32\ZONELABS\vsmon.exe -service (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

    --------------------------------------------------
    End of report, 13,311 bytes
    Report generated in 0.266 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The restriction commands for regedit and cmd are as follows:

    DisableRegistryTools
    DisableCMD


    I'm a little fuzzy as to whether we are talking about two machines here or one. How did you search the registry without being able to open regedit?

    HijackThis will allow you to restore regedit; somehow I missed this in the first Scanlog:

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Just check and "fix" that.

    I also strongly advise checking and fixing:

    O4 - HKLM\..\Run: [SysPool] C:\WINDOWS\System32\MSSVC.EXE

    and deleting the mssvc.exe file itself, if you don't know what it is.

    Be sure to terminate the process before doing the "fix" and then delete the actual file entry or you may get an "access denied" message.
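    The two checks in the last two replies (the DisableTaskMgr / DisableRegistryTools / DisableCMD policy values, and the unexplained [SysPool] MSSVC.EXE autorun) as a small triage script over a HijackThis scan log. This is an added example, not a tool from the thread; the sample lines are copied from the scan posted above, and KNOWN_GOOD is an assumed allowlist standing in for what the operator can account for on their own machine.

```python
"""Triage a HijackThis scan log: flag policy values that disable Task Manager,
regedit or cmd, and Run-key autoruns the operator does not recognise.

Added example; SAMPLE_LOG is copied from the thread's scan log and KNOWN_GOOD
is an assumed allowlist of executables the operator can account for."""
import ntpath
import re
from dataclasses import dataclass

# Policy values under ...\Policies\System named in the thread. A value that
# is present and non-zero locks that tool for the affected user.
RESTRICTION_VALUES = {
    "DisableTaskMgr": "Task Manager",
    "DisableRegistryTools": "Registry Editor",
    "DisableRegedit": "Registry Editor",
    "DisableCMD": "Command Prompt",
}

# O7 - <policy key>, <value name>=<data>
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<name>\w+)=(?P<data>\S+)$")
# O4 - HKLM\..\Run: [<entry name>] <command line>  (Global Startup lines are skipped)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Constructed sample: the O4/O7 lines from the first scan log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SysPool] C:\WINDOWS\System32\MSSVC.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = F:\Programs\ZoneAlarm\zapro.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumption: lower-cased file names of autoruns the operator recognises.
KNOWN_GOOD = frozenset({"navapw32.exe", "startupmonitor.exe", "taskswitch.exe", "ctfmon.exe"})


@dataclass
class Finding:
    kind: str    # "policy" or "autorun"
    name: str    # registry value name, or the Run entry's [name]
    detail: str  # policy key path, or the autorun command line
    line: str    # the log line that produced the finding


def executable_name(cmd: str) -> str:
    """Lower-cased file name of the program a Run entry launches, ignoring arguments."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    if not m:
        return ""
    return ntpath.basename(m.group(1) or m.group(2)).lower()


def analyze(log_text: str, known_good: frozenset = KNOWN_GOOD) -> list:
    """Return policy restrictions and unrecognised Run-key autoruns found in a scan log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o7 = O7_RE.match(line)
        if o7:
            if o7["name"] in RESTRICTION_VALUES and o7["data"] != "0":
                findings.append(Finding("policy", o7["name"], o7["key"], line))
            continue
        o4 = O4_RE.match(line)
        if o4 and executable_name(o4["cmd"]) not in known_good:
            findings.append(Finding("autorun", o4["name"], o4["cmd"], line))
    return findings


def remediation(f: Finding) -> str:
    """The fix applied in the thread: delete the policy value, or clean the autorun."""
    if f.kind == "policy":
        return f'reg delete "{f.detail}" /v {f.name} /f'
    return (f"Terminate the running process first, then fix the O4 entry [{f.name}] in "
            f"HijackThis and remove {f.detail} if you cannot account for it")


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding.kind}] {finding.name}: {finding.detail}")
        print("   ->", remediation(finding))
```

Run against the sample it reports exactly the two items the thread ended up fixing: the [SysPool] autorun and the DisableRegedit policy value, with the reg.exe command that removes the latter.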
     
  10. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    thank you very much.
    you help me.
    simply great.

    1. We are 2 users on this one computer and the other user does not have these problems, and I entered regedit through his account.
    2. You are absolutely right about MSSVC.EXE -- it is Backdoor.IRC.PSK, a Trojan Horse that gives its author unauthorized access to a compromised computer.

    I repaired it by hand in regedit because it stopped appearing in HijackThis, and also deleted the program.
    It is strange that NORTON ANTIVIRUS failed to discover and repair it.

    3. I did not understand your saying "You have a version of the "spybot" worm/trojan. Some of these can be very difficult and require reinstalls to reset administrative privileges"
    You mean my version of SPYBOT is not good and not to use it?
    To replace it with something else?

    thank you again
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're welcome.

    Just to clear up the confusion about "spybot". I'm not referring to the adware cleaning program (Search and Destroy), but the "spybot" worm. Mssvc.exe has been used with that as well. It is not, in and of itself, a malicious file from what I can learn, but is also used with a "legitimate" program called "stealthdisk", which is probably why it is not being detected by antivirus programs. That's unfortunate, because it is often the only obvious sign of infection other than the symptoms themselves, which include loss of administrative privileges.

    Some of the mssvc.exe infections have permanently corrupted administrative privileges. That does not appear to be the case with yours, but you should check that out thoroughly on the affected machine.
     
  12. sgeva2001

    sgeva2001 Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    238
    thank you again

    How can I check thoroughly that administrative privileges have not been corrupted?
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    As I remember, when this problem has plagued some, they were unable to open the Services profile in Administrative Tools and view or change properties settings. It may also not be possible to create or modify new or existing profiles.

    Also, trying to run certain programs such as cmd.exe continued to give administrative access errors even after the typical registry disable entries were removed or were not present to begin with.

    In any case you will continue to encounter "administrative restrictions".

    Assuming this is not the case now, I will "tentatively" mark this "resolved". Let me know if it isn't.
     
  14. Pleazin4u

    Pleazin4u

    Joined:
    Oct 19, 2003
    Messages:
    224
    HELP!!! A few months back I got some "free on-line help" from the company I bought the computer from... They had me disable my task manager. I want to re-enable it... I tried to run regedit; it is also disabled by the administrator.
     
Short URL to this thread: https://techguy.org/171936
