Task Manager woes


30 replies to this topic

#1 TomfromUofCincy

TomfromUofCincy

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 04 June 2009 - 06:39 PM

Well, I surfed your forums for awhile and tried many of my own fixes to no avail.

I am working on a computer that was brought in to me with a malware problem. I am an IT student and find myself pretty coherent on PC issues.

This virus etc did many things to the system:
1) Changed the background screen to look like windows blue screen anti virus dump
a) Disabled the display properties so background could not be changed
2) disabled CMD prompt
3) disabled Task manager
4) DELETED A/V software
5) prevented any A/V software from being loaded and / or run
6) " " Anti spyware (Ad-aware, Spybot SD) "" ""

Not to mention it gave me a huge headache and has brought me to seek help.


I went into msconfig and saw some things that appeared malicious set for startup
This was a .EXE that was doc and settings all users....the name was MC5753.EXE, I have researched MC5753 and have found nothing on it. This was in msconfig twice.

There was some malware program installed by the virus that I went into the hidden folders and deleted, it never showed up on add/remove programs.

I was finally able to run MalwareBytes (love that program btw)
It found a couple things (I still have that log) and fixed them.

After that, I was able to re-install the McAfee A/V and run a system check.....looks clean no hits detected

Upon further inspection everything worked great EXCEPT: Task Manager

I cannot open Task manager at all.
I tried right click the tray
I tried CTRL-Alt-Del
I tried the run screen and manually typed in
Nothing works.

So for a fix (Since I do not have a back up image of this computer)
I tried to run a windows xp repair.....Didn't work!
I tried manually taking the task manager files off the windows disk and manually installing them.....didn't work!

I checked google (and tried some things on this site) and went into the registry to look around. I found a task manager disable registry fix that I tried.....that didn't work either.

I am now at a loss.

I have all the MBAM logs, and a hijack this 2.0 log.

please let me know if any of you can give me some insight on what I am missing here. :thumbsup:

Thanks in advance

Tom
"Pull your tank behind me... I'm the 82nd Airborne Division and this is as far as the bastards are going." - PFC Martin "Battle of the Bulge"


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:45 AM

Posted 04 June 2009 - 07:05 PM

Try the fix at Kelly's Korner.

Enable the Task Manager - #113 on the left.

Right click on it and save the .reg file to your desktop. Then, double click on the file icon (on your desktop) to merge it into your registry. You may need to reboot your computer for the changes to take effect.

With any fix like this you should create a new restore point and backup the registry first. For backing up the registry I like to use ERUNT.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 TomfromUofCincy

TomfromUofCincy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 04 June 2009 - 07:23 PM

Downloaded it to desktop, ran it.
Restarted, still no Task Manager.

I can add, what the malicious software that was added was. I promptly deleted it (I know I should have gone a little slower)
it was malware catcher 2009.
I am going to do a google search on malware catcher 2009 and see if that helps.

I am really wondering if I have been hit by a virus on day zero?

Thanks for taking a stab at it though, I appreciate it.
"Pull your tank behind me... I'm the 82nd Airborne Division and this is as far as the bastards are going." - PFC Martin "Battle of the Bulge"

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:45 AM

Posted 04 June 2009 - 07:25 PM

Please print out and follow these instructions: "How to use SDFix". This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 TomfromUofCincy

TomfromUofCincy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 04 June 2009 - 07:55 PM

I am running SDFix right now. I noticed as I was on the internet of this "other" computer when I turned back to the broken one the screen was black.....meaning there were no icons, no SDFix blue screen only safe mode written in the corners. Is this normal for SDFix? Or did I miss something in between it running and not watching it?

Edited to add:
Since it wasn't in the directions anywhere I figured something malfunctioned.
I restarted the computer again in Safe Mode......Ran the bat file and it came up with the blue screen saying it is running then it just disappeared a couple minutes later.

Somehow SDFix isn't working or is it?

Edited again to add:
I just looked at it again.
It gets to the blue screen where it says "checking programs and services" then it seems to die.

Edited by TomfromUofCincy, 04 June 2009 - 08:23 PM.

"Pull your tank behind me... I'm the 82nd Airborne Division and this is as far as the bastards are going." - PFC Martin "Battle of the Bulge"

#6 TomfromUofCincy

TomfromUofCincy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 04 June 2009 - 09:17 PM

Well it is about time to shut down shop. 6 solid straight hours of working on this thing has made me tired :thumbsup:
Thanks for the help thus far. I am sure we will figure it out eventually.

I will check in on this after my exam tomorrow (XML FTW).

Just a thanks to any and all suggestions upfront.

Tom
"Pull your tank behind me... I'm the 82nd Airborne Division and this is as far as the bastards are going." - PFC Martin "Battle of the Bulge"

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:45 AM

Posted 04 June 2009 - 10:52 PM

You could try #51 on the right at Kelly's Korner.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 joseibarra

joseibarra

  • Members
  • 1,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:03:45 PM

Posted 05 June 2009 - 09:48 AM

Task Manager will not run if it is disabled in the registry.

CTRL+ALT-DEL will not work if it is disabled in the registry.

Both of these are generally controlled through the Group Policy Editor, or by manipulating the registry by hand, or perhaps malicious software had adjusted the registry for you.

The fixes at Kellys Korner will put the registry in such a state to enable CTRL-ALT+DEL and allow the Task Manager to run if (somehow) it was disabled. They are safe to run.

You could search your registry for DisableTaskMgr and DisableCAD to see if those entries exist (they may not) and if they are set to 1 (which means yes). If they are missing, that is fine. If they are set to zero, that is fine.

Another way to invoke TM is to try CTRL+SHIFT+ESC. I don't know if there is a way to turn this off in the registry, but you can try it.

Manipulate yourself to a command prompt (Start, Run, cmd <enter>) and get into the c:\windows\system32 folder.

There is a taskman.exe and taskmgr.exe. You want to try to run the taskmgr.exe from the command prompt. It may also reveal an error message you might not see from the Windows GUI.

This also eliminates the possibility of any CTRL+ things being disabled in the registry.

The taskman.exe will not do it. Is that what you were trying to run instead of taskmgr?

If taskmgr.exe will not run from the command prompt, copy it to some other name - cincy.exe sounds good :thumbsup:

See if cincy.exe will run and bring up Task Manager.

If cincy.exe runs and taskmgr.exe does not, you probably still have some infection that will not allow taskmgr.exe to appear as a running task just because of the name, or your registry settings will not allow it.

If neither taskmgr.exe or cincy.exe behave, the taskmgr.exe file may be damaged.

There should be another copy on your system in the i386 or servicepackfiles\i386 folder. Try one of those, or search your drive for another taskmgr.exe and try the one you find to see if it works (from the command prompt).

You could use a thumb drive to copy in a taskmgr.exe that you know works from another computer.

You could also extract one from your XP CD, but that is more like work.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.
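
The registry check described in the post above, as an added example that is not part of the original post: a Python parser for a regedit export that reports each DisableTaskMgr and DisableCAD value and whether it is set to 1. The export text, the key paths in it, and the function names are constructed for illustration.

```python
import re

# Value names the post above says to search for; 1 means the restriction is on.
WATCHED = {"disabletaskmgr", "disablecad"}

# Constructed sample in regedit's export format (not taken from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"disabletaskmgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000001
"Shell"="Explorer.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode_export(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def parse_values(text: str):
    """Yield (key_path, value_name, raw_data) for each named value in the export."""
    key, pending = None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):          # hex data wrapped onto the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)

def policy_findings(text: str):
    """Return (key, name, state) per watched value: 'set' (1), 'clear' (0) or 'review'."""
    findings = []
    for key, name, raw in parse_values(text):
        if name.lower() not in WATCHED:  # registry value names are case-insensitive
            continue
        m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw.strip())
        value = int(m.group(1), 16) if m else None
        state = {1: "set", 0: "clear"}.get(value, "review")
        findings.append((key, name, state))
    return findings

if __name__ == "__main__":
    for key, name, state in policy_findings(SAMPLE_EXPORT):
        print(f"{state:6} {name:15} {key}")
```

A value that is absent from the export produces no finding, which matches the post's "if they are missing, that is fine".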


#9 TomfromUofCincy

TomfromUofCincy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 05 June 2009 - 10:04 AM

Thanks guys. I just got in this morning.

I am going to try Kellys Korner #51.

Jose:
I already tried to adjust the registry by hand with no results.
I tried the Kellys Korner 131 (I think that's the number)

I also already tried copying over the task manager files from the windows CD.
I also tried to run the task manager (in all forms you suggested) from the command prompt it didn't help.

I have not tried to copy it to another name....That may be a good way to test what may be wrong with it.

Thanks for the suggestions guys.
"Pull your tank behind me... I'm the 82nd Airborne Division and this is as far as the bastards are going." - PFC Martin "Battle of the Bulge"

#10 TomfromUofCincy

TomfromUofCincy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 05 June 2009 - 10:29 AM

Quick update: Tried Kellys Korner fix #51
That didn't work either.

The next step may be to rename it but I am not sure that will fix our problem.

Tom
"Pull your tank behind me... I'm the 82nd Airborne Division and this is as far as the bastards are going." - PFC Martin "Battle of the Bulge"

#11 joseibarra

joseibarra

  • Members
  • 1,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:03:45 PM

Posted 05 June 2009 - 10:44 AM

It is unlikely a registry problem unless you have been tinkering with Group Policy editor. Those entries are not in the registry by default. GPEDIT puts them there when you change the options. I suppose a human could put them there by hand if they knew exactly what to put in - the same for malware.

If the DisableTaskMgr option was present and set to 1, you would get a message saying TM was disabled by your administrator.

You cannot (or at least I cannot) just copy the file from your CD. You would have to expand the compressed taskmgr.ex_ file. The taskmgr.exe file does not exist on my CD in executable form - just the compressed one (which will not run). You said you copied the files. Just how did you do that or did you expand them?

You could probably find a copy of taskmgr.exe on your HDD. From the root of the C drive (C:>\) type in: dir taskmgr.exe /s <enter> to search your HDD for files of that name in all subdirectories. From a command prompt of XP Pro SP3, my taskmgr.exe file consumes 135,680 bytes.

If you can't find one, locate the taskmgr.ex_ from your CD i386 folder and copy it into c:\windows\system32

From a command prompt in the c:\windows\system32 folder, enter: expand taskmgr.ex_ taskmgr.exe. Check the size. You can expand the file anywhere you want, so you can do all that in some other folder also.

Edited by joseibarra, 05 June 2009 - 05:53 PM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#12 TomfromUofCincy

TomfromUofCincy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 06 June 2009 - 08:09 AM

Thanks for the help Jose,
I had one of my counterparts try the decompressing. He too is an IT student and pretty good at it.
After class I checked what he did and confirmed he expanded the file in the System32 folder but TM still would not run.

I am starting to wonder if I should run a Hijack this and put it into the other forum?

I am at a loss on what else could be wrong.

I looked through GP Editor this morning and could not find anything bad related to Task manager.

Tom
"Pull your tank behind me... I'm the 82nd Airborne Division and this is as far as the bastards are going." - PFC Martin "Battle of the Bulge"

#13 joseibarra

joseibarra

  • Members
  • 1,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:03:45 PM

Posted 06 June 2009 - 09:14 AM

From a command prompt:

What happened when you tried CTRL+SHIFT+ESC?

Did I miss the part where you tried to run your copy of taskmgr.exe called cincy.exe?

What is the size of your expanded file? Does it match the taskmgr.exe on a system you know works?

Are you sure you are running taskmgr.exe and not taskman.exe?

Did you find other copies of taskmgr.exe on your system and try to run them?

Search for taskmgr.com (it may be hidden) and if you find it, delete it. I have seen regedit.com as a trojan and when you run just regedit, the .com will play (and do nothing) first before the .exe.

Try running taskmgr.exe WITH the extension to make sure there is no .COM coming into play.

When you type in cincy.exe and/or taskmgr.exe <enter> does it just come back to the command prompt? If you run taskman.exe you will not see anything.

Did you say you tried it in Safe Mode?

Just for the halibut, try these other malware programs (I think you have MBAM):

Download, install, update and do a full scan with these three free malware detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/
AVG (AVG): http://free.avg.com/

One AV program in your arsenal is not enough. One program does not know everything.

My faith in Spybot and Ad-Aware has waned, unless you are hungry for cookies.

If you decide to run HijackThis in the appropriate forum, post back here because I will want to try to follow it.

Edited by joseibarra, 06 June 2009 - 09:21 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.
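
The .COM-before-.EXE behaviour described in the post above, as an added example that is not part of the original post: a simplified Python model of how cmd.exe resolves a command name, used to list executables hidden behind a same-named file that is found first. The directory listings and function names are constructed; the extension order is the Windows XP default PATHEXT.

```python
import ntpath

# Default PATHEXT order on Windows XP: .COM is tried before .EXE.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH"]

# Constructed listings (not from the thread), in the order cmd.exe searches:
# the current directory first, then each PATH entry.
SEARCH_DIRS = [
    (r"C:\Documents and Settings\Tom", ["notes.txt"]),
    (r"C:\WINDOWS\system32", ["taskmgr.exe", "taskmgr.com", "taskman.exe",
                              "regedit.com", "cmd.exe"]),
    (r"C:\WINDOWS", ["regedit.exe", "notepad.exe", "explorer.exe"]),
]


def resolve(command, search_dirs, pathext=PATHEXT):
    """Simplified model of cmd.exe lookup: return the path that would run, or None.

    A name typed with an extension is matched exactly; a bare name is tried
    with each PATHEXT extension, in order, one directory at a time.
    """
    typed_ext = ntpath.splitext(command)[1]
    candidates = [command] if typed_ext else [command + ext for ext in pathext]
    for directory, names in search_dirs:
        present = {name.lower(): name for name in names}
        for candidate in candidates:
            if candidate.lower() in present:
                return ntpath.join(directory, present[candidate.lower()])
    return None


def shadowed(search_dirs, pathext=PATHEXT):
    """Return (bare_name, what_runs, what_is_hidden) for every executable that
    typing its bare name would not reach."""
    findings = []
    for directory, names in search_dirs:
        for name in names:
            stem, ext = ntpath.splitext(name)
            if ext.upper() not in pathext:
                continue
            full = ntpath.join(directory, name)
            winner = resolve(stem, search_dirs, pathext)
            if winner.lower() != full.lower():
                findings.append((stem.lower(), winner, full))
    return findings


if __name__ == "__main__":
    for bare, runs, hidden in shadowed(SEARCH_DIRS):
        print(f"typing '{bare}' runs {runs}, not {hidden}")
    print("with extension:", resolve("taskmgr.exe", SEARCH_DIRS))
```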


#14 TomfromUofCincy

TomfromUofCincy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 06 June 2009 - 09:34 AM


What happened when you tried CTRL+SHIFT+ESC?

The same thing as when I try to launch TM any other way. I get the "hour glass" for 1-2 seconds then nothing.

Did I miss the part where you tried to run your copy of taskmgr.exe called cincy.exe?

Yes. Sorry I did not update on that. It too would not run. (I know, hella strange)

What is the size of your expanded file? Does it match the taskmgr.exe on a system you know works?

It said it was 136kb; looks like a match with a healthy system

Are you sure you are running taskmgr.exe and not taskman.exe?

Yes. Very sure. I honestly tried it multiple ways. Also this made me think of running tasklist in cmd prompt and it really didn't show any unwanted processes. The only thing I was concerned about was the possibility of svchost running a few times could be a mask for something malicious.

Did you find other copies of taskmgr.exe on your system and try to run them?

There are no other copies on there that I could see.

When you type in cincy.exe and/or taskmgr.exe <enter> does it just come back to the command prompt? If you run taskman.exe you will not see anything.

It doesn't do anything except you see the hour glass (meaning the drive is thinking) for a couple of seconds.

Did you say you tried it in Safe Mode?

Tried running it in safe mode and it still would not open. I also tried running SD Fix while in safe mode (as per instructions) and it just sorta died in the analyzing system stages.

Just for the halibut, try these other malware programs (I think you have MBAM):

Download, install, update and do a full scan with these three free malware detection programs

Yes I have MBAM, that is what actually fixed ALL the problems Except Task manager. I ran AVG on the system after MBAM and it said the system was clean (same as MBAM said) I will try SAS now. That will be my next update.

If you decide to run HijackThis in the appropriate forum, post back here because I will want to try to follow it.

What are the proper forum procedures for going further with a HJ? Since I am new.... Do I just go to the HJ thread make a link to this thread and then post my log?


The funniest part of this malware/virus/whatever the heck it is, is that all my google searches show nothing.
Like for instance the MC5753.exe file that is in msconfig and set for startup (tried to disable btw it says I have to be admin to make changes...I am logged in as local admin) the MC5753.exe no one seems to have ever heard of it.
Is it possible I hit a virus on a day zero or something? How likely is that?

Thanks again Jose!

Tom
"Pull your tank behind me... I'm the 82nd Airborne Division and this is as far as the bastards are going." - PFC Martin "Battle of the Bulge"

#15 joseibarra

joseibarra

  • Members
  • 1,090 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:03:45 PM

Posted 06 June 2009 - 10:01 AM

The hour glass is new information (I think).

If you see an hour glass, does that mean you are going to Start, Run and typing the command in?

I wish you would try it from a command window - Start, Run, cmd <enter> and CD yourself to c:\windows\system32 and type in both taskmgr.exe and cincy.exe - there will be no hour glass. It might not do anything either.

Be sure you use the .EXE extension to rule out the possibility of a bogus .COM with the same name.

Are there any clues in the Event Viewer?

I'm getting a little annoyed about this!

Edited by joseibarra, 06 June 2009 - 10:04 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.




