Aces High Bulletin Board
General Forums => Hardware and Software => Topic started by: Denholm on December 10, 2008, 06:59:56 PM
-
It's got a very pesky bug...
Anyways, let me get started explaining the situation. Firstly, the bug will disable the Task Manager in a way that you can only access the "Applications" tab of the utility and nothing else. The bug also prevents explorer.exe from starting, and if it does manage to start, it only stays up a minute maximum before going offline again. Not a problem though, I can still browse the computer's folders through the task manager's browse feature to launch new processes.
Now this is the interesting part. When my neighbors first got the bug they installed PC Tools Spyware Doctor (Free Version) because they read it was the best. So, I used the utility to see if it could find the bug, or some of the bugs. Well, after the scan finished it found a Virtumonde entry that appeared to have listings of the bug I am encountering. Spy Doctor reported that Virtumonde was embedded into WinMgmt.exe and some other critical OS processes making it impossible to not boot the virus (Yup, even from safe mode) to get rid of it. UNFORTUNATELY it was the free version, and the utility would not remove the bug. Afterward we waited (was late that evening) and the next day I returned with a flash drive and a copy of VundoFix.exe. This utility will supposedly find and eliminate the Vundo virus (Virtumonde is a form of the Vundo Virus.)
When I launched the VundoFix.exe utility, it returned an error:
Run-time error '-2147023174 (80070706ba)';
System Error &H800706BA (-2147023174). The RPC server is unavailable.
Alright, no big deal, I'll just start the RPC server / service. *Cough* WRONG! Well, surprise surprise. The virus restructured itself. Now the services can no longer be accessed, instead this error is returned:
Unable to open service control manager database on .
Error 1307: This security ID may not be assigned as the owner of this object.
Well, I'm logged in as the administrator, so this is strange. Well, I carry on and attempt to run an online scan with NOD32 or the OneCare safety scan. Unfortunately, neither Firefox nor Internet Explorer manage to connect to websites. So I check the connections panel. Well, that doesn't load. So I decide to download the trial version of NOD32 and Ad-Aware 2008 to install onto the system. Well, I stick in the flash drive and upon attempting to install the antivirus another error is returned that the Windows Installer Service is offline and can't be reached. That's just great, since I can't access the services of the system to activate any of these crucial services. So obviously installing bug removal software is out of the question.
This virus just has me beat. I'm going to try one more thing, which is the last idea I have before giving up and suggesting a reformat. My question is in regards to this virus. Can anyone suggest something that will unlock the services and Internet so that I can launch the Windows Installer service and access the web to get the latest security definitions? Or does anyone else agree with me and think this is a lost cause?
A side-note. Could the hard-drive jumper setting have anything to do with this? I managed to forget which slot it was in when I took it out to set the hard-drive as slave so that I could scan it on a different system (No, that other computer did not get infected.) The reason I'm asking, when I set the jumper as primary the Dell BIOS doesn't recognize the hard drive. However when I pull the jumper out, set it as CS, or set it in a slot without a label, the BIOS picks it up and boots without a hitch. There's one jumper setting that I have not tried out yet. It's labeled PM2.
Anyways... Thanks in advance for any assistance. Been battling this sucker for quite some time now. :(
-
Honestly, the three times I've had viruses on my main machines in 8 years (both my fault and others using it), I generally just end up saying 'F it' if I cannot remove the virus within say 30 minutes. I back up what I haven't backed up before (backing up files is a religion to me) and I format. I generally format about once a year, and with the infrequency I have with virus problems, I don't lose too much sleep.
I find comfort in knowing I'm just wiping the slate clean. I'd rather not spend X hours trying to find where it's embedded and trying to remove all of it only to find out that I didn't get all of it and it's back with a vengeance.
-
I'm at about the point where I am going to suggest reformatting. However I have a knack for negotiating situations instead of nuking them. ;)
-
I'm at about the point where I am going to suggest reformatting. However I have a knack for negotiating situations instead of nuking them. ;)
(http://farm3.static.flickr.com/2224/1800234736_7861106fbe.jpg?v=0)
-
Try NOD32 from ESET. www.eset.com (http://www.eset.com) Get the whole suite. If you're running another AV, firewall etc. disable them. There is a 30-day full working trial version. Usually catches anything before getting onto a system (the suite). It should fix your current situation, but I can't say for sure.
-
+1 for "Don't spend more than 30 minutes on it" advice.
When I'm not writing for a magazine, I'm a professional computer consultant. I clean off about 10 computers a month, and lately I've been encountering more and more machines that just can't reliably be cleaned from the infected machines themselves. I can usually pull the drive and use another machine to clean it to the point where it can run antivirus and antispyware utilities on its own again, and then have a reasonable chance of success against whatever's on it, but even that is no guarantee. And even then, it takes 3 or 4 hours of work.
In less time, I can usually connect another hard drive, boot with a Linux LiveCD, pull off any data files, erase the hard drive (or even better, install a fresh one - these things are usually 3 or 4 years old anyway, and 5 years is an average HD lifespan) and reinstall Windows (or use the vendor's restore CD), and copy the data files back, and the result is a guaranteed clean system. With a new hard drive (that's probably lots faster than the original), the resulting machine is faster too.
And it costs the client less overall.
-Llama
-
I've noticed that particular bug is listed on the Spybot program.
-
Try NOD32 from ESET. www.eset.com (http://www.eset.com) Get the whole suite. If you're running another AV, firewall etc. disable them. There is a 30-day full working trial version. Usually catches anything before getting onto a system (the suite). It should fix your current situation, but I can't say for sure.
*Slams forehead into desk, three times*
I tried that.... As I mentioned, Windows Installer won't start, so I can't install the darn thing. Thanks anyways.
Thanks for the info Llama. I did try something you mentioned, before you mentioned it. I pulled out the disk, stuck it into another system, scanned the infected hard drive, and quarantined any infected files found. However when I took out the infected hard drive and stuck it back into its case the darn thing took 20 minutes to start up. I'm guessing it's because the Windows OS processes are looking for the infected files and it's overloading the processor. So afterward I restored the infected files in hopes of getting the computer to run without such a horrible processor hit. Well, then it restructured itself and now the system is locked down.
GetBack, could I get a link to what you're mentioning?
-
http://www.download.com/Spybot-Search-amp-Destroy/3000-8022_4-10122137.html?tag=mncol;pop
It's located on many sites but I trust cnet.
Best of luck and hope it does the trick.
-
Oooh, I misunderstood something. Spybot is already on that system, but it never picked up the bug.
-
Oooh, I misunderstood something. Spybot is already on that system, but it never picked up the bug.
Is it updated? You may want to try Avast. When installed it runs prior to booting Windows.
-
(http://rofl.wheresthebeef.co.uk/Kill%20it%20With%20Fire%20Aliens.jpg)
Sorry I'm no real help
-
*Slams forehead into desk, three times*
I tried that.... As I mentioned, Windows Installer won't start, so I can't install the darn thing. Thanks anyways.
Thanks for the info Llama. I did try something you mentioned, before you mentioned it. I pulled out the disk, stuck it into another system, scanned the infected hard drive, and quarantined any infected files found. However when I took out the infected hard drive and stuck it back into its case the darn thing took 20 minutes to start up. I'm guessing it's because the Windows OS processes are looking for the infected files and it's overloading the processor. So afterward I restored the infected files in hopes of getting the computer to run without such a horrible processor hit. Well, then it restructured itself and now the system is locked down.
GetBack, could I get a link to what you're mentioning?
You can install an AV on a USB drive, pull the drive and put it as a 2nd drive on another machine.... go into BIOS and have the machine boot from USB stick with an AV on it...
-
Okay. So let me make sure I have this correct so that I don't make errors.
I'm going to install NOD32 onto the removable drive, no special folders? So just straight to the E:\ drive? Want to make sure I get this right the first time. And when it boots, do I have to do anything other than tell the BIOS to boot off the USB stick? Or will the AV automatically start scanning?
-
(http://rofl.wheresthebeef.co.uk/Kill%20it%20With%20Fire%20Aliens.jpg)
Sorry I'm no real help
I'm with Fulmar. Time for a new hard drive.
-
Okay. So let me make sure I have this correct so that I don't make errors.
I'm going to install NOD32 onto the removable drive, no special folders? So just straight to the E:\ drive? Want to make sure I get this right the first time. And when it boots, do I have to do anything other than tell the BIOS to boot off the USB stick? Or will the AV automatically start scanning?
Depends on your install. I would install NOD32 on the USB drive from a clean computer, take the USB to the infected computer and run the software. If that does not clean it, then make a USB boot disk with NOD32 installed and run it.
Agreed with Fulmar about a new drive; they are cheap and this is the least time-intensive. But if you have data that is needed on the current drive, you could risk losing it, so make it a slave or second SATA drive after a new OS install.
-
Alright, working on that now. In the case that this doesn't work, how would I go about making the USB boot disk?
-
Not uncommon for a virus to disable Task Manager.
Happened to me a few times.
Couple of ways to re-enable Task Manager.
BTW if it won't let you do this normally,
try it in safe mode.
http://www.pchell.com/support/taskmanagerdisabled.shtml
Task Manager Has Been Disabled, How to Fix It?
Many times when working on a computer that has been infected with a virus, trojan, or piece of spyware I find myself with the Task Manager being disabled. Malware creators like to disable Task Manager so it makes solving the problem and removing the issue difficult.
If this happens you'll normally have to edit the Windows registry to fix the problem. A restriction has been placed on the user to not allow them to run Task Manager, this might be ok in an office environment where the IT department wants to control things, but in a home office this can cause major problems trying to fix a malware or virus issue.
Listed below you will find the many ways to reenable Task Manager along with an automatic method that works wonders.
To open the Task Manager, you normally would do one of the following:
* Press CTRL-ALT-DEL on the keyboard
* Press CTRL-SHIFT-ESC on the keyboard
* Right-click on a blank area on the start bar and choose Task Manager
* Click on Start, Run and type TASKMGR in the run box and press Enter
Sometimes instead of Task Manager opening you'll see the following screen. In these cases, you'll have to follow the methods below to re-enable access to the Task Manager.
Task Manager has been disabled by your administrator
First we'll begin with the various registry modification methods for correcting this problem.
Method 1 - Using the Group Policy Editor in Windows XP Professional
1. Click Start, Run, type gpedit.msc and click OK.
2. Under User Configuration, Click on the plus (+) next to Administrative Templates
3. Click on the plus (+) next to System, then click on Ctrl+Alt+Delete Options
4. Find Remove Task Manager in the right-hand pane and double click on it
5. Choose the option "Not Configured" and click Ok.
6. Close the Group Policy Window
Method 2: Change the Task Manager Option through the Run line
1. Click on Start, Run and type the following command exactly and press Enter
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Method 3: Change Task Manager through a Registry REG file
1. Click on Start, Run, and type Notepad and press Enter
2. Copy and paste the information between the dotted lines into Notepad and save it to your desktop as taskmanager.reg
------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
-------------------------------------
3. Double click on the taskmanager.reg file to enter the information into the Windows registry
Method 4: Delete the restriction in the registry manually
1. Click on Start, Run, and type REGEDIT and press Enter
2. Navigate to the following branch
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
3. In the right pane, find and delete the value named DisableTaskMgr
4. Close the registry editor
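The four methods above all clear the same DisableTaskMgr policy value. As an added example (not from the thread or from the pchell.com article), this PowerShell script audits that value in both the per-user hive the article edits and the machine-wide policy hive, and with -Fix deletes it the way Method 4 does; the hive paths are the real Windows policy keys, the function name is my own.

```powershell
# Added example: audit (and optionally clear) the DisableTaskMgr policy value.
# Run from an elevated PowerShell prompt; pass -Fix to actually remove it.
param([switch]$Fix)

# The per-user key from the quoted article, plus the machine-wide equivalent
# that Windows also honours when deciding whether Task Manager may run.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-TaskMgrPolicyState {
    # Returns Present/Value/Disabled for DisableTaskMgr under one policy key.
    param([string]$Path)
    $result = [pscustomobject]@{ Path = $Path; Present = $false; Value = $null; Disabled = $false }
    if (-not (Test-Path $Path)) { return $result }
    $item = Get-ItemProperty -Path $Path -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $result }
    $result.Present  = $true
    $result.Value    = [int]$item.DisableTaskMgr
    # Any non-zero value is treated as "disabled", matching the article's fix of 0.
    $result.Disabled = ($result.Value -ne 0)
    return $result
}

foreach ($p in $policyPaths) {
    $state = Get-TaskMgrPolicyState -Path $p
    if ($state.Disabled) {
        Write-Warning "Task Manager disabled by policy at $p (DisableTaskMgr=$($state.Value))"
        if ($Fix) {
            # Same effect as Method 4: delete the restriction rather than set it to 0.
            Remove-ItemProperty -Path $p -Name DisableTaskMgr
            Write-Output "Removed DisableTaskMgr from $p"
        }
    } elseif ($state.Present) {
        Write-Output "DisableTaskMgr present but 0 at $p (no restriction)"
    } else {
        Write-Output "No DisableTaskMgr value at $p"
    }
}

# If the value reappears on a re-run, something still active is re-applying it,
# which is the behaviour the original poster describes with explorer.exe and the
# services; in that case the scan from clean media is the next step, not this script.
```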
-
After you've done that,
download and install Easycleaner
http://personal.inet.fi/business/toniarts/ecleane.htm (GREAT little program)
It helps if you're intimate with what is supposed to be running on boot up,
but often I've found the offending program is obvious.
Once Easycleaner is running,
click the startup box and look for the offending program.
If you see anything unusual,
Google search it to double check it
and/or click Remove.
Then try installing your antivirus.
-
+1 for "Don't spend more than 30 minutes on it" advice.
When I'm not writing for a magazine, I'm a professional computer consultant. I clean off about 10 computers a month, and lately I've been encountering more and more machines that just can't reliably be cleaned from the infected machines themselves. I can usually pull the drive and use another machine to clean it to the point where it can run antivirus and antispyware utilities on its own again, and then have a reasonable chance of success against whatever's on it, but even that is no guarantee. And even then, it takes 3 or 4 hours of work.
In less time, I can usually connect another hard drive, boot with a Linux LiveCD, pull off any data files, erase the hard drive (or even better, install a fresh one - these things are usually 3 or 4 years old anyway, and 5 years is an average HD lifespan) and reinstall Windows (or use the vendor's restore CD), and copy the data files back, and the result is a guaranteed clean system. With a new hard drive (that's probably lots faster than the original), the resulting machine is faster too.
And it costs the client less overall.
-Llama
+1, great advice :aok
-
After you've done that,
download and install Easycleaner
http://personal.inet.fi/business/toniarts/ecleane.htm (GREAT little program)
It helps if you're intimate with what is supposed to be running on boot up,
but often I've found the offending program is obvious.
Once Easycleaner is running,
click the startup box and look for the offending program.
If you see anything unusual,
Google search it to double check it
and/or click Remove.
Then try installing your antivirus.
That's going to be quite useful if I can manage to install it, I already know what I'm looking for. Going to try MSCONFIG first, if it doesn't work I'll install this.
-
Although it's been ages since I had to reinstall XP for any problem outside swapping major hardware, I always partition my hard drives so that I have a completely separate C: partition for the OS. That way I can dump the partition without a second thought if necessary, leaving all my personal data intact on the other partition.
Lately I've also started putting RAID 5 or 10 in my boxes to make sure a single drive failure won't destroy my data. Lost 80Gb with my first RAID 0 experiment - never again I say. :cry
-
Often I find that viruses are aware of the installer names for the popular antivirus/antispyware programs. Sometimes changing the name of the setup program will work. I've seen this many times when trying to use Super Antispyware/Spybot/Grisoft AVG. I usually add a 1 at the end of the file name and it installs fine.
I usually try to avoid wiping the hard drive if at all possible when working with client computers, even though it's how I fix my own, and the only surefire way to fix the problem. There's always some program they've lost the disk to, some obscure thing they were "just sure it was there" that wasn't, and the list goes on.
-
That's going to be quite useful if I can manage to install it, I already know what I'm looking for. Going to try MSCONFIG first, if it doesn't work I'll install this.
If you know what it is you're looking for, you can also do a search on its name and manually remove all instances of it.
Even if it doesn't get rid of it,
it sometimes disables it long enough for you to get an AV installed.
-
At this point...wipe that puppy and start anew.
-
Often I find that viruses are aware of the installer names for the popular antivirus/antispyware programs. Sometimes changing the name of the setup program will work. I've seen this many times when trying to use Super Antispyware/Spybot/Grisoft AVG. I usually add a 1 at the end of the file name and it installs fine.
I usually try to avoid wiping the hard drive if at all possible when working with client computers, even though it's how I fix my own, and the only surefire way to fix the problem. There's always some program they've lost the disk to, some obscure thing they were "just sure it was there" that wasn't, and the list goes on.
I was in your state of mind when working on the system, refraining from wiping the drive. However renaming the installer didn't do anything because the virus disabled every service there was listed in the services.msc region. And since windows installer was disabled, I couldn't install NOD32. Also attempting to run NOD32 from a flash drive didn't work since ekrn.exe (the scanner service) couldn't initiate.
Anyways, I got tired of trying to fight it because I wasn't getting anywhere. I tried all I knew and all that was suggested to no avail. The disk was wiped and has Windows installed fresh. Now I'm just waiting for them to get their confirmation of acceptance into the ESET NOD32 Smart Security Trial before I install it for them.
Thanks again guys, you were all helpful in a way. (Yes, even you Fulmar.)
-
LOL FINALLY!
-
Well, it was bound to happen. I simply didn't want to do it because my Windows Installer has a few corrupt entries which causes .WMV read errors and a few other bugs. Now they'll have to live with it.
-
WOW finally! Tell them to start backing that stuff up and lay off certain sites.
-
Well, it's mainly their teenagers that use the system. The parents only use it to check email and bank accounts (Yeah, I know, bad idea considering teenagers use the same computer.) However they don't store anything on that computer that they absolutely require, which made reformatting a breeze. I asked them if they required any files to be backed up before formatting the system. They simply told me, "Hmmmm.... No."
That certainly was a relief, considering the 20 minute start up time. And yes, I did talk to the teenager that downloaded the virus recommending that he stop using a certain application.
-
It really is heartbreaking sometimes when you run into people that never backed up their stuff. My pet peeve is digital pictures. So many people store all their pics on their computer and are yet quite the computer novices. The day comes when their hard drive crashes and bam, 3 years of memories gone.
-
Well, some people don't have the Hard Drive space for a second partition, and they don't have a spare hard drive to store their files. Such was the case with this family.
I've got to start backing up my files. :P
-
At one of the jobs I worked there were a bunch of 22 year olds working. (That place only hired kids) I couldn't remember a site to buy music and asked them. They gave me some free site when I was actually looking for iTunes or some legit site. I told them that they will get viruses from those free sites. They said no problem. They would just simply wipe the drive and start anew. Then I said what about your friends and family that you send e-mails to? You should have seen the look on their faces! Like a deer in headlights.