TechSpot

Need Help!! Task Manager doesn't open, virus related?

By anthonychen725
Oct 4, 2005
  1. Help, task manager doesn't open, virus related? Tried everything..

    I'm new to this site and found it on google. Recently I upgraded some memory. The 7 port usb hub that was working fine before these problems now shows Device Malfunction, unrecognized USB Device.

    At first, random programs would freeze, trying to save things and install things. It would also freeze on virus scanning my hard drive on just one single file, and it would not move anymore. But from screwing around with task manager a bit, at first it would just not open. The green icon would open in the system tray but nothing would come up, and when I tried to restart or shut down it would have to end the process because of not responding. Now, I opened it the first thing right when my laptop booted up, and it did open. I am thinking that the virus or whatever it is loads itself up a little later on. As I am typing, this boot, everything so far is ok, nothing has screwed up yet.

    I have included the hijack log. I have also tried every single scan in the replies by RBS and done everything I can. I am basically stuck here. Help would be much appreciated! Thanks
     

    Attached Files:

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  3. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Ok RBS, I just scanned with Ewido and did another Hijack This scan. Here are the two logs. I'm about to reboot. The problem seems to have died down a bit, I can open task manager in the beginning until some random task I'm performing, last time it was sending a file on AIM, freezes the program. Then usually everything becomes messed up.


    Edit: I just rebooted and immediately my task manager isn't opening. So far these are the tools I have tried:

    Spyware: AdAware, Spybot S&D, Housecall Spyware Removal, CoolWebSearch, CWshredder

    Viruses: Housecall Trendmicro, Ewido, McAfee, Symantec 10

    Might be leaving a few out, but you get the idea. Need to know how to find this thing.
     

    Attached Files:

  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    If you post a HJT log, then put up a COMPLETE log!

    click on Start/Run and type in (followed by press Enter):
    regsvr32 /u C:\WINDOWS\SYSTEM32\ssttu.dll

    Let HJT fix all entries with (file missing) as well as
    O20 - Winlogon Notify: ssttu - C:\WINDOWS\SYSTEM32\ssttu.dll
    and delete ssttu.dll
     
  5. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Ok a few things. I ran Hijack This in normal mode, found those same things. Cleaned the ones you told me to, the two found with the sstl.dll and the missing file ones. I also went to explorer to look for the dll, and it wasn't there. But after I fix it with hijack, and try scanning again, the same exact things come back up. I also tried this same process in safe mode, same results.

    Also, I just got a windows error. Error loading u]-w (gibberish). The specified module could not be found.

    When I do the run command you told me, this is the error I got. Titled RegSVR32: C:\windows\system32\ssttu.dll was loaded, but the DllUnregisterServer entry point was not found. This file can not be registered.

    The weirdest thing is that I cant find the file in System32 folder. Also what do you mean by posting a complete hijack this log? I thought the log I'm posting is already complete.
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    You need to UNregister that file: regsvr32 /u C:\WINDOWS\SYSTEM32\ssttu.dll

    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Your log seems awfully small and a lot of entries seem to be missing.
    Boot in safe mode, make a fresh log and post it here again as attachment.
     
  7. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Not to sound like a jerk, but I know how to show all the files. I am certain it's not there. I just formatted again, this time with XP Pro. I think it's still here, but not as bad. Basically, I just think it's not completely gone. I had a few instances of a black Dos window popping up and vanishing immediately, like a program executing or loading or something.

    By the way, that WAS my complete log. Seriously those are all the processes I was running and the only things it found. But here is my new log, as of the reformatting. Also, the ssttu.dll isn't there right now.

    Edit/Update: I just tried downloading the AIM installation file and it froze when I tried saving. So it's definitely still there.
     

    Attached Files:

  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected by the w32.gaobot worm.

    Go HERE for a removal tool. While you are at it, get both of the programmes below.

    Disconnect from the net, and once your system is clean, install them.

    Then reconnect to the net and run the updates.

    These are both free and will protect your computer. AVG Free and Sygate personal firewall

    Regards Howard :wave: :wave:
     
  9. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Hey howard, I downloaded that remover of the worm you thought I had, and nothing was picked up. Then I used Symantec 10 and it picked up a bunch of things. The traces all had to do with W32.Spybot.Worm. Then I got a Symantec AntiVirus Notification popup:

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: W32.Spybot.Worm
    File: C:\WINDOWS\system32\eraseme_10027.exe
    Location: C:\WINDOWS\system32
    Computer: ACHEN_LAPTOP
    User: ACHEN_LAPTOP\SYSTEM
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Saturday, October 08, 2005 4:31:53 PM

    Edit: I read the traces a little more closely and saw that they were all system restore traces. I just deleted the traces since they were uncleanable. Then I turned off system restore and searched and it was clean. Now Symantec's search doesn't pick up anything, but from time to time I still get that pop-up saying a worm is found.

    Need a way to get this out of my system asap.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    This is the last entry from your HJT log above.

    O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe

    The smsc.exe is added by a worm.

    If you do a google search for smsc.exe you will see what I mean.

    You could try stopping the service.

    Click start/run and type services.msc into the run box.

    When the window appears maximise it.

    Look for the service, and right click on it. If it is running select stop. Select properties, and set the startup type to disable. Click apply/ok

    Regards Howard :)
     
  11. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    If you did a format, none of this should be here. What do you mean when you say you reformatted with XP Pro? There is no way you can have bad services and files in systemrestore folder if you did a full format. Although it IS possible that you can get reinfected quick, that seems awfully quick!

    I would suggest this. Pool all your resources together, all the programs you've thus used, update them to be current. Then reboot into Safe Mode. Do not leave Safe Mode until all your programs report clean.

    One easy way to check for extra services is to go Start-Run and type MSCONFIG. Then go to the Services tab. Click the checkbox to "Hide all..." Look through the entries that are left. If the suspicious ones are still there, then it will infect you again upon reboot until that service is deleted, which HJT can do. BUT if HJT does not remove it (i.e. it keeps coming back), then you'll have to delete it from the registry yourself, as it is a permissions problem for the bad registry key.

    If you want to continue to have Internet access, you can go to Safe Mode with Networking, and even get to this forum from Safe Mode.

    So anyways, if any of those bad files still exist in the registry, you will still be infected.

    Hope you can get to the bottom of it! If that service refuses to be cleaned, we'll have to do some manual registry editing. Which is complicated and risky, but I can help you through it.
     
  12. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Actually I heard that there are really really nasty viruses that stay with your formats. I first used an XP Home recovery cd which apparently formats the two drives and installs the OS. It's one of those recovery cd's lazy laptop companies have you create. Then I used an XP Pro cd to delete the partitions, create a new one, format it NTFS style, and install the O/S.

    Once again, I just think that this is a virus that stays with the formats. The only way, a technician once told me, to 100% get rid of EVERYTHING is a low-level format or zero-fill format. This isn't quite an option here since I don't know the company of my hard drive nor do I want to go that far, since it's quite time consuming.

    No matter what my anti-virus programs do, the traces are undeletable in both normal and safe mode I think, and all it takes is time after each boot for it to load itself. It's good in the beginning, then after a while Symantec picks up a trace. I may have to go into the registry to do it myself, but I'm not familiar at all with the registry nor do I know what to look for. More suggestions are appreciated. Thanks
     
  13. Spike

    Spike TS Evangelist Posts: 2,168

    The kind of viruses you refer to are boot sector viruses. They are very very rare and most of them archaic. The chances of someone having one that survives a format and can cause chaos and not be removed are incredibly slim, almost impossible.

    If your symantec AV detects the spybot worm, then this is what they know about it...

    http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

    It doesn't live in the boot sector.


    The process Howard mentioned is most likely related to an sdbot worm/trojan infection - http://vil.nai.com/vil/content/v_100454.htm

    (amazing - I hate both companies I've given links to, and still I've given the links. pml.)
     
  14. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    K another update lol. So I guess this worm isn't that harmful? But why would it survive through my numerous formats? If the recovery cd's format wasn't a true format, my xp pro cd was definitely a true format. That makes me wonder...

    Also, I've scanned with both Solo Scanner and Symantec Scanner, found traces of this irc/spyware bot, whatever it's called, Symantec couldn't clean it, Solo renamed the traces and deleted them, but the recurring theme is that no matter what when I reboot, it's still there.

    I just can't seem to 100% delete this stupid worm.
     
  15. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Another update, as it seems like it's taking a bit of time for a reply. When I boot up now, everything seems fine. I leave Symantec's constant alert option up, and I have it only alert me with a popup when it detects a trace.

    Anyways, I usually get like 15 minutes at the least, it seems to be random I've never timed it, but everything is perfect until it loads itself. I know this when Symantec gives me the pop up and all the usual symptoms come up. Still the same w32 spybot thing.

    As usual, help is appreciated. Up to this point, I appreciate the help from RBS, howard, and spike. Thx.
     
  16. Spike

    Spike TS Evangelist Posts: 2,168

    OK. Remove the symantec stuff on your PC. It's absolute rubbish unworthy of the packaging it comes on.

    If you're willing to pay, install Kaspersky antivirus - www.kaspersky.com

    If you aren't willing to pay, install AVG free - http://free.grisoft.com.

    Scan your computer with whichever one you choose.

    If you really think you have a boot sector virus that's coming back no matter what you do (and I'll almost guarantee that you haven't), you need to use something such as DBAN - http://dban.sourceforge.net/ to sanitize it (takes forever!) or to write all bits to 0 (takes about 3 hours for an 80 GB ATA100 IDE hard drive). If you decide to do this, when you reinstall, leave the Symantec rubbish OFF your machine and install one of the two AV's above instead.

    If you create a DBAN boot disk, mark it clearly and keep it safe. It's a powerful and dangerous piece of software.
     
  17. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Hey, another update to the situation. I didn't uninstall Symantec, as it may be bad at cleaning but it actually does detect when the virus loads itself.

    I installed AVG like you suggested. I didn't bother scanning yet because I knew from numerous previous scans that no scan would pick up anything until the virus loads itself up, which it takes some time to do.

    I've been booted up for a few hours now, and Symantec has yet to detect a virus and similarly I've yet to experience a symptom of the virus. I'll be waiting when it does come up though, which is when I'll try to scan with AVG and hopefully repair/clean.

    It's gotta still be there though right? No way it just vanished.
     
  18. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Chances are good your virus is a service. And also likely that the service is in the "LEGACY" service section, which normally does not give permissions to delete. If you post another HJT log we can see what the name of it is and have you delete it manually from the registry.
    If it is not a service, then at least it must be running, which is why it can't be deleted (because it's in use). For this, you'd have to get the name of it (assuming the name doesn't change itself), and delete it from safe mode or even recovery console. And remove its startup entry, wherever it might be hiding.

    To see ALL your startups, download "autoruns" from www.sysinternals.com. When you run it, click on the options menu (I think) and click to "Hide Signed Microsoft...". Then refresh. From this list, you might find your sneaky startup.

    And since your Norton is finding it, doesn't it tell you exactly where it is and the file name? Is this info different each time Norton finds it?

    As for this virus getting you after a format, I don't suppose you are on a network with other PCs that might have the infection? Or do you have a backup that you are restoring, which might be infected? Is there a program you've downloaded which is perhaps infected?
    What Service Pack is on the OS CD you used to load Windows? If it doesn't even have SP1, then there are many viruses still out there which can get you without a firewall. But if you have SP2 and a firewall, it's a good bet this virus isn't getting to you off the Internet.

    Just some thoughts, hope you get it out soon!
     
  19. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    I would not be surprised if the XP-CD that you made is infected!
    From your previous posts, it seems as if you only follow the advice that suits you!
     
  20. Spike

    Spike TS Evangelist Posts: 2,168

    AVG antivirus has its own resident shield. In other words, AVG detects viruses as they load up.

    I still say uninstall the symantec rubbish.

    Otherwise, what RBS said.
     
  21. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Ok so I booted up this morning and immediately Symantec picked up traces. I scanned with AVG, nothing. So...yeah, unless I'm using the scan wrong which I don't think is too possible.

    Also, the xp cd isn't infected, I've used it to reformat many computers many times before, working perfectly every time.

    Edit: Symantec is practically popping up with alerts one after the other, non stop, saying it has found traces of the w32.spybot. But with the supposed load-up of the virus, I'm not experiencing any of the symptoms. Task manager opens up fine, no programs are freezing. I uninstalled Symantec, scanned with AVG and it didn't pick up anything. For now, I'm just not doing anything since I'm not getting any symptoms.

    Another edit: symptoms are now back. Also, AVG's resident shield isn't detecting anything. The virus seems to be loaded immediately when I start up now. My college is threatening to take away my internet, they've detected it too :/
     
  22. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Tell us WHAT Norton is finding. What file? What location? It should give you details, whether in the popup or in the log files. Find these files and delete them from Safe Mode or Recovery Console if Safe doesn't work. And then remove their traces from the Registry.

    There have been instructions posted on how to remove W32.spybot. Take your time and get it done!
     
  23. anthonychen725

    anthonychen725 TS Rookie Topic Starter Posts: 18

    Ok Hmart and Vigilante, it's the same few traces that Symantec picks up. A few files named Erase_Me_xxxx.exe in /system32 and an infected smsc.exe file.

    Not to be disrespectful, but do you think at this point I have not tried EVERYTHING suggested? EVERY single approach/software I've tried has failed to clean and permanently remove this worm. Safe mode / normal mode removing doesn't work at all.

    If you guys think registry cleaning will work I will be happy to do that, but I have no idea how. That'd be a good place to start I guess, since everything else has failed.

    One more thing, it seems like a "trap" how the files are named erase_me, so I'm pretty sure simply deleting those won't help. I have to find the source, which I'm guessing is smsc.exe, which remains uncleanable. As usual, much help is appreciated.
     
  24. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Download PocketKillbox here: http://www.downloads.subratam.org/KillBox.zip. Extract it from the zip file, remember where it goes.
    Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box,
    enter the full path to this smsc.exe
    Click on the Action menu and choose "Delete on Reboot". In the Action menu select "Process and Reboot". You'll be prompted to reboot, do so.
     
  25. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Also click Start-Run and type regedit and <enter>.

    Press F3 on the keyboard and type "smsc" and then hit <enter>. Regedit will then search (with all 3 checkboxes checked) and when it finds an entry, take down its location, don't do anything with it yet. Then hit F3 again and it will search for more. Write down all the places it turns up, naming the key and subkeys. Each time it finds one, the full key path is listed in the status bar at the bottom of regedit.

    I would guess that smsc.exe is in a services area, or APPINIT_DLLS or wininit_dlls. Or in the NOTIFY key. Or perhaps a key starting with "LEGACY_".

    Post here what places you find the file listed. Then we'll go step by step getting it the heck outta there.

    And hey, no disrespect taken I'm sure. It's just we don't "really" know what you do and don't do. After all, if Symantec explained how to remove it, it should have worked. Which leads back to wondering WHERE this thing is coming from. I'm still dumbfounded how it got on there right after a fresh loaded OS. Have you scanned all your CDs and disks? And any backups you may have? And ruled out all those options? Cause unless you loaded a non-service pack OS CD, at least Windows' built-in firewall and such should protect you until an AV gets installed.
    But I guess we aren't really going to know...
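
The persistence locations named in this thread (the Winlogon Notify key, the services area and the "LEGACY_" keys) can be worked out from the two HijackThis lines quoted in the posts above. The following Python sketch is an added example, not part of any post and not HijackThis code; the function name `triage`, the flag labels and the sample lines marked as constructed are illustrative, and the registry paths are the usual Windows XP locations for these entry types.

```python
import re

# HijackThis line formats as quoted in the thread:
#   O20 - Winlogon Notify: <name> - <dll path>
#   O23 - Service: <display name> (<short name>) - <owner> - <exe path>
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<display>.+) \((?P<short>[^()]+)\) - "
                 r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")

# Usual Windows XP registry locations for these entry types (assumption:
# default install, current control set).
NOTIFY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"
LEGACY = r"HKLM\SYSTEM\CurrentControlSet\Enum\Root"

# Lines 2 and 3 are the ones quoted in the thread; lines 1 and 4 are constructed.
SAMPLE = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: ssttu - C:\WINDOWS\SYSTEM32\ssttu.dll
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\upd.exe (file missing)
"""

def triage(log_text):
    """Return one finding per O20/O23 line: file, flags, registry keys to inspect."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        missing = line.endswith("(file missing)")
        if missing:  # HJT appends this when the target file is not on disk
            line = line[: -len("(file missing)")].rstrip()
        m20, m23 = O20.match(line), O23.match(line)
        if m20:
            flags, path = ["winlogon-notify"], m20["path"]
            keys = [NOTIFY + "\\" + m20["name"]]
        elif m23:
            flags, path = ["service"], m23["path"]
            short = m23["short"]
            # A service leaves both a Services key and a LEGACY_ enum key.
            keys = [SERVICES + "\\" + short,
                    LEGACY + "\\LEGACY_" + short.upper()]
            if m23["owner"].lower() == "unknown owner":
                flags.append("unknown-owner")
        else:
            continue  # other O-sections are out of scope for this sketch
        if missing:
            flags.append("file-missing")
        findings.append({"file": path, "flags": flags, "keys": keys})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["file"], f["flags"])
        for key in f["keys"]:
            print("   inspect:", key)
```
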
     
Topic Status:
Not open for further replies.
