Need Help!! Task Manager doesn't open, virus related?

Status
Not open for further replies.
I've formatted twice, once with an official XP Home cd, and once with a not so official XP Pro cd. Ok vig, here are the results of my regedit searches:

My Computer\HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\services
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet001\Enum\Root\Legacy_SMSC
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet001\Enum\Root\Legacy_SMSC\0000
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet001\Services\SMSC
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet001\Services\SMSC\Enum
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet002\Enum\Root\Legacy_SMSC
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet002\Enum\Root\Legacy_SMSC\0000
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet002\Services\SMSC
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentControlSet\Enum\Root\Legacy_SMSC
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentControlSet\Enum\Root\Legacy_SMSC\0000
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentControlSet\Services\SMSC
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentControlSet\Services\SMSC\Enum
My Computer\HKEY_USERS\S-1-5-21-839522115-492894223-1708537768-1003\Software\Microsoft\Search Assistant\ACMru\5603

Ok that's all of them. My guess is that it's in the search assistant stuff, but who knows. Help ASAP is appreciated, my university's IT shut my IP down :/ I'm home right now trying to fix this. Thanks as usual.

Oh and one last thing, I didn't try RBS's tool for removing it, because I'm not quite sure where the actual smsc.exe is.
 
Click Start/Search/For files or folders/smsc.exe

In my XP-Pro registry there are no such keys as:
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet...

They are under:
My Computer\HKEY_LOCAL_MACHINE\System\ControlSet...
 
I tried searching for smsc already, nothing has turned up. Also, I'm sure that there is an HKLM\Software directory in my registry. I'm 100% sure the registry addresses I posted are accurate.
 
Very interesting. RBS is right, XP does not store its "real" config and controlset info in Software\Microsoft, but in System\Controlset.
Which just means something is really fishy here.

Do you know how to backup your registry? Do so and let's try to remove this thing.

Go to your first key:
My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\services
And then delete the smsc entry on the right-hand side.

Then delete the entire key (on the left side) for these keys, that is, the key shown in bold text.

My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet001\Enum\Root\Legacy_SMSC

My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet001\Services\SMSC

My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet002\Enum\Root\Legacy_SMSC

My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet002\Services\SMSC

My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentControlSet\Enum\Root\Legacy_SMSC

My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentControlSet\Services\SMSC
-------------------------------

Okay, if XP doesn't let you delete the key on the left side, do this:

Right-Click the key and choose Permissions. Then with the Administrators entry highlighted, click the checkbox down below for Full Control - Allow. Then hit ok. This should give you permissions to delete the key now. I'm 95% sure you'll have to do this for the "legacy" keys.

Also, before deleting a key, you might want to look at some of the entries on the right side, and see if they point to any other files besides smsc. For example if one of the services points to blabla.exe, you may want to put that file in quarantine as well.

I'm sure you know the risks of editing the registry, so do what you gotta and give it a try.

Good luck!
 
Ok a quick recap of what I did since the last post:

I backed up my registry by exporting it? (Was that right?)
I deleted the registry files you told me to. (How come not the search assistant ones?)
I deleted the few traces (erase_me_xxxx.exe) in \system32 that Symantec was still picking up.
Even though Symantec was picking up traces, I wasn't experiencing any of the symptoms that I normally experienced. (Freezing when clicking the favorites icon in IE, freezing when saving files/opening them)
After deleting the erase_me files, I rebooted. There are no more erase_me.exe's in \system32.

I guess we just hold our breath now? I'm going to reformat with my XP Home recovery cd that came with my laptop so I can install sp2, mostly for the sake of getting back on my university's network, but also for extra security I guess.

Let me know if there's anything more I can do. Thanks!
 
The search assistant ones are MRU lists and are not a problem. MRU stands for Most Recently Used. Or something to that effect. MRU lists are used so Windows knows the last items you searched for, last RUN commands and many more. There are a lot of MRU lists in the registry.

Can I ask why you're going to format yet again? If you have it cleaned now, just install SP2 by itself and be done with it. Formatting will erase all you've done, and you'll get a new registry and everything all over again. Is it necessary?

Cheers
 
Ok some bad news for Vigi and others, hope you're still tuned in. Symantec has been picking up a few traces of trojan horses. I'm not sure if this is how trojans act, but it keeps vanishing and reappearing over and over. Last time, my laptop froze when ewido was scanning and it happened to be in one of the directories and ewido froze on that file, freezing up my whole system. This is what Symantec is picking up:

Dir (File):
C:\Windows\Temp\ (C27D8FEF-D7AE-42c0-82E6-F30598265639.exe)
C:\Documents and Settings\Anthony\Local Settings\Temp\ (C27D8FEF-D7AE-42c0-82E6-F30598265639.exe)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ (APDAPQ1C.tmp)

Ewido log is useless because it picks up nothing but cookies if the exe isn't located somewhere, and when it is, it just freezes. I will upload the hijackthis log, although I don't know if it'll help since the virus just jumps around.

Much help is ALWAYS appreciated.
 
I don't know where you pick up all this rubbish.
For one, you are using that crap Internet Explorer. Go to www.getfirefox.com !

As per previous instructions:
/P/ O4 - HKLM\..\Run: [Windows Run Services] WindowsRun.exe
/S/ O4 - HKLM\..\RunServices: [Windows Run Services] WindowsRun.exe
O4 - HKCU\..\RunServices: [Windows Run Services] WindowsRun.exe

Did you get your Norton/Symantec legally?
You should ditch that piece of turd-crap anyway and go to http://free.grisoft.com and get their AVG.
 
Ok, I did the few things you suggested. I think still the trojan or whatever it is is hibernating. Hopefully it doesn't come up but for now AVG isn't picking up anything. I disable windowsrun.exe in msconfig startup but it keeps re-enabling itself, and one entry containing windowsrun.exe in hijackthis keeps showing up. Any idea what this is? Seems fishy.

I searched my registry for 'windowsrun' and these are the locations it came up with:

My Computer\HKEY_CURRENT_USER\Software\Microsoft\OLE
My Computer\HKEY_CURRENT_USER\System\CurrentControlSet\Control\LSA
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Run Services
My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LSA
My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\LSA
My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
My Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\OLE
My Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
My Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices
My Computer\HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa
My Computer\HKEY_USERS\S-1-5-18\Software\Microsoft\OLE
My Computer\HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
My Computer\HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices
My Computer\HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa
My Computer\HKEY_USERS\S-1-5-21-789336058-1060284298-1708537768-1003\Software\Microsoft\OLE
My Computer\HKEY_USERS\S-1-5-21-789336058-1060284298-1708537768-1003\SYSTEM\CurrentControlSet\Control\Lsa

Ok finally, that's it.
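As an added example, not code posted by anyone in this thread: a small Python triage script that sorts registry paths like the two search-result lists above, plus HijackThis O4 lines like the ones quoted earlier, into autostart locations, service entries, MRU lists and the "ControlSet under HKLM\Software" oddity Vigi pointed out, so the noise is separated from the entries worth inspecting before anything is deleted. The category names, the rule ordering and the misplaced-ControlSet check are this example's own assumptions; the sample paths are copied from the posts.

```python
"""Triage registry locations from a regedit search or a HijackThis O4 line.

Added example for this thread, not a participant's code. Category names and
rules are assumptions of this example; the SAMPLE paths come from the posts.
"""
import re
from dataclasses import dataclass

# Startup locations (what msconfig's Startup tab and HijackThis O4 lines cover).
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\shared tools\msconfig\startupreg",
    r"software\microsoft\shared tools\msconfig\services",
)
# Most-recently-used lists: records of what the user typed or searched for.
MRU_KEYS = (
    r"software\microsoft\search assistant\acmru",
    r"software\microsoft\windows\currentversion\explorer\runmru",
)
CONTROLSET_RE = re.compile(r"\\(controlset\d{3}|currentcontrolset)\\")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    path: str
    category: str
    note: str


def normalize(path: str) -> str:
    """Drop regedit's 'My Computer\\' prefix; keep the rest as typed."""
    p = path.strip()
    if p.lower().startswith("my computer\\"):
        p = p[len("my computer\\"):]
    return p


def classify_registry_path(path: str) -> Finding:
    """Assign one category to a full registry key path; first matching rule wins."""
    p = normalize(path)
    low = p.lower()
    hive, _, rest = p.partition("\\")
    # Control sets only live under HKLM\SYSTEM. A ControlSet tree anywhere else
    # in HKLM is not live configuration and is the first thing to look at.
    if (hive.upper() == "HKEY_LOCAL_MACHINE" and CONTROLSET_RE.search(low)
            and not rest.lower().startswith("system\\")):
        return Finding(p, "suspicious", "ControlSet tree outside HKLM\\SYSTEM")
    if "\\enum\\root\\legacy_" in low:
        return Finding(p, "service-artifact", "legacy device node created when a service was installed")
    if CONTROLSET_RE.search(low) and re.search(r"\\services\\[^\\]+", low):
        return Finding(p, "service", "service definition; check its ImagePath value")
    if any(k in low for k in AUTORUN_KEYS):
        return Finding(p, "autorun", "startup location; verify the command it launches")
    if any(k in low for k in MRU_KEYS):
        return Finding(p, "mru", "most-recently-used list, not a persistence point")
    if low.endswith("\\control\\lsa"):
        return Finding(p, "lsa", "LSA settings; compare values against a clean machine")
    return Finding(p, "other", "string hit only; inspect the values by hand")


def parse_o4(line: str):
    """Split a HijackThis O4 line into (hive, key, value name, command).
    HijackThis abbreviates Software\\Microsoft\\Windows\\CurrentVersion as '..'."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key").replace("..", r"Software\Microsoft\Windows\CurrentVersion")
    return m.group("hive"), key, m.group("name"), m.group("cmd")


def classify_o4(line: str):
    """Expand an O4 line to a full key path and classify it like a search hit."""
    parsed = parse_o4(line)
    if parsed is None:
        return None
    hive, key, name, cmd = parsed
    f = classify_registry_path(HIVE_NAMES.get(hive, hive) + "\\" + key)
    # A bare file name (no directory) is resolved through the search path, so
    # note that the binary still has to be located before it can be quarantined.
    where = cmd if "\\" in cmd else cmd + " (bare file name; locate it under %SystemRoot% first)"
    return Finding(f.path, f.category, f"[{name}] -> {where}")


def triage(lines):
    """Classify a mixed list of regedit paths and O4 lines, grouped by category."""
    groups = {}
    for line in lines:
        f = classify_o4(line) if line.lstrip().startswith("O4 - ") else classify_registry_path(line)
        if f is not None:
            groups.setdefault(f.category, []).append(f)
    return groups


# Sample input copied from the thread: regedit search hits and one O4 line.
SAMPLE = [
    r"My Computer\HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603",
    r"My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\services",
    r"My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet001\Enum\Root\Legacy_SMSC",
    r"My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\ControlSet001\Services\SMSC",
    r"My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Run Services",
    r"My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LSA",
    r"My Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"My Computer\HKEY_USERS\S-1-5-18\Software\Microsoft\OLE",
    r"O4 - HKCU\..\RunServices: [Windows Run Services] WindowsRun.exe",
]

if __name__ == "__main__":
    for category, findings in sorted(triage(SAMPLE).items()):
        print(category)
        for f in findings:
            print(f"  {f.path}\n      {f.note}")
```

Running it on the sample puts the two Legacy_SMSC/Services\SMSC hits under HKLM\Software into "suspicious" (the point made earlier about ControlSet belonging under HKLM\System), the ACMru hit into "mru", and the Run/RunServices/MSConfig hits and the O4 line into "autorun"; the OLE hit lands in "other" because a string match alone says nothing about what the value does.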
 
Yeah, I said a couple posts up that this thing is hibernating and comes up at random times, when it's not up Ewido doesn't pick up anything, and when Ewido actually comes by the file, it just freezes up and it freezes my whole system.
 
Whatever it is, it must come from one of the CDs you use to install programs, or you keep installing a program with a dodgy background.
We can't do anything until YOU find the source of the infection.

Is the PC physically disconnected from the internet when you install afresh?
Do you have other PCs on a (home-)network you are connected to?
Could they have the infection and spread it via network?

Have you tried installing without that crap Norton?
 
I don't know, the only plausible explanation is my XP Pro cd is infected, but I've used it so many times in the past to reformat and I've never had any problems with it. So I don't know how that could happen, how it could be bad this time. Symantec is installed from a cd my university provides, so it is pretty official and I don't know if that's bad either? And I'm on a university, so I don't think I can pick up a virus from the network, but who knows.

Right now I'm not experiencing any symptoms of a virus, so I'll hold my breath for now. I'll try to get a hold of a legit xp pro cd and reformat once again.
 