
Task Manager - Display Disappears After 2 Seconds


Jim Ries
3 Jun 2003, 10:50:21
I am running Windows XP Home with Service Pack 1 installed.

Every time I execute Task Manager it appears on my screen
for only 2 seconds and then disappears.

Has anyone encountered this problem, and if so, do you
have a fix?

thanks

Sir_George
3 Jun 2003, 11:55:24
Jim,

Usually it's caused by Klez or Yaha viruses. Users typically report that it
closes as soon as it opens. So test for this first.

http://securityresponse.symantec.com/avcenter/venc/data/w32.k...@mm.html

or

http://securityresponse.symantec.com/avcenter/venc/data/w32.y...@mm.html

There are some other causes but the above is the most common.


--
Sir_George


"Jim Ries" <jim_...@prodigy.net> wrote in message
news:0df701c329df$753577b0$a401...@phx.gbl...

Virage
5 Jun 2003, 05:49:07
I have compiled this note because, despite what most anti-virus
software companies would like you to believe, none of the virus scans
and "remove applications" were able to identify or fix the virus.
This includes Norton Antivirus and Trend Micro House Call.

Isolation of this virus was nearly impossible! After a solid 26 hours
of hunting for solutions, inspecting the system, and auditing registry
entries, here are some useful hints in case any one of you comes
across some of the following symptoms (one or more):

The Virus

The virus found on my PC was very similar to PE_BUGBEAR.B, which is a
file-infecting variant of WORM_BUGBEAR.A. This variant includes all
the functionalities of the previous variant with the addition of the
file infection routine.

Symptoms:

1. Network connection gets dropped about every 10 - 30 minutes: your
network connection icon shows "Network cable unplugged"
2. If working behind a firewall (router), suddenly you are not able to
browse the Web or download email from the server: "Cannot locate
server..." message box appears.
3. After re-booting, your computer is constantly sending out packets
even though no processes to substantiate this are running: you are not
running a Web server, Database server, or FTP server.
4. Most Obvious: when you try to open Windows Task Manager, it appears
for about 1-3 sec. and then disappears.
5. Most Obvious: when trying to run Registry Editor (from
Start/Run/Regedit.exe), it appears for about 1-3 sec. and then
disappears.


Characteristics:

1. Virus is distributed via email from many parts of the world and is
really well disguised: here is a link for a comprehensive overview:

a. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A

2. This worm propagates via shared network folders and via email. It
also terminates antivirus programs, acts as a backdoor server
application, and sends out system passwords – all of which compromise
security on infected machines.

3. As a backdoor, this worm allows remote users to connect to infected
systems and obtain information, manipulate files, and execute programs
on the infected systems

4. This worm drops 3 .DLL and 2 .DAT files in the Windows System and
Windows folders respectively using random filenames. One of the three
.DLL files is a key logger program that hooks some events from the
keyboard.

5. This key logger component intercepts keystrokes made on the
infected machine and saves the keystrokes encrypted into the other
dropped .DLL files. The key logger component is also detected as
WORM_BUGBEAR.A, while the two other .DLLs are non-malicious. The two
dropped .DAT files are also non-malicious data files and are
encrypted.

How to find and remove the virus:

1. Your anti-virus software may initially detect the virus and as such
it will be quarantined or deleted.

a. If quarantined, the removal tool may be able to locate the source
file and remove all of its components
b. If deleted, the link to the source will be lost and you may not be
able to find the active components

2. In the latter case, if you observe the symptoms shown above, you
may try to download removal tools from Symantec or Trend Micro but in
my case, neither was able to find any virus files on my PC!!

3. The most obvious place where you will find issues related to those
type of viruses are two areas in your Registry:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunOnce
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunServices
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run

a. Since Regedit.exe will not run now, copy it as Regedit.com and run
this one instead
b. When inspecting those areas you have to look for entries that do
not appear to belong there: programs that you would not expect to run
automatically when your system is started
c. Most of them will correspond to items in your system tray but
others will not
d. Most worm and Trojans put files to automatically execute in this
area
e. Other references are made in the Classes part of the registry, esp.
"exefile" (you will find reference to how to fix these at the above
anti-virus sites)

4. Catch 22:

a. Since you can't run Task Manager, how can you see what services are
running and which are not supposed to run?
b. Some excellent tools available out there are:
i. Process Explorer: just like Task Manager but much better
1. http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

ii. AnVir Task Manager: a really awesome tool that actually showed me
when services I tried to delete were automatically restarted by the
virus engine!!
1. http://anvir.com/taskmanager/index.htm

c. Now, the biggest catch is to find out what services are being
spawned over and over:
d. My best suggestion to those that may not know much about Win
services is ... to start from the top and stop each service; those
that are required will not be aborted or will restart
e. To see what the services are try this link:
i. http://www.liutilities.com/products/wintaskspro/processlibrary/tcpsvcs/
f. Those that are referenced in the registry by the virus will be
restarted and you will be able to see that in AnVir (really great
tool!)

5. Since none of the removal tools nor anti-virus software were able
to find any reference to the viruses, this was trial and error
process, esp. with this group of viruses which produce RANDOM FILE
NAMES:
a. In my case, the three culprits were:
i. xstyles.exe
ii. rwtrisfg32.dll
iii. Perflib_Perfdata_34c.dat

b. As you can see, none make any sense!
i. The Registry Entry that tied them together was NvXpLDeamon
ii. The "deamon" gave it away a bit
c. Since these are random files you will not be able to find reference
to them on the Web

6. Upon inspection of the content of the virus files I was able to
confirm that rwtrisfg32.dll was referencing spybot.dll and was
performing the following functions:
a. Quoting from the virus source code: that is truly scary!!
b. "Searsing for passwords"
c. ":netdevil IP:"
d. "passed pleaz_run_done pleaz_run"
e. "Server uploaded to kuangserver IP:" - note that kuangserver is
part of the Kuang2 virus which this one piggybacks on!!
f. read: http://www.lurhq.com/sig-milkit.html
g. "already logging keys to %s use "stopkeylogger" to stop Spying on
port"
h. as well as nearly 2000 words and phrases that are potentially used
as passwords: "LOCAL SERVER SYSTEM BACKUP USER ACCESS TEST DEMO FILES
READ BOTH FULL WRITE SHARE TEMP PASSWORD ADMIN ROOT GUEST
ADMINISTRATOR "

Highlights:

1. Anti-Virus Software may or may not remove known viruses
2. If the main virus file is deleted, you may not be able to find
the remaining pieces even using the removal tools.
3. If you quarantine your viruses, record their names so you can
narrow down your search later.
4. Use the above-mentioned tools to help you in finding the culprits
5. Use Port Monitors such as Statistics part of Symantec's Internet
Security to see what's happening when the virus is running

a. I saw communication from net.hackarmy.tk attempting to get into my
PC while the worm was running:
b. read: http://www.lurhq.com/sig-milkit.html
c. this is how I was able to put the hackarmy and milkit and bear bug
together

6. Removal of the previously mentioned files, esp. xstyles.exe,
reinstated Task Manager and Regedit!
7. Set up your Virus Scan to run nightly
8. Set up Internet Security to block Trojan Horse intrusions
9. Set up your Router to notify you of intrusion attempts
10. Set up update to virus definitions to take place automatically as
soon as they are available.
11. Change your password after the attack for all profiles on the
particular PC


For more info, contact me at www.prism-itc.com
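One way to do the registry inspection from steps 3 and 4 of the post above on a current Windows system, as an added example (my own script, not the poster's or any vendor's): it walks the six Run/RunOnce/RunServices keys the post lists and flags entries whose image file is missing or carries no valid Authenticode signature. It assumes Windows PowerShell 5.1 or later; the function names are mine.

```powershell
# Added example, not from the thread: triage the six autorun keys named in step 3
# of the post above. Function names are my own; requires Windows PowerShell 5.1+.
$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Get-AutorunImagePath {
    # Reduce a Run-key command line to the executable it launches.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }      # quoted path
    # Unquoted path that may contain spaces: grow token by token until a file exists.
    $tokens = $cmd -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]   # unresolved: report the first token as written
}

function Get-AutorunReport {
    foreach ($keyPath in $AutorunKeys) {
        # RunServices only exists on Win9x-era systems; skip keys that are absent.
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $image = Get-AutorunImagePath ([string]$key.GetValue($name))
            if (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
                $status = 'MISSING FILE'   # dangling entry, or a command line we could not parse
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $image
                $status = "UNSIGNED ($($sig.Status))"
                if ($sig.Status -eq 'Valid') { $status = "signed: $($sig.SignerCertificate.Subject)" }
            }
            [PSCustomObject]@{ Key = $keyPath; Name = $name; Image = $image; Status = $status }
        }
    }
}

# Unsigned or missing images, and names that mimic system binaries, deserve a closer look.
Get-AutorunReport | Sort-Object Status | Format-Table -AutoSize -Wrap
```

Run it from Safe Mode as the post recommends, so the entries are not re-created while you read them.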

PPJ
5 Jun 2003, 12:05:54
Thanks!

You just made my life a lot easier!

My story is different (so far...)
I have been having problems the last 2 days and I tried to figure out what
was going on..
I just did a CLEAN install last week, already I was noticing slow downs...
I tried to install McAfee - I usually do this right after installing, but I
guess I missed it this time :.(
I could not install, so I tried to run MSCONFIG, and it would just flip onto
the screen and then right off!
I then tried to run taskman, well we already know what it does!
I then did a safe boot (w network) and ran MSCONFIG... Surprise! Here are some
of the entries I found:
xstyles.exe (This is what led me to your post!)
iexpilorer (noticed the misspelling!!!)

I am currently scanning with McAfee (I will also do Symantec) and so far I
have found
backdoor-fk.srv and downloader-af the source file (I am turning bright
red....) "14 year old cock sucking anal sex.exe"

I will post updated info when done....

I WILL reformat and reinstall....But I will first post the results of the
virus scans when done for everybody's knowledge

P

"Virage" <vir...@shaw.ca> wrote in message
news:305d821.03060...@posting.google.com...

> application, and sends out system passwords - all of which compromise

Michael Jenkin
7 Jun 2003, 04:10:56
You have done some fantastic work to get around this. I too had the
same issue.
I actually booted with a boot disk (NTFS4DOS) and created a folder in
the system32 directory called xstyles.exe. I then deleted xstyles.exe
and rebooted. I then found the DLL, deleted it and removed the entry
from the registry.

I did note that renaming Taskmgr.exe or regedit.exe to taskmgr1.exe or
regedit1.exe allowed the tools to run free from the weird shutdown
issue.

I run Trend PcCillin and to this day it does not pick up the virus.

Weird !

Michael J Jenkin

"PPJ" <p...@attbi.com> wrote in message news:<CTJDa.1138152$S_4.1170144@rwcrnsc53>...

Virage
10 Jun 2003, 02:09:36
Good work guys! Beating the virus sounds almost exciting unless you
rely on your server / pc for your daily bread! That's what really
makes me want to meet the good ole' folks from Hackarmy or the social
reject that wrote the virus: I'd love to take him/her for a couple of
rounds * ugh *.

On a more calm note: has anyone tried the Symantec removal tool for
this? Does it work? I can't imagine that it would if (and only if) the
file names are randomly generated.

In my last post, I neglected to mention that you have to do all your
cleaning up in Safe Mode: otherwise, you can observe the service being
re-created by the virus engine every time you try to delete the file or
registry entry. Best seen in AnVir Task Manager.


michael...@usa.net (Michael Jenkin) wrote in message news:<2fe5bb76.03060...@posting.google.com>...

Sir_George
10 Jun 2003, 09:52:51
Virage,

In reference to your June 6, 2003 post where you stated that Norton
Antivirus was unable to identify or fix the problem caused by the virus; are
you unaware that Norton and Symantec are synonymous terms referring to the
same company? Therefore, if you tried using the removal tool from Norton and
it failed then Symantec's tool will also fail as it is the same thing.

--
Sir_George
For better access to newsgroups;
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp

Virage
11 Jun 2003, 03:32:04
Thanks for your contribution: neither Symantec nor Trend Micro was
able to isolate the virus. Have you had any experience with other
anti-virus software and this version of Bug Bear / Milkit?

"Sir_George" <Sir_G...@yahoo.com> wrote in message news:<bc4ns9$fa94q$1...@ID-149646.news.dfncis.de>...

Travis
11 Jun 2003, 19:37:22
I had the very same problem on my computer (windows task manager
closing down). I was also suspended from my internet service due to a
bunch of port activity. What it was was the net devil virus, a
backdoor virus that can totally control every aspect of your computer.
It was making my computer run like crap and shutting me out of IRC.
Look it up at the Symantec website, under backdoor.devil. It infected
my kernel32.dll file but I was able to clean it up using safe mode.

It also leaves traces of itself in your registry under:

HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Run

There were two entries there which I deleted. Good luck

'Travis

vir...@shaw.ca (Virage) wrote in message news:<305d821.03061...@posting.google.com>...
