Task manager missing, system hanging.

Discussion in 'ProcessGuard' started by Manticmeister, Apr 23, 2004.

Thread Status:
Not open for further replies.
  1. Manticmeister

    Manticmeister Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    18
    Hello all, I hope someone will take the time to help me out with my PC problems as I have struggled day and night now for over two weeks to no avail. Earlier in Apr. a malicious website loaded something the instant I hit it that Grisoft's AV said was called "Dropper." I quarantined it and then used GoBack to revert to a prior time. I then noticed my free Sygate firewall telling me of repeated port scans and once, an intrusion detection. I upgraded the firewall to the Pro version. I purchased TrojanHunter and it said I was clean. I used Spybot S&D and it again found and removed Dropper. I then found that I was unable to download anything without it being corrupted, except updates to TH and AdAware. The attacks continued and I did an online scan with Bit Defender, which found the Byte Verify Trojan, two of whose exploits it described as "get access" and "open channel." Unable to download any remedy I deleted AVG and bought the disks for McAfee. McAfee found and quarantined the Byte Verify Trojan.

    I then bought ProcessGuard and trained it for a few days. It of course didn't like TH Guard so I disabled same. It also wanted to restrain many functions of McAfee's AV. I allowed McAfee to do what it wanted as I wanted its full functionality. Then I saw that Spybot S&D had a beta rc4 version available so I downloaded that. In deleting the rc3 version the process was interrupted because I had forgotten to disable the "tea timer" (execution protection?) in my system tray. The instant I disabled the "tea timer," McAfee popped up and said it found two Trojans. In a panic I deleted these without even noting their names or any other info about them. I then realized I had been training ProcessGuard on an infected system so I disabled all its protections. Then yesterday I bought TDS-3, got the keyfile this morning, upgraded and ran it and it said I was clean. Don't know if it was checking for NTFS alt. data streams by default or not. At this point Task Manager is missing.
    I had thought that ProcessGuard had disabled it, but now that PG itself is disabled, Task Manager is still gone. When I press Ctrl+Alt+Del, nothing pops up and the system makes that noise that it does when you do something it doesn't like. I am also finding that when on the Internet the Sygate firewall will sometimes crash leaving the system frozen and necessitating a hard re-boot. The system will also freeze the same way when offline as it did during a scan by TH yesterday. At one point in all this I used GoBack again and it told me that my system had recovered from a serious error (kernel fault). Norton's Windoctor says all is well. The system seems seriously hosed and yet all my applications tell me that it is fine, which it surely is not. My trial version of Port Explorer finds nothing suspicious either.
    The instructions with ProcessGuard say to install it on a clean system, which I apparently did not do. How should I now proceed? I am exhausted mentally at this point. Could this be a rootkit?
    Manticmeister
    PS- As I was writing the above, my ports were scanned again. I went offline and tried to bring up McAfee AV to no avail. System again needed hard re-boot. I am desperate at this point!
    Manticmeister.
     
    Last edited: Apr 23, 2004
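Two things in the post above are worth checking mechanically before reaching for a repair install: whether Task Manager has been disabled by policy (the usual way malware hides it, and the first thing a responder looks at when Ctrl+Alt+Del does nothing), and whether any NTFS alternate data streams are attached to files, since the poster asks about that. The script below is an added example written for this page, not something posted in the thread or shipped with any of the products named in it. It assumes a Windows host with PowerShell 3.0 or later (Get-Item -Stream needs 3.0, so it would not have run on the poster's XP box) and an elevated prompt; the registry paths are the documented DisableTaskMgr policy locations, and the directory it scans is just a default you would change. Note that in this thread the cause turned out to be something else entirely (Spybot's TeaTimer, see the later posts), so a clean result here rules out one cause, not all of them.

```powershell
# Added diagnostic for the "Task Manager missing" and "NTFS alt. data streams" questions.
# Not from the thread. Assumes Windows, PowerShell 3+, elevated prompt.

function Get-TaskMgrPolicy {
    # DisableTaskMgr=1 under either Policies\System key makes Task Manager refuse to start.
    # Malware sets it routinely; report both keys so a per-user and machine-wide setting
    # are both visible.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($k in $keys) {
        $v = $null
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        }
        [pscustomobject]@{
            Key            = $k
            DisableTaskMgr = $v            # $null = value not present (the normal state)
            Suspicious     = ($v -eq 1)
        }
    }
}

function Get-AlternateDataStreams {
    param([string]$Path = "$env:USERPROFILE\Downloads")   # default is an assumption; change it
    # Enumerates every NTFS stream except the default :$DATA stream. Zone.Identifier is the
    # benign mark-of-the-web stream browsers add to downloads; any other named stream on an
    # executable or in a system directory deserves a look.
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Benign = ($_.Stream -eq 'Zone.Identifier')
                    }
                }
        }
}

# Usage: run the policy check first; if nothing is set there, Task Manager is being blocked
# some other way (a hooking product, a broken shell, etc.), which is what this thread found.
Get-TaskMgrPolicy | Format-Table -AutoSize
Get-AlternateDataStreams -Path "$env:USERPROFILE\Downloads" |
    Where-Object { -not $_.Benign } | Format-Table -AutoSize
```

If DisableTaskMgr is 1, removing the value (Remove-ItemProperty on the same key) restores Task Manager immediately, but do that only after you know what set it, or it will be put back on the next reboot.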
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Manticmeister & Welcome, You have certainly had a host of problems without a doubt.
    Appears to me that with all that has gone on some of your system files have become corrupted & this is what you need to address first.
    Can you use XP's system restore? I know you have GoBack but if you have a system check point for an earlier time than the Dropper episode then System Restore may help. You may have to run the restore point from Safe mode, this requires pressing F8 just before windows starts.
    Other than that you may need to do a repair install of windows, this is not the first repair option that comes up but the second. This way you will, at least, not lose any data but you will need to re-install any XP patches.
    After that you will need to tell us how you get on and we can give further guidance as required.

    HTH Pilli
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    A couple of things. If you used GoBack to revert prior to the problem then you should have been fine, as long as you didn't recover the bad stuff, if there was any.

    Elaborate on what you mean by port scans and attacks. My firewall catches scans all the time, but it blocks them. Not a big deal. Just means the firewall is doing its job.
     
  4. Manticmeister

    Manticmeister Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    18
    Hello again--Thanks very much for replying. Pilli; Regarding System Restore, the initial episode with "Dropper" occurred Apr. 6th or so, I know GoBack won't take me back that far. I don't know about System Restore- if you or someone thinks there is a possibility of System Restore taking me back that far, I'll try it. I am somewhat reluctant to try this method though because of the large number of downloads since then (Sygate firewall Pro, TDS-3, ProcessGuard, Spybot S&D rc4, Port Explorer, etc.) I dread having to re-contact the vendors and re-download all of that on my little dial-up connection.
    Peter 2150; Regarding the firewall issues, what is happening at present is that my Sygate Firewall Pro is crashing when it receives a port scan. I have written a large number of "advanced rules" in it, blocking the IP address of the hacker (or hackers) that scan me. One episode that occurred not long after the "Dropper" infection was called an "intrusion" by the firewall. At that point I forwarded the security logs to the abuse account of the hacker's IP, but that didn't seem to make a big difference as the scans from the same source continue. That's all I know about that issue.
    The idea of a system repair sounds like my best option, my only concern was that if a root kit had been installed that that wouldn't get rid of it. Also, I don't really know how to do a repair install. If someone could give me instructions about this or point me towards a tutorial I'd really appreciate it.
    I have been searching for instructions on how to do a "clean install" but so many times they refer to needing a floppy disk (which I don't have) or at some point "making sure you don't have a boot sector virus." And how exactly was I supposed to do that??
    I am running XP serv.Pak 1 with all the patches prior to this month applied. At present I am also unable to download patches from Microsoft for reasons unknown, possibly some setting in IE- or one of my anti-spyware packages preventing scripting or something. I just don't know.
    Thank you all for your help.
    Manticmeister
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello again Manticmeister,
    A system restore would be your best and easiest option at this stage - It only restores system files and does not affect your My Documents folder or program files.
    If you have a CD writer and you want to be sure of your downloads' security, copy them to CD including any licence files or registration information, although system restore will not remove them.

    Failing that please report back and we can give you the correct information or links to do a repair install or a clean install.
    BTW You will not need a floppy for a clean install or repair but you must have a bootable operating system CD, usually supplied with your computer.
     
  6. Manticmeister

    Manticmeister Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    18
    Hello again Pilli- I have tried System Restore now several times, but without success. Although I have two or three restore points indicated for a few days prior to the "Dropper" episode, when I try to restore to those points it won't do it. I tried disabling my antivirus as well as Spybot's "tea timer" and still no success. When I disabled Spybot's "tea timer," McAfee AV again popped up and told me it had deleted a Trojan called "Reg/Seeker." The path for this was given as Documents and Settings\all users\application data\Spybot-Search&Destroy\Snapshots\RegGBP2.reg and also Documents and Settings\all users\application data\Spybot-Search&Destroy\Snapshots\RegUBP2.reg . And this after several scans with a fully updated version of both TDS-3 and TrojanHunter. I hope that this is just a false positive because if it isn't, that may mean that the file that everyone is downloading to get Spybot is infected. ?
    My understanding after reading a tutorial at Bleepingcomputer.com is that the System Restore utility will in fact uninstall any programs that I have installed after the chosen restore point. I am prepared to do that if necessary. Do you know whether or not I must also disable GoBack in order to use System Restore? And does the location given for this Trojan get backed up into a System Restore point? Please advise.
    Manticmeister
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    If Spybot identified something then it may be spyware rather than a Trojan so could you please follow the instructions here: https://www.wilderssecurity.com/showthread.php?t=15913
    System restore can be done from Safe mode, no other services should be running there that might get in the way.
    Yes you would need to re-install programmes loaded after the restore point but you would not lose any data documents, email etc.
     
  8. Manticmeister

    Manticmeister Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    18
    Hello again Pilli- I'm afraid you misunderstood me. It was not Spybot that found something. It was McAfee Antivirus that has now, for the second time, identified the Trojan "Reg/Seeker" which it has flagged instantly each time I unload the "tea timer" execution protection of Spybot from my system tray. I followed your link and I already have AdAware configured for deep scanning and running. It has found nothing. I am leery of Spybot now since this Trojan keeps re-appearing. This is the rc4 version of Spybot I am talking about, which I downloaded from http://www.spybot-updates.com/files/spybot13rc4.exe . I don't know if it is a false positive from McAfee or not but it has re-appeared twice now because I have uninstalled and re-installed Spybot twice.
    I will try the System Restore from safe mode and see what happens.
    Thanks, Manticmeister
    PS-- Ok, I have tried system restore now on all three checkpoints prior to the initial "Dropper" episode and it will not do it. I am ready now to try a "repair install". My system is a Dell laptop and I do have a system disk. You said that the repair install was the "second one that appears." I need a little more info regarding that please. Also, in beginning the process, should I boot from the CD or just boot normally? And would I be better off removing the laptop from my docking station or does that matter?
    Thanks again, Manticmeister
     
    Last edited: Apr 24, 2004
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Manticmeister,

    There is a thread at Net-Integration Forum where PepiMK has answered a similar question regarding the TeaTimer and McAfee detecting the seeker 'virus'

    http://forums.net-integration.net/index.php?showtopic=13898

    Hope that helps a bit,

    Regards,

    snap
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I am using the latest Spybot RC4, but I have kept Teatimer turned off. I haven't tried it, and see no reason to do so. Teatimer is now like a lot of other programs that are all trying to protect running processes. Zone Alarm does the same thing and I have its process protection turned off. Process Guard does this more effectively than they can hope to, so let PG do its job, and turn the others off so they don't interfere. I have found Spybot's immunize function reliable, and helpful.

    Manticmeister. Frankly before I would do any serious repairing, I would turn off McAfee, go to www.f-prot.com, get their free DOS version, download the latest def's and do a scan of your system at the DOS level. If F-Prot, TDS, SpyBot (without tea), and Adaware say you are clean you probably are. If Mcafee is still giving you hits.... (never mind, I don't want to go into bashing mode)
     
  11. Manticmeister

    Manticmeister Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    18
    Hello all - I am pleased to say that my computer is back to normal now. You were right Peter 2150. In my focus on trying to get System Restore to take me back to the beginning of Apr. it took me a while to notice that all my problems had gone away once I had disabled "tea timer" in Spybot S&D. Even the Task Manager has magically re-appeared.
    I went to F-Prot on your advice and had a look but if I am not mistaken there is no MS-DOS included w/ XP, so I didn't download it. At this point I am wondering what would be the best anti-virus to try and use with Process Guard. As I mentioned before, since AVG was unable to disinfect me when I had the Byte Verify Trojan, and I was unable to download anything, I went out and bought the disk for McAfee, which did remove it. However, McAfee forces me to configure IE in an inherently unsafe fashion so that it will function and also does a lot of things that Process Guard doesn't seem to like (Global Hooks, etc.). Although McAfee has one of the highest detection rates out there I am wondering if anyone could recommend an anti-virus app. that gets along with ProcessGuard better. I had been considering Kaspersky. Additionally, since I was apparently training Process Guard on an infected system when I first got it, what steps should I take now to un-train or re-train it? Would I need to uninstall and then re-install it? Thanks to all for your help.
    Manticmeister
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Whilst running TDS3 & Process Guard - NOD32 is a very good and fast scanner with excellent heuristics.
    KAV is also a good choice with a vast detection base but is slower & also works well with TDS3, PG etc.

    I use both but on two different machines :)
     
  13. Manticmeister

    Manticmeister Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    18
    Hello again- Thank you Pilli and all who have helped me on this forum. It is great to have somewhere to turn when these complex problems turn up. Thank you also for the antivirus suggestions, I will no doubt go with either Nod 32 or Kaspersky. But what about the fact that I was training ProcessGuard on an infected system? I know the instructions told me to install it only on a clean system, but of course I didn't know that I had the Byte Verify Trojan when I installed it. Should I simply re-start the protections now, or uninstall the program and then re-install it- or what would you suggest? If I should ever encounter the Byte Verify Trojan again, I wouldn't want Process Guard to think that it was OK. Thank you all again, and I shouldn't need any more advice on this particular thread after this.
    Manticmeister
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I would also recommend F-Prot for Windows. Simple and low profile, and has worked well for me. Its real-time scanner has nailed stuff from some websites, when the files tried to download. Also caught a nasty in a zip file, that I thought was legit.

    I don't think you need to reinstall. You might try rebooting into Safe Mode and copy your pghash.dat file (c:\windows\system32\pghash.dat) somewhere for backup, and then delete it. Put PG in the learning mode, and it should just start relearning.

    Pilli, and/or Jason can confirm this.

    Pete
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Manticmeister, Personally I would do as many scans as possible in your situation, Spyware, Adware, AV & AT just to be certain, also you may want to post your HijackThis log in the HJT forum below to get a clean bill of health from the experts there.
    When the above has been confirmed:
    Find a good registry cleaner and clean your registry.
    Defragment your drives.
    Switch off System Restore to clear the old restore points in case any malware has been backed up. Once you have rebooted, restart the restore service and create a new point.

    HTH Pilli
     
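The last step in the list above (switch System Restore off to purge old points, then switch it back on and create a fresh one) is the part people most often get wrong, because turning protection off is what actually deletes the points, and a system with a quarantined file in an old restore point can re-infect itself from there. The script below is an added example for this page, not something from the thread or from any of the products it mentions. It assumes a modern Windows host (the System Restore cmdlets live in Microsoft.PowerShell.Management on Vista and later; the poster's XP machine would have used the Control Panel instead) and an elevated prompt; the drive letter and description are assumptions you would adjust.

```powershell
# Added example of Pilli's "purge restore points, then create a clean one" step.
# Not from the thread. Assumes Windows Vista+ with PowerShell 2+, elevated prompt.

function Reset-RestorePoints {
    param(
        [string]$Drive       = 'C:\',                                   # assumption
        [string]$Description = 'Clean baseline after malware removal'   # assumption
    )
    # Show what exists so the operator can see which points (and dates) are about to go.
    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    Write-Host ("Restore points before reset: {0}" -f $before.Count)
    $before | Format-Table SequenceNumber, Description, RestorePointType -AutoSize

    # Disabling protection for the drive discards every restore point on it, including
    # any that captured a malicious file. This is the step that does the purging.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive

    # Create the new clean baseline. Since Windows 8 the cmdlet refuses to create more than
    # one point per 24 hours by default, so the count check below surfaces a silent failure.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    $after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    if ($after.Count -ne 1) {
        Write-Warning ("Expected exactly one restore point after reset, found {0}" -f $after.Count)
    }
    return $after
}

# Usage: run only after the scans Pilli lists have come back clean; a restore point taken
# from a still-infected system is worse than none.
Reset-RestorePoints | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

The order matters: scans first, registry cleanup and defragmentation next, and the restore-point reset last, so that the single point you end with describes the state you have actually verified.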
  16. Manticmeister

    Manticmeister Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    18
    Hello Pilli and Peter 2150,- I have scanned repeatedly now with McAfee AV pro, TDS-3, Trojan Hunter, Spybot S&Drc4 and Ad Aware and they all say I am OK, and the system seems pretty OK. I say pretty OK because for unknown reasons I haven't been able to download the MS updates issued this month for XP yet, although I am corresponding with them to try and do so. I also cleaned the registry with Tweaknow's registry cleaner. Peter; I will try your suggestion regarding the pghash.dat file, but it would be nice to have that confirmation from Pilli or Jason that you spoke of. How 'bout it Pilli & Jason? Would that be the proper thing to do now in order to start afresh with Process Guard?
    Thanks again all,
    Manticmeister
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Hi Manticmeister

    Since no one jumped in I just went ahead and tried what I suggested, and it worked. Go into Safe Mode, and copy the pghash.dat file somewhere and then delete it from the c:\windows\system\ directory. When you reboot and restart Windows, Process Guard will recreate it and start the pghash.dat from scratch. If you have a high degree of confidence your system is clean then put Process Guard in learning mode before you start the above procedure. If you're not sure, leave it with enable checked before you start. Then when you reboot from Safe Mode you will have to do a lot of allowing as the system comes up, but you can watch what is being allowed, and if you are not sure, write down the file name, let the system come up, and then you can check out the programs with which you are not familiar.

    It's late, hope the above makes sense.

    Pete
     
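One thing to notice when following the procedure above: the two posts that describe it give different locations for pghash.dat (c:\windows\system32 in the earlier post, c:\windows\system in this one). Rather than guess, a script can check both, back up whichever it finds, and verify the backup before deleting anything. The block below is an added example for this page, not code from the thread or from ProcessGuard's vendor; it assumes PowerShell 4.0 or later (for Get-FileHash), an elevated prompt, and that ProcessGuard is not running while the file is removed (which is why the posts say to do this from Safe Mode). The backup directory name is an assumption.

```powershell
# Added example of the "back up pghash.dat, then delete it so PG relearns" procedure.
# Not from the thread. Assumes Windows, PowerShell 4+, elevated prompt, PG stopped.

function Backup-AndRemoveHashFile {
    param(
        # Both locations named in the thread; whichever exists is handled.
        [string[]]$Candidates = @(
            "$env:SystemRoot\System32\pghash.dat",
            "$env:SystemRoot\System\pghash.dat"
        ),
        [string]$BackupDir = "$env:USERPROFILE\pghash-backup"   # assumption
    )
    $found = @($Candidates | Where-Object { Test-Path $_ })
    if ($found.Count -eq 0) {
        Write-Warning "pghash.dat not found in any candidate location; nothing to do."
        return $null
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($path in $found) {
        # Name the backup after its source directory and a timestamp so two copies never collide.
        $srcDir = Split-Path (Split-Path $path -Parent) -Leaf
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $dest   = Join-Path $BackupDir ("pghash-{0}-{1}.dat" -f $srcDir, $stamp)
        Copy-Item -Path $path -Destination $dest

        # Verify the copy byte-for-byte before destroying the original; a corrupt backup
        # of the only record of what PG had learned is worse than no backup at all.
        $srcHash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            throw "Backup of $path to $dest failed verification; original left in place."
        }

        Remove-Item -Path $path -Force
        [pscustomobject]@{ Removed = $path; Backup = $dest; SHA256 = $srcHash }
    }
}

# Usage: run from Safe Mode as the posts advise, then reboot normally and let PG rebuild
# the file, allowing each prompt only for programs you recognise.
Backup-AndRemoveHashFile | Format-Table -AutoSize
```

Keeping the SHA-256 of the old file in the output also lets you confirm later, if the question ever comes up, that the backup you restored is the one you took and not something that was swapped in.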
  18. Manticmeister

    Manticmeister Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    18
    Hello Peter 2150- Thanks for getting back to me on that, I'll do as you suggest with PG's hash file. I'm beginning to think that a forum devoted to the interactions between all the various anti-malware programs would be quite helpful. Getting them all to "get along" is just as time consuming as dealing with malware itself! For instance, I found McAfee's antivirus as well as Trojan Hunter to both be doing things that Process Guard didn't like. And of course there was the fiasco with Spybot's "tea timer." I'm not sure yet, but it looks like if I were to keep McAfee, a lot of what Process Guard does would have to be disabled. Perhaps someone could create a graphic indicating what the programs are doing, duplicate functions could then be seen easily. I've gotten into loops between two programs fighting over changes to the same thing a couple of times now. I've been able to glean some info from reading the lists of applications that experienced folks have at the bottom of their posts, but that is hardly an efficient way of getting that info. Thanks again to all for your help. If I need additional info I'll probably start a new thread as I'm pretty straight on this particular issue now.
    Manticmeister
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Hi Manticmeister

    Since bashing other products is really inappropriate, I'll be good, but if asked I would recommend getting rid of Mcafee stuff. They scatter stuff all over the system. This post will self destruct in 30 seconds. :rolleyes:
     