Admin processes not working?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MutD, Apr 4, 2005.

  1. MutD

    MutD Specialist

    Hi all,
    I've got a problem: I can't get any processes such as Task Manager, msconfig etc. to work (I AM logged on as administrator). When I hit Alt+Ctrl+Delete, Task Manager flashes up for a second then disappears; msconfig does the same.

    When I try to install new programs, the installer almost finishes installing but doesn't respond when the progress bar is full (I have left it for over an hour and nothing happens). Also a game I play over the internet (Counter-Strike: Source) lags a lot more than it used to. Originally I had latency of 30-80 and now I'm lucky if it is under 200.

    I have read and done everything the read me first guide for removal of spyware etc. has told me to do but the problem still persists. I have tried every free scanner I could find and some of the not so free ones (with full intention of purchasing if they solved the problem!).

    Symantec internet check said I have the worms gaobot and sdbot, not sure what that means though!

    I don't know if the problems above are connected; hope someone can help, I've lost count of the number of hours I've spent trying to fix this!

    My specs are:
    Acer aspire 1622lm (laptop)
    P4 3.0ghz
    512mb ddr ram
    60 gb hdd
    xp home

    Thanks in advance for the help!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. MutD

    MutD Specialist

    I have done all the steps in READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and I still got the problem.

    I downloaded HijackThis from the link and tried to run it. I clicked on the icon, some warning flashed up for a second and then nothing happened.
    I tried running it from C:, C:/program files and C:/program files/HJT and the same thing happened in each one.
    Any suggestions?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would have been more helpful if you provided the exact error message. I'm guessing that your problem is that you did not extract the executable program from the ZIP file. What you downloaded is a compressed ZIP file. You must extract hijackthis.exe from the HijackThis.zip file that you downloaded using a program like WinZip.
     
  5. MutD

    MutD Specialist

    I downloaded the file to the new folder and unzipped it using WinRAR. I've tried opening it again and I don't think that it is an error message but a warning message from HijackThis.

    Does a warning message appear when this file is run? (I don't know exactly what the message says because it only flashes up for a second and then disappears!)

    I can just read the bottom line it says,
    "Some ad-aware supported programs may cease to function if the associated adware is removed"
    any ideas?
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you able to run HJT and get a log?
     
  7. MutD

    MutD Specialist

    No, the warning message flashes up for less than a second and then nothing happens.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Let's try this: click the link below to download HJT. Save this to your desktop, try to run it from there and see what happens.

    http://216.180.233.162/~merijn/files/HijackThis.exe
     
  9. MutD

    MutD Specialist

    I tried running HijackThis from the desktop; the warning message flashes up for a second and then Windows Explorer crashed.
    After that all my desktop icons disappeared and I couldn't click on Start; when I hover over Start a big egg timer thing appears instead of the cursor.
    I can't even get into Task Manager to see what's happening or run Explorer, so I had to turn the computer off.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the W32.Gaobot Removal Tool

    Boot into Safe Mode and run this tool!

    After this try running HJT again. Also, try running HJT from Safe Mode see what happens now.
     
  11. MutD

    MutD Specialist

    I ran the removal tool in safe mode and it said that the worm wasn't found on my system!? That's strange because the online scan I did at the Trend Micro website said that I was infected by it! I tried to re-scan, but the page will only load halfway then doesn't respond!

    I ran HijackThis in safe mode from the desktop and have attached the file.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! You do have the GAOBOT Worm.

    Here is some information on this WORM:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.bb.html

    Boot into Safe Mode again and run the following online scans:


    Run the following online scanners:
    Bitdefender
    RavAntivirus <-- select Auto Clean then click Scan My PC
    TrojanScan

    Post results from these scans!

    Also, go into Add/Remove Programs and uninstall Media Access. We will address the smaller issues after we get this under control.
     
  13. MutD

    MutD Specialist

    When I boot up in safe mode with networking I can't connect to the internet; my connection is 1mb ADSL. I can connect either through an ordinary modem or a router with a wireless network card.

    I'll run the scans in normal mode and tell you what I find.
    Thanks for the help so far!!
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Be sure you have System Restore disabled.
     
  15. MutD

    MutD Specialist

    Yep, I've got System Restore disabled, scanning now! Bitdefender firstly said that it couldn't load the updates and then it said that it couldn't scan my computer!? It didn't give a reason as to why not?!

    Should I be able to connect to the internet in safe mode?
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    In Safe Mode w/ Networking you should be able to, yes. Do the scan without updates and then run it again with updates if you still can't get them.

    Probably wouldn't hurt to run TrendMicro's again.

    http://housecall.trendmicro.com/housecall/start_corp.asp
     
  17. MutD

    MutD Specialist

    I completed the scan with RAV antivirus and got the following results:
    Scan started at 09/04/2005 19:21:02

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\system32\msmsgr.exe - Win32/Spybot.BN.worm -> Infected

    Scanned
    ============================
    Objects: 36861
    Directories: 3001
    Archives: 6984
    Size(Kb): 1599549
    Infected files: 1

    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 79

    I tried scanning with the other two but both of them didn't respond while the page was loading, and when I went into Control Panel and clicked on Add/Remove Programs nothing happened!! :mad:
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Try running the others one more time just to see if they will work.
     
  19. MutD

    MutD Specialist

    I rebooted in safe mode and uninstalled Media Access, just clicked on the Bitdefender one and it has started scanning!
    I'll post the results of the two scans when they have finished!
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!
     
  21. MutD

    MutD Specialist

    Hi, I have scanned with Bitdefender, RAV antivirus and TrojanScan.
    I have posted the results of RAV antivirus in a previous post; TrojanScan said that I am not infected with anything. Bitdefender's report was the following:
    Scanned File

    C:\WINDOWS\system32\msmsgr.exe
    Infected with: Backdoor.RBot.150CFB7D

    C:\WINDOWS\system32\msmsgr.exe
    Disinfection failed

    C:\WINDOWS\system32\msmsgr.exe
    Delete failed

    C:\WINDOWS\system32\wind32.exe
    Infected with: Backdoor.RBot.A2AF9961

    C:\WINDOWS\system32\wind32.exe
    Disinfection failed

    C:\WINDOWS\system32\wind32.exe
    Delete failed

    I tried to do the Trend Micro scan but the virus definitions wouldn't load and then the scanner wouldn't load!?
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! So boot into Safe Mode and delete these files if they exist. Reboot and see how things are now.

    C:\WINDOWS\system32\msmsgr.exe
    C:\WINDOWS\system32\wind32.exe
     
  23. MutD

    MutD Specialist

    I deleted the msmsgr.exe file in safe mode but I couldn't find the win32.exe file. I have checked the box in Folder Options so I can see hidden files. I manually looked for it and used Search to find it but it didn't come up with anything.

    I have also tried to get Task Manager up but it still flashes up for a second and then disappears. It works in safe mode though.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's C:\WINDOWS\system32\wind32.exe, not win32.exe

    Download and run CWShredder 2.14
    Note: Select FIX and let it scan.

    Now run these online scans!
    TrendMicro Online Scan
    Symantec Online Scan
    Panda Online Scan
    RAV AntiVirus Online Scan
    ComputerAssociates Online Scan
    Bit Defender Online Scan
    Command On Demand Online Scan
    Freedom Online Scan
    AhnLab Online Scan
    PCPitStop Online Scan


    After doing these online scans (skip the ones you've done already) attach a fresh HJT log.
     
  25. MutD

    MutD Specialist

    sorry that was a typo!
    can I run more than one online scan at once?
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sure, the only problem you may run into is that if one of the scans finds the same thing as another it may delete the file first and the other may give an error. But yeah, I don't see why not.
     
  27. MutD

    MutD Specialist

    I just ran CWShredder and got this report:
    **** Run Keys ****

    RUN: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    RUN: [Compaq Service Drivers] wind32.exe
    RUN: [Microsoft System Services] msmsgr.exe
    RUN: [CnxDslTaskBar] C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe
    RUN: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
    RUN: [Microsoft System Services] msmsgr.exe
    RUN: [Compaq Service Drivers] wind32.exe

    There was quite a lot of other stuff as well but I think this is the main bit. Not sure why msmsgr.exe is still there, I deleted that file in safe mode (and cleared it from the Recycle Bin!)
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Finish those online scans and we will see where we stand. We may have to go to my last resort.

    Wouldn't hurt to run it again to be sure it got everything; click FIX instead of Scan just in case you're doing Scan.
     
  29. MutD

    MutD Specialist

    Scanning now. I tried scanning with Trend Micro; the virus definitions wouldn't load and then the virus scanner wouldn't load!

    Then I tried the Panda one and my connection dropped for some reason; I got an error message saying something to do with "Generic Host Process for Win32 Services has crashed and needs to......"

    Doing the Computer Associates scan now.
     
  30. MutD

    MutD Specialist

    Oh yeah I forgot to add, hope that the last resort isn't rebooting!? That would make me very :(
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have to reboot in Safe Mode, but after you come out of Safe Mode, it will be worth it. It just takes a LONG time to do, that's why I said "last resort" :p
     
  32. MutD

    MutD Specialist

    I did the online scans, well the ones that I could do!
    Computer Associates, Freedom and Command On Demand said that I had no virus. I couldn't do the scan with Trend Micro or Panda, and I have already performed scans with the remaining ones except AhnLab, which said I have the following virus:
    Filename: wind32.exe
    Folder c:\windows\system32
    Virus name: win32/IRCBot.worm.gen

    I have looked for this file and I can't find it, either in safe mode or normal mode! (I can see hidden files)

    I ran HijackThis in safe mode because the program wouldn't run in normal mode for some reason.
     

    Attached Files:

  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Now, Copy and Paste C:\WINDOWS\System32\wind32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\msmsgr.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\wind32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now have HJT fix these entries:

    O4 - HKLM\..\Run: [Compaq Service Drivers] wind32.exe
    O4 - HKLM\..\Run: [Microsoft System Services] msmsgr.exe
    O4 - HKLM\..\RunServices: [Compaq Service Drivers] wind32.exe
    O4 - HKLM\..\RunServices: [Microsoft System Services] msmsgr.exe
    O4 - HKCU\..\Run: [Microsoft System Services] msmsgr.exe
    O4 - HKCU\..\Run: [Compaq Service Drivers] wind32.exe
    O4 - HKCU\..\RunServices: [Compaq Service Drivers] wind32.exe


    Reboot & attach another HJT log.
     
  34. MutD

    MutD Specialist

    Hey hey, it works!!! :D
    I had almost forgotten what Task Manager looked like!!
    I followed the instructions in your previous post and have attached a HijackThis file.

    Thank you very much for all your help!!! :D
     

    Attached Files:

  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    STOPzilla! <-- Its up to you!

    Media Access

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    scrtkfg.exe

    MediaAccK.exe

    MediaAccess.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)

    O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownload.nefficient.co.kr/plugin/myv3/myv3.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now, Copy and Paste C:\WINDOWS\System32\scrtkfg.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\Media Access

    NEXT:
    Run CCleaner

    Reboot, Scan with HijackThis and attach the new log.
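    The two clean-up posts above (post 33 and post 35) follow the same pattern: HijackThis O4 entries under the Run/RunServices keys of HKLM and HKCU point at bare filenames (wind32.exe, msmsgr.exe, scrtkfg.exe), and KillBox queues a "Delete on Reboot" for the files themselves. The script below is an added example, not code from the thread, from HijackThis, or from KillBox: it reads the same four autorun keys, flags entries whose command is a bare filename, is on the watch list taken from this thread, or points at a file that is missing or hidden, and then lists any reboot-time deletions already queued. It only reports; nothing is deleted. It assumes PowerShell 3 or later (so it is written for a current Windows system rather than the XP laptop in the thread), and it assumes that KillBox's delete-on-reboot works through the standard PendingFileRenameOperations value, which is an assumption about that tool.

```powershell
# Added example (not from the MajorGeeks thread or the tools it names).
# Read-only audit of the autorun locations that HijackThis reports as O4
# entries, plus a check of deletions queued for the next reboot.

# Filenames taken from the CWShredder/HJT output posted in this thread.
$WatchList = @('wind32.exe', 'msmsgr.exe', 'scrtkfg.exe')

# The four O4 locations that appeared in the thread's HJT fix lists.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

function Get-AutorunEntries {
    # One object per value under each key; keys that do not exist are skipped.
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those.
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-ExecutableToken {
    param([string]$Command)
    # "C:\Program Files\X\x.exe" /flag -> C:\Program Files\X\x.exe
    # wind32.exe                        -> wind32.exe
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    return ($cmd -split '\s+')[0]
}

function Test-AutorunEntry {
    param([pscustomobject]$Entry)
    $flags = @()
    $exe = Get-ExecutableToken -Command $Entry.Command
    if ([string]::IsNullOrWhiteSpace($exe)) {
        $flags += 'empty-command'
        return [pscustomobject]@{ Key = $Entry.Key; Name = $Entry.Name; Command = $Entry.Command; Target = ''; Flags = ($flags -join ',') }
    }
    $leaf   = Split-Path -Path $exe -Leaf
    $isBare = ($exe -eq $leaf)

    # A bare filename is resolved through the search path at logon, which is
    # how every malicious entry in this thread was written.
    if ($isBare) { $flags += 'bare-filename' }
    if ($WatchList -contains $leaf.ToLower()) { $flags += 'on-watch-list' }

    # Where a bare name would normally be found. -Force returns hidden and
    # system files that Explorer search may not show (the thread's wind32.exe
    # was reported by scanners but never found by search).
    $target = if ($isBare) { Join-Path (Join-Path $env:SystemRoot 'System32') $leaf } else { $exe }
    $file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
    if ($null -eq $file) {
        $flags += 'file-missing'
    } elseif ($file.Attributes -band [IO.FileAttributes]::Hidden) {
        $flags += 'hidden-attribute'
    }

    [pscustomobject]@{ Key = $Entry.Key; Name = $Entry.Name; Command = $Entry.Command; Target = $target; Flags = ($flags -join ',') }
}

function Get-PendingFileDeletes {
    # Assumption: "Delete on Reboot" is queued via MoveFileEx delay-until-reboot,
    # which Windows records in PendingFileRenameOperations as (source, destination)
    # pairs; an empty destination means delete. Read it before rebooting to
    # confirm the request was actually recorded.
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        if (-not $ops[$i + 1]) { $ops[$i] -replace '^\\\?\?\\', '' }
    }
}

# Show only entries with at least one flag, then any queued deletions.
Get-AutorunEntries | ForEach-Object { Test-AutorunEntry -Entry $_ } |
    Where-Object { $_.Flags } | Format-Table -AutoSize
Get-PendingFileDeletes
```

    A "file-missing" flag is not proof the file is gone: an entry whose target is missing still runs whatever a later infection drops under that name, so the registry value itself should be removed, which is exactly what the HJT fixes above do. An entry flagged "bare-filename" with a legitimate-looking vendor name (as with the "Compaq Service Drivers" value on an Acer in this thread) deserves a second look for that reason alone.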
     
  36. MutD

    MutD Specialist

    I did all your previous post said, except that I had to boot in safe mode to delete Media Access and I didn't want to delete STOPzilla because I use it as a pop-up stopper.
    It's quite good really, I never get any pop-ups! :D
    I have also attached a HijackThis log.

    Sometimes when I'm browsing the internet or playing Counter-Strike, my connection drops for what seems like no reason and I get an error message saying "Generic Host Process for Win32 Services has encountered an error and needs to close......" What could that be?
     

    Attached Files:

  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, you're running Avast & AVG antivirus. You need to uninstall one and run only one antivirus, as this will cause conflicts. After the uninstall, reboot and see if you still get that other error you mentioned.

    Your log is clean!

    Are you having any other problems?
     
  38. MutD

    MutD Specialist

    No, I'm having no other problems, and that only happens once in a while and not since I have followed all your steps; I'll keep you posted. I think I will uninstall Avast, I prefer the look of AVG! :D
    The computer boots up a lot faster now and generally takes less time to do things! I think that my laptop is finally virus free!
    Do you think it would be a good idea to upgrade to SP2?
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For sure! Go to Windows Updates and get all avail. updates.

    Take a look at this article on How to Protect yourself from malware!
     
