[Metallica]

Translating hex doesn't render anything sensible.

Save that file as a backup
(all you have to do is change the name to taskmgrccs.reg and doubleclick it to get the old values back)

Then copy the part in bold below into notepad and save it as taskmgrrem.reg
Set Filetype to "all files"

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\taskmgr.exe]

Doubleclick that file and confirm you want to merge it with the registry.

Then reboot and try both doubleclicking taskmgr.exe and using Ctrl_Alt_Del

Let me know what happens.

Regards,

[Advertisements]

No change..if I cntl-alt-del, I get the same little box at bottom of screen that has the "monitor with green screen and lightning bolt, but no "task Mgr" written beside it...if i right clikc, double click, ect nothing happens....
If I go in and double clikc the file name filemgr .exe same thing, opens the untitled Task Mgr box Icon, but will not open ARGGGGG!

Also, did search for TaskMgr.exe and found a bunch???

Found a copy in emergtutils file, three of them inWindows/prefetch folder wit .pf extensions, one in Systems32, and one in servicepack files / I386??

SD

[tvrfan2003]

No change..if I cntl-alt-del, I get the same little box at bottom of screen that has the "monitor with green screen and lightning bolt, but no "task Mgr" written beside it...if i right clikc, double click, ect nothing happens....
If I go in and double clikc the file name filemgr .exe same thing, opens the untitled Task Mgr box Icon, but will not open ARGGGGG!

Also, did search for TaskMgr.exe and found a bunch???

Found a copy in emergtutils file, three of them inWindows/prefetch folder wit .pf extensions, one in Systems32, and one in servicepack files / I386??

SD

[Metallica]

Can you do me a favor and rename one of the taskmgr.exe files to taskmanager.exe ?

Sometimes malware targets program windows with a certain name.
So renaming the file will help.

Let me know if that is the case.

Regards,

[tvrfan2003]

Ok, I went in and changed the Taskmgr.exe files in both Windiwos\system32, and Servicepackfiles|i386, to taskmanager.exe and when opened with right click or double clicked simply flicker and open another of the Icon boxes without text at bottom that will not open as normal with full filebox

I do now however, have a small green "Icon" of a green graph that gives CPU usage as a percentage 5-10% when I move the cursor over it, but again it will not oppen to say whats running????

[Metallica]

Please download: http://www.sysintern...ssExplorer.html

Run it while you have the taskmanager icon in the systray.
Then look in Process Explorer if there is another process running as a child-process
(if you look at my screenshot you will see CNYHkey.exe running as a child process of explorer)
Also look at explorer.exe for the same sort.
Let me know if and what you find.

Tip: in Process explorer click Options > Replace Taskmanager. After you get used to it you will be glad Taskmanager disappeared. Nevertheless we will want to find out how and why.

Regards,

[Metallica]

forgot the screenshot

Attached Thumbnails

• 

[tvrfan2003]

Process PID CPU Description Company Name
System Idle Process 0 86.76
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 420 Windows NT Session Manager Microsoft Corporation
csrss.exe 476 1.47 Client Server Runtime Process Microsoft Corporation
winlogon.exe 500 Windows NT Logon Application Microsoft Corporation
services.exe 544 4.41 Services and Controller app Microsoft Corporation
svchost.exe 724 Generic Host Process for Win32 Services Microsoft Corporation
OPScan.exe 1384 Norton AntiVirus Out of Process Scan Server Symantec Corporation
msmsgs.exe 3088 Windows Messenger Microsoft Corporation
svchost.exe 796 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 880 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 2804 Automatic Updates Microsoft Corporation
svchost.exe 980 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1020 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1148 Spooler SubSystem App Microsoft Corporation
CCSETMGR.EXE 256 Common Client Settings Manager Service Symantec Corporation
NAVAPSVC.EXE 1248 Norton AntiVirus Auto-Protect Service Symantec Corporation
SAVSCAN.EXE 1496 Symantec AntiVirus Scanner Symantec Corporation
svchost.exe 1864 Generic Host Process for Win32 Services Microsoft Corporation
symlcsvc.exe 1964 Symantec Core Component Symantec Corporation
wdfmgr.exe 2016 Windows User Mode Driver Manager Microsoft Corporation
CCEVTMGR.EXE 1716 Common Client Event Manager Service Symantec Corporation
symwsc.exe 464 4.41 Norton Security Center Service Symantec Corporation
alg.exe 2528 Application Layer Gateway Service Microsoft Corporation
lsass.exe 556 LSA Shell (Export Version) Microsoft Corporation
taskmgr.exe 3232 Windows TaskManager Microsoft Corporation
explorer.exe 1420 1.47 Windows Explorer Microsoft Corporation
hpsysdrv.exe 1488 hpsysdrv Hewlett-Packard Company
HpqCmon.exe 1512 HpqCmon MFC Application
hkcmd.exe 1544 hkcmd Module Intel Corporation
EM_EXEC.EXE 1560 Control Center Logitech Inc.
DEVDET~1.EXE 1568 Device Detector ACD Systems, Ltd.
realsched.exe 1576 RealNetworks Scheduler RealNetworks, Inc.
CCAPP.EXE 1592 Common Client User Session Symantec Corporation
msnappau.exe 1620 MSN Updater Microsoft Corporation
msnmsgr.exe 1644 MSN Messenger Microsoft Corporation
zonealarm.exe 1696 ZoneAlarm Zone Labs Inc.
vsmon.exe 1764 TrueVector Service Zone Labs Inc.
minilog.exe 200 TrueVector Basic Alert Logger Zone Labs Inc.
iexplore.exe 1352 Internet Explorer Microsoft Corporation
WINZIP32.EXE 2732 WinZip WinZip Computing, Inc.
procexp.exe 3596 1.47 Sysinternals Process Explorer Sysinternals

Process: Procexp Pid: -2

Type Name

[Metallica]

That doesn't help much.

Download Pfind.zip file and extract it to your C:\ folder. This will create a folder called Pfind in C:\pfind. Inside c:\pfind is a file called pfind.bat. Double-click on this file and wait for it to finish. When it is done, it will open up a notepad that contains a log of what it has found. Copy that log as a reply to the topic where you are are receiving help.

It can take quite a while so please be patient.

Did you replace Taskmanager with Process Explorer and does Ctr_Alt_Del open Process Explorer now?

Regards,

[tvrfan2003]

Yes thanks, when I did what you suggested with Process Manager, it now comes up when I do Cntl-Alt-Del...looks like a much more detailed and clearer program for data...hopefully it will allow me to figure out why my startup is so slow????? Appreciate the help in getting me that far anyway, nice to have something that works , and apparently better than Task Mgr...

I tried the link you gave me but it comes up with a 404 "Page not found" error?

[Metallica]

You can download it by using the download link here:
http://www.bleepingc...files/pfind.php

Regards,

[tvrfan2003]

I get the page, but when I click thge link to download stil get me a 404, page not found error??
SD

[tvrfan2003]

According to their forums, the link has been disabled for now Arghhhhhhh..

[Metallica]

Yes. That is right.

No real problem. There are other ways. Just a bit slower.

Please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in safe mode and run RKFiles.bat. It may take a while. When it is finished a window should appear with a log.

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

Regards,

[tvrfan2003]

C:\Documents and Settings\Owner\My Documents\Unzipped\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\JNR$01.EXE: UPX!
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

[Metallica]

Ohoh.

Can you have this file:
C:\WINDOWS\JNR$01.EXE
scanned here:
http://virusscan.jotti.org/

If I am right it will be identified as Backdoor Outbreak

If this is true delete that file and look for:
c:\WINDOWS\system32\win32api.exe

Delete that as well if found.

Let me know,