[solved] Blocked Registry and Task Manager

Ok here we are!


So this all began with the viruses that infected my machine and which I deleted manually. It was a generic malware in C:\Windows\System32\mspgw.exe. I sent copies of the previously mentioned files when the problem happened and they said they sent them to your virus department. I don't know whether these tools will reveal anything if I run them now, since I deleted one of the viruses manually when I wasn't answered in 2 days. Sure wasn't a smart move, but you know how a depressed person behaves :(


I was contacted by the support team by email now with some steps. I will follow their advice and see what happens. I have tried sfc /scannow to make Windows restore any missing files, with no results. I also want to say that after deleting that file manually BD seems to see nothing wrong anymore, even though I'm sure my regedit and other files are infected.


NB:


Thanks,



Fida, what you describe sounds very much like an infection (blocked Task Manager and regedit, with an administrative warning message).


Please create a new topic for your problem and post there the logs of Avis and Gmer (as described HERE).


Cris.

Comments

  • Hello Fida,


    Please run those 2 tools and post the logs here. I don't have access to the mails you sent so I have no way of knowing what they contain. Also, fresh logs will provide accurate system status, especially since you say that you manually removed certain files.


    Cris.

  • You should be able to unblock them using gpedit. To open it, go to Start > Run, enter "gpedit.msc" (without quotes) and press Enter. The Group Policy Editor will appear.


    User configuration > Administrative Templates > System > "Ctrl+Alt+Del Options"


    Double click on "Remove Task Manager".


    Disable this option (yes, disable: if you enable this option, Task Manager will be disabled).


    After this is successful you can enable regedit using gpedit.msc too, as follows:


    Run > gpedit.msc (press Enter). The Group Policy Editor will appear.


    User configuration > Administrative Templates > System


    Double click on "Prevent access to registry editing tools".


    Disable this option (yes, disable: if you enable this option, regedit will be disabled).


    The Windows default setting is "Not configured"; otherwise other programs such as Spyware Doctor will flag it up each time you scan (after a reboot). Hope the info helps you out. There are also ****** files available for download from a web site, Kelly's Corner, which will or should do almost the same, but I favor the gpedit route personally.

  • Hi davey,


    Thanks for your thoughts and advice. I read about those steps 3 days ago somewhere on the internet and tried to follow them, but I was baffled when I opened gpedit.msc etc. and couldn't find the System folder under Administrative Templates!! It's then I realized something so bad was going on.


    I'm waiting for the files to finish scanning to upload them here as Cris advised; maybe someone can help me with this.



  • Hello Cris,


    These are the logs. I hope you will be able to spot the problem. The Avis file I obtained I can't upload; I don't know why, maybe because it's password protected.


    Thanks




    Attachment: gmer.log

  • Upload the Avis log here and post the link here.


    You are not allowed to attach any type of archive (password-protected or not) on this forum, as they represent a security risk.


    Cris.

  • Sorry for not being quite familiar with so many things about these matters.


    Here is the link : http://www.sendspace.com/file/mbu9vp


    Fida



  • Fida,


    The only suspect things I noticed are 3 drivers detected by gmer:


    c:\windows\System32\Drivers\c44a07e0.sys
    c:\windows\System32\Drivers\8c153aea.sys
    c:\windows\System32\Drivers\4880f03a.sys


    Please try this:


    - download the latest version of gmer from HERE


    - unplug your network cable and disable BitDefender Realtime Protection


    - open gmer, wait for the quick startup scan to finish, then click on the "> > >" tab. Multiple tabs will appear.


    - select the Files tab, where you will find an Explorer-like interface (files and folders)


    - find the above files


    Keep in mind that browsing with gmer is a lot slower than conventional browsing (with Explorer, or any file manager), because it also searches for files hidden by rootkits, which is a slow process.


    For each file you find, select it and click Copy. Save all files in a new, empty folder. Also, it might be a good idea to add a new extension to the files, but also keep the old extension (for instance filename.ext should become filename.ext.old or anything similar).


    - re-enable BitDefender Realtime Protection before re-connecting your network cable.


    Afterwards, put all the files in a password-protected archive (with the password infected; details HERE), upload the archive on a file-sharing service (details in the previous link) and send me the download link by PM.


    In the end, try to re-enable regedit and TaskManager like this:


    1) click Start -> Run and enter this command:


    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

    This should re-enable RegEdit.


    2) Read this article: http://support.microsoft.com/kb/555480 and check the registry values presented there.


    Cris.
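As an added example that is not part of the original thread: the two gpedit settings davey describes above ("Remove Task Manager" and "Prevent access to registry editing tools") and the REG add command in Cris's post above all act on the same two registry values, DisableTaskMgr and DisableRegistryTools, under the Policies\System key. The PowerShell script below (my own, not Cris's or BitDefender's; it assumes an elevated PowerShell 3 or later prompt) reads both the per-user and the machine-wide copy of that key, reports which tool each present value blocks, and removes the blocking values, which is the same end state as gpedit's "Not configured".

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell 3+ prompt.
# Audits and clears the two policy values behind "Remove Task Manager" and
# "Prevent access to registry editing tools" (DisableTaskMgr / DisableRegistryTools).

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',   # per-user
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'    # machine-wide
)

# Value name -> the tool it disables when non-zero.
$policyValues = @{
    DisableTaskMgr       = 'taskmgr.exe'
    DisableRegistryTools = 'regedit.exe'   # 1 = blocked with a message, 2 = blocked silently
}

function Get-ToolLockout {
    # Returns one record per policy value that is present, in either hive.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $policyValues.Keys) {
            $data = $props.$name
            if ($null -eq $data) { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Data    = $data
                Tool    = $policyValues[$name]
                Blocked = ($data -ne 0)
            }
        }
    }
}

function Clear-ToolLockout {
    # Deletes each blocking value. Deleting (rather than writing 0) matches gpedit's
    # "Not configured", so scanners that flag an explicit value, as davey notes, stay quiet.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($lock in Get-ToolLockout | Where-Object { $_.Blocked }) {
        if ($PSCmdlet.ShouldProcess("$($lock.Key)\$($lock.Name)", 'Remove policy value')) {
            Remove-ItemProperty -Path $lock.Key -Name $lock.Name
            Write-Host "Removed $($lock.Name)=$($lock.Data) from $($lock.Key) (unblocks $($lock.Tool))"
        }
    }
}

Get-ToolLockout | Format-Table -AutoSize    # review first
Clear-ToolLockout -WhatIf                   # dry run; drop -WhatIf to apply
```

If the report is empty (or every value is already 0) and Task Manager or regedit still refuse to start, these policy values are not what is blocking them and the cause has to be looked for elsewhere; that is exactly the situation this thread runs into later. If a value comes back after a reboot or after running gpupdate /force, it is being re-applied, either by a domain policy or by something still running on the machine.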

  • Hello Cris,


    Finally, today I tried to do what you asked me to. But before all that I decided to run gmer.exe just to see if it could find anything else 'fishy'. Well, it gave me a log file clear of all those kernel errors that were in the previous file. Despite all that I followed your steps and searched for them using gmer, and they were not there either. I went to Start > Run and then typed the command as you said; nothing happened. I tried the whole line as well, also nothing (sure enough, the message was "Windows can't find..." etc.). I used Microsoft's advice and I'm still having the same funny thing: I opened gpedit.msc (which opened after Windows stopped responding 2 times), gpedit.msc > User Configuration > Administrative Templates, but I have no SYSTEM file there!! I have only Windows Components. Where did the System file go? I even searched under Computer Configuration and it wasn't there either.


    So what do you think I should do? I'm sending you today's gmer log, if it might be of any help.


    Thanks,


    Fida





    Attachment: gmer_18_09.log

  • Indeed, the log seems clean now.


    As for the REG command, check to see whether the file reg.exe is present in C:\windows\system32\ or not.


    About gpedit, I've done some searching and I've come across a few pieces of advice. First of all, go to Start -> Run, type cmd and press Enter.


    After that, in cmd, type the following commands, one by one (after each one, press Enter).


    regsvr32 gpedit.dll
    regsvr32 gptext.dll
    regsvr32 fde.dll
    regsvr32 ieaksie.dll
    regsvr32 ipsecsnp.dll
    regsvr32 certmgr.dll
    regsvr32 wsecedit.dll
    regsvr32 appmgr.dll


    After each command, you should receive a message stating DllRegisterServer in <dll name> succeeded.


    Reboot your system and try gpedit again. If it doesn't work, try these steps:


    • Right Click on Administrative templates and select Add/Remove templates....
    • When the Add Remove Templates Dialog appears, click the ADD Button (lower left side of the window). This will bring up the Policy Templates dialog.
    • Highlight system.adm and click the Open button.
    • Click the Close button on the Templates Dialog.


    If you can't find system.adm, you can download the file from here: http://www.microsoft.com/downloads/details...;displaylang=en


    In theory, this should bring back the System tab.


    Cris.

  • Fida
    edited September 2009

    Hi again,


    After following the steps you gave me, now I can see the 'system' file in the gpedit.msc. Thanks for solving this issue.


    I checked the link you sent me earlier (http://support.microsoft.com/kb/555480) and tried following the steps. I tried their 'gpupdate/force' method, but when I typed it a small black window flashed and immediately disappeared. This is also what is happening with the REG command. I checked in windows\system32\ and the reg.exe file does exist, but I get the same behavior when I click on it. So till now I can't use taskmgr.exe or regedit.exe.


    I wanted to ask you about this result I obtained with a program (Autoruns.exe): I found many 'File Not Found' entries. I pasted the ones with this note here:


    HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
    + "0" "" "" "File not found: About:Home"

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    + "Display Panning CPL Extension" "" "" "File not found: deskpan.dll"

    HKLM\System\CurrentControlSet\Services
    + "Changer" "" "" "File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
    + "FileDisk2" "Virtual disk encryption driver" "(Not verified) UPEK Inc." "c:\program files\common files\protector suite ql\drivers\filedisk.sys"
    + "i2omgmt" "" "" "File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys"
    + "lbrtfdc" "" "" "File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys"
    + "meiudf" "DVD-RAM UDF File System Driver" "(Not verified) Matsushita Electric Industrial Co.,Ltd." "c:\windows\system32\drivers\meiudf.sys"
    + "MPFIREWL" "" "" "File not found: C:\WINDOWS\System32\Drivers\MPFIREWL.sys"
    + "Netdevio" "TOSHIBA Network Device Usermode I/O Protocol" "(Not verified) TOSHIBA Corporation." "c:\windows\system32\drivers\netdevio.sys"
    + "PCIDump" "" "" "File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
    + "PDCOMP" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys"
    + "PDFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys"
    + "PDRELI" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
    + "PDRFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys"
    + "upperdev" "" "" "File not found: C:\WINDOWS\System32\Drivers\upperdev.sys"
    + "WDICA" "" "" "File not found: C:\WINDOWS\System32\Drivers\WDICA.sys"

    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
    + "vidc.ffds" "" "" "File not found: -"

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    + "regedit.exe" "" "" "File not found: 0"
    + "taskmgr.exe" "" "" "File not found: 0"


    Maybe they are related to the behavior of my machine.


    Thanks,


    Fida

  • Fida,


    I don't know about "gpupdate /force" (never tried it), but the REG tool behavior that you noticed should be OK, since that tool is a console-based tool which closes automatically after its work is done. And the command I gave you above uses REG to add a key to the system registry, to enable regedit.


    If you want to see the result of REG (or any other console-based tool), go to Start -> Run, type cmd and press Enter. Then, in cmd, write the commands as you would write them in Run. Whatever result is displayed by the tool will then be visible in cmd. So you can try this method to run the gpupdate and REG commands and see what the result is.


    On the other hand...about what you posted (from Autoruns). I will check to see if I can find out anything about those missing drivers.


    In the meantime, please check these:


    - use gmer to see if you find any of those "missing files" in those folders. Post back if you find any


    - that log says that regedit and taskmgr are completely missing. Please check to see if they exist in C:\windows\system32


    Cris.

  • Fida
    edited September 2009

    Hi Cris,


    I couldn't find anything missing in gmer.exe. I opened C:\Windows\System32 and I can see the files regedit.exe (a cube with little smaller cubes flying) and taskmgr.exe (a computer-like icon), but when I click either of them I get the same Windows error message:


    Windows can't find 'regedit'. Make sure you typed the file correctly and try again.


    Same for taskmgr (I also tried adding ".exe", nothing either), and also through the Run command, same thing.


    On the other hand, under the Registry tab in gmer, in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, both (regedit.exe) and (taskmgr.exe) showed this in the right-hand window:


    Name: Debugger, Type: REG_SZ and Data: 0


    and there is another file in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your image file here without a path, which has 2 subfiles:


    One is: Name: Debugger / Type: REG_SZ / Data: ntsd -d, and another:


    Name: GlobalFlag/ Type: REG_SZ/ Data: 0x000010F0


    I don't know if these are related to this problem. I'm really out of ideas. It's so strange that we are trying all the seemingly possible solutions to restore regedit and taskmgr and nothing is succeeding. Maybe that 'Debugger' thing is related, I really don't know anymore.


    Thanks,


    Fida

  • alexcrist
    edited September 2009

    Fida,


    It seems you came across a quite old method of registry exploit. I became curious about those registry keys and I've done some searching about them.


    I'll start with the simplest thing: I don't know exactly what the purpose of "Your image file here without a path" is, and it's too late at night right now to read about it. But the same values appear in my registry for this key, so my guess is that they are correct and safe.


    The other ones (regedit and taskmgr) don't exist at all in my registry (at that address). And reading about Image File Execution Options on the web revealed that the Debugger value is used for launching a debugger instead of launching the actual process (in your case, regedit or taskmgr). For developers, this can be a useful feature... but also, for malware creators, it can be an easy way of replacing some processes with infected ones (because instead of launching what YOU want, something different will be launched instead).


    And, in case the Debugger value is incorrect (points to a nonexistent application) or is 0 (as in your case), then when you try to launch that application (regedit or taskmgr), you'll get an ERROR_FILE_NOT_FOUND error (something like "Windows cannot find the file"). :)


    The problem is that neither Windows, nor some other application (like an AV software) can say if the value behind Debugger is a real debugger or a malicious software...


    A quick test on my system reproduced the same effects.


    If you (or anyone else) are interested to read more details about this, here are a few starting points:


    http://isc.sans.org/diary.html?storyid=4039


    http://blogs.msdn.com/oldnewthing/archive/.../19/505449.aspx


    Now back to trying to solve the problem: in theory, assuming that there's no active infection on your system (and, so far, we couldn't find any traces, so hopefully there isn't), fixing it only requires you to delete the regedit and taskmgr keys. (To avoid confusion, a key is like a folder in Windows Explorer). Use GMER to delete them.


    To be sure you don't break anything, write down any information before deleting it, so you can undo the deletion if you need to.


    After deleting those 2 keys, see if regedit and taskmgr work.


    Also, check the other keys in Image File Execution Options for Debugger values. If you find other ones, post them here. Normally, there shouldn't be any Debugger value.


    Cris.

  • alexcrist
    edited September 2009

    Hello Fida,


    I made a small mistake in my last post. As I said, it was kind of late at night and I didn't really check whether GMER can delete registry keys (and, apparently, it can't... it can only edit their values).


    So, to delete the keys, try to use the REG tool: go to Start -> Run, type cmd and press Enter. Then type these 2 commands, one by one:


    REG DELETE HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe /f
    REG DELETE HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe /f


    Cris.

  • Fida
    edited September 2009

    Hi Cris,


    Sorry, I was out of town and just now checked your post. Well, at least we now kind of know what is going on. I just want to make sure about something before I start. Regarding this advice:


    To be sure you don't break anything, write down any information before deleting it, so you can undo the deletion if you need to.



    These files I found with Autoruns.exe, so what information should I write down before deleting them? I mean, the information which was available there was only the name, type and value. Is there anything else? Or maybe I should access them with GMER to get further information?


    Thanks


    Fida

  • Yes, use GMER (Registry tab) to navigate to those keys and note all values (Name / Type / Data) for taskmgr.exe and regedit.exe.


    After that, use the 2 REG commands I wrote in my previous post.


    Note: registry keys are shown like folders on the left side, and values are shown like files on the right side.


    Cris.

  • Fida
    edited September 2009

    Hi Cris,


    I did as you said through Run > cmd, but I got an error after typing the first command line and pressing Enter:


    Error: too many command-line parameters.


    Fida

  • Try putting the path between quotes:


    REG DELETE "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f
    REG DELETE "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /f


    Cris.
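An added example, not part of the original thread and not Cris's or BitDefender's code, covering the Image File Execution Options explanation two posts up, the "write everything down before deleting" advice, and the REG DELETE commands above. The PowerShell script lists every IFEO subkey that carries a Debugger value, checks whether the program named in it actually resolves (a Debugger of "0", as in this thread, resolves to nothing, so the image can never start), exports a key to a .reg file before deleting it, and treats only the "Your image file here without a path" placeholder as benign, because that is the one entry this thread vouches for. It assumes an elevated PowerShell 3 or later prompt; the backup folder name is an assumption.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell 3+ prompt;
# the backup folder is an assumption. Audits Image File Execution Options (IFEO) for
# Debugger values, backs up a key with reg.exe, and removes it.

$ifeoPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ifeoReg   = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$backupDir = 'C:\ifeo-backup'   # assumed location for the .reg exports

# The placeholder key that ships with the Windows debugging tools (Debugger = "ntsd -d",
# GlobalFlag = 0x10F0), which the thread above accepts as legitimate.
$knownBenign = @('Your image file here without a path')

function Get-IfeoDebugger {
    # One record per IFEO subkey that carries a Debugger value.
    foreach ($key in Get-ChildItem -Path $ifeoPath) {
        $debugger = (Get-ItemProperty -Path $key.PSPath).Debugger
        if ([string]::IsNullOrEmpty($debugger)) { continue }

        # Windows runs the first token of the Debugger string with the original command line
        # appended; resolve that token the way a PATH lookup would.
        $program  = ($debugger -split '\s+', 2)[0].Trim('"')
        $resolved = Get-Command -Name $program -CommandType Application -ErrorAction SilentlyContinue
        $target   = if ($resolved) { $resolved.Source } else { $null }

        [pscustomobject]@{
            Image       = $key.PSChildName
            Debugger    = $debugger
            Target      = $target      # $null: nothing to run, so the image cannot start at all
            KnownBenign = ($knownBenign -contains $key.PSChildName)
        }
    }
}

function Remove-IfeoDebugger {
    # Exports the key to a .reg file (undo with: reg import <file>), then deletes it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Image)

    $keyPath = Join-Path -Path $ifeoPath -ChildPath $Image
    if (-not (Test-Path -Path $keyPath)) { return }

    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $backup = Join-Path -Path $backupDir -ChildPath "$Image.reg"
    if (Test-Path -Path $backup) { Remove-Item -Path $backup }
    # The key path contains spaces, so both arguments must be quoted for reg.exe,
    # the same fix Cris applies to the REG DELETE commands above.
    & reg.exe export "$ifeoReg\$Image" "$backup" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $Image" }

    if ($PSCmdlet.ShouldProcess($keyPath, 'Delete IFEO key')) {
        Remove-Item -Path $keyPath -Recurse
    }
}

$findings = Get-IfeoDebugger
$findings | Format-Table -AutoSize

foreach ($f in $findings | Where-Object { -not $_.KnownBenign }) {
    $where = if ($f.Target) { $f.Target } else { 'does not resolve' }
    Write-Warning "IFEO Debugger on $($f.Image): '$($f.Debugger)' -> $where"
    Remove-IfeoDebugger -Image $f.Image -WhatIf   # drop -WhatIf after reviewing the report
}
```

The report is worth reading before removing anything: a Debugger that resolves to a real program is the more dangerous case, since that program is what runs every time the image is launched, whereas a value that resolves to nothing only produces the "Windows cannot find" error seen in this thread. On 64-bit Windows the same check should be repeated under the WOW6432Node copy of the key.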

  • Fida
    edited September 2009

    Hi Cris,


    FINALLY. Now I can bring up the Task Manager window with Ctrl/Alt/Del and, in Run, regedit opens. Thanks very much, Cris, for all the trouble I caused you guys. I just wanted to ask you about System Restore. In the beginning of the problem, after I deleted the virus manually, I made a new system restore point and then tried restoring my computer to it after some days, but I was always getting the message "Your computer can't be restored to this date". Do you think this was related to what we solved today? Or do you think I should create a clean system restore point from today?


    I'm really grateful for the help you provided.


    Regards,


    Fida

  • Thanks very much Cris for all the trouble I caused you guys.


    No problem. I'm glad I could be of help. :)


    I just wanted to ask you about the System Restore. In the beginning of the problem after I deleted the virus manually I made a new system restore point and then I tried restoring my computer to it after some days but I was always getting the message: Your computer can't be restored to this date". Do you think this was related to what we solved today? Or do you think I should create a clean system restore point from today's?


    Please check if there are any other keys in Image File Execution Options that have the Debugger value set. If you find any, post them here.


    If not, create a new System Restore Point, just to be sure it contains correct data.


    Cris.

  • Fida
    edited September 2009

    Hi Cris,


    I have checked under that file i found this:


    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your image file here without a path


    It has 2 subfiles:


    One is


    Name: Debugger / Type: REG_SZ / Data: ntsd -d


    and another:


    Name: GlobalFlag / Type: REG_SZ / Data: 0x000010F0


    Fida

  • That is valid. If there aren't any other, then you're OK. :)


    Cris.

  • Fida
    edited September 2009

    OK then. Thanks again, Cris. Hope I won't be facing other nightmares in the near future.


    good luck,


    Fida

  • OK. Since this issue is solved, I will close this topic. If you need it re-opened, drop me a PM. :)


    Cris.


    == CLOSED ==


    == ISSUE SOLVED ==

This discussion has been closed.