malicious script: task manager unavailable

July 4, 2005 11:56:07 AM

Archived from groups: microsoft.public.win2000.security

Hi.
A malicious script infected my Win2000 SP4 with kernels32.exe in
c:\winnt\system32.
I deleted the file from safe mode, created a read-only folder with the
same name, and removed it from the registry in the line shell=explorer.exe
kernels32.exe.
I restarted, but still:
my startup is very slow, and when I press Ctrl+Alt+Del, the Task Manager
button is grayed out, so it is impossible to check my running apps and kill them.
Even if I use Start, Run: taskman.exe, nothing comes up.
I have scanned my PC with Norton AV 2005 with the latest updates, and with MS
AntiSpyware beta 1 with the latest updates: nothing is found or corrected.
What can I do?
Thanks.
Anonymous
July 4, 2005 5:50:17 PM


With the increase in "rootkit" type compromises of computer operating
systems, it is not always possible to easily make repairs or be sure that the
system is actually clean. What I would suggest is that you try a second
opinion such as the free Trend Micro Sysclean, and use the free SysInternals
tool RootkitRevealer to see if you can determine whether you have a rootkit
compromise; if that is the case, a clean install of the operating system
is by far the best option to restore things to normal. While at the
SysInternals website, download Process Explorer, Autoruns, and TCPView. These
tools may work and help you further determine what is up with your computer
by showing great detail on running processes and startup programs. If you do
decide to do a clean install, be sure to scan any backed-up data media with
antivirus before you copy to the fresh install, and take steps to prevent
recurrence of compromise.

Such steps at minimum would be: have a firewall protecting your computer
before connecting to the internet again; install all critical security
updates from Windows Update; use strong passwords for your user accounts;
disable unneeded services, which Microsoft Baseline Security Analyzer can
help you with; configure minimum recommended security levels for Internet
Explorer; and use a quality antivirus program that is also kept up to date,
scans ALL email attachments and downloads, and monitors your computer in
real time. The links below may help. --- Steve

http://www.sysinternals.com/Utilities/RootkitRevealer.h... --- link to SysInternals and RootkitRevealer
http://www.trendmicro.com/download/dcs.asp --- Sysclean
http://www.trendmicro.com/download/pattern.asp --- Sysclean pattern file in .zip
http://www.microsoft.com/technet/security/tools/mbsahom... --- MBSA security tool
http://www.microsoft.com/downloads/details.aspx?FamilyI... --- Anti Virus in Depth guide

"bestofcomputer" <bestofcomputer@discussions.microsoft.com> wrote in message
news:9225F965-8ADD-4A69-A3DE-05903B06DD05@microsoft.com...
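As an added example (not from either post, and not Sysinternals' code), here is a small offline audit of the autostart locations this thread revolves around: the Winlogon Shell value that the infection had changed to shell=explorer.exe kernels32.exe, the Run keys that Autoruns would list, and the DisableTaskMgr policy value. The registry data is passed in as plain dicts so the script runs anywhere; on a live Windows box the same dicts could be filled from winreg. The key paths, the one-character look-alike heuristic (kernels32 vs kernel32) and the DisableTaskMgr check are my additions from general Windows knowledge; the thread never says why the Task Manager button is grayed, so treat that check as one plausible cause, not a diagnosis. The SAMPLE data is constructed.

```python
"""Offline audit of Windows autostart locations (added example, not from the post).

Registry contents are supplied as {key_path: {value_name: data}} dicts; the
SAMPLE below is constructed from what the original post describes.
"""
import ntpath

# Key paths assumed from general Windows knowledge, not quoted in the thread.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Only explorer.exe belongs in the Winlogon Shell value on a stock install.
EXPECTED_SHELL = {"explorer.exe"}
# Well-known system binary names that droppers like to imitate.
SYSTEM_NAMES = {"kernel32", "explorer", "svchost", "lsass", "csrss",
                "winlogon", "services", "smss", "spoolsv", "taskmgr"}


def split_entries(value):
    """Split a Shell/Run value into tokens on commas and whitespace,
    keeping double-quoted paths together."""
    tokens, current, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif ch in " ,\t" and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_name(program):
    """True if the file name is a one-character near miss of a system binary."""
    stem = ntpath.splitext(ntpath.basename(program))[0].lower()
    return stem not in SYSTEM_NAMES and any(
        edit_distance(stem, known) == 1 for known in SYSTEM_NAMES)


def audit_shell(shell_value):
    """Programs listed in the Winlogon Shell value other than explorer.exe."""
    return [t for t in split_entries(shell_value)
            if ntpath.basename(t).lower() not in EXPECTED_SHELL]


def audit_registry(reg):
    """Return (location, value_name, reason) findings for the given registry dicts."""
    findings = []
    shell = reg.get(WINLOGON, {}).get("Shell", "explorer.exe")
    for extra in audit_shell(shell):
        findings.append((WINLOGON, "Shell", f"extra shell program: {extra}"))
    for key in RUN_KEYS:
        for name, command in reg.get(key, {}).items():
            program = split_entries(command)[0] if command.strip() else ""
            if looks_like_system_name(program):
                findings.append((key, name, f"system look-alike name: {program}"))
    # Assumption: DisableTaskMgr=1 is one way the Task Manager button ends up grayed.
    if reg.get(POLICY_SYSTEM, {}).get("DisableTaskMgr", 0) == 1:
        findings.append((POLICY_SYSTEM, "DisableTaskMgr", "Task Manager disabled by policy"))
    return findings


# Constructed sample mirroring the post: explorer.exe plus the dropped kernels32.exe.
SAMPLE = {
    WINLOGON: {"Shell": "explorer.exe kernels32.exe"},
    RUN_KEYS[0]: {"Synchronization Manager": "mobsync.exe /logon",
                  "kernels32": r"C:\WINNT\system32\kernels32.exe"},
    POLICY_SYSTEM: {"DisableTaskMgr": 1},
}

if __name__ == "__main__":
    for location, value_name, reason in audit_registry(SAMPLE):
        print(f"{location}\\{value_name}: {reason}")
```

Run against SAMPLE it reports the extra shell program, the look-alike Run entry and the policy value; an empty dict (a clean, default system) produces no findings. The look-alike check is a heuristic and will miss renamed droppers entirely, which is why the reply's advice to compare against a clean install, rather than trust any single scanner, still stands.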