
Task Manager, CMD, Regedit Virus

Once every 6 months or so, I do get a virus. I came across this one from Limewire.

Symptoms: regedit, cmd & Task Manager lost! Each one reports "in use by another program".

After running Ad-Aware and Microsoft Defender, my system was reported as clean, apart from some cookies being cleared out.

Several sites report the same problem: Task Manager cannot be opened or fails, and regedit and cmd have the same issue.

The virus takes hold of these application pointers; fortunately, I use a replacement application for the command prompt, so I was able to find the source of the issue.

Resolution:
Two files need to be renamed/deleted:
b.exe (in the Windows root folder) and svchost.exe located in Startup. The virus uses a trusted name (svchost.exe) but puts the file in the Startup folder.
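A check a defender can run for the two files the post names, added here as an example (it is not code from the original post). It assumes the locations given above, a svchost.exe in a Startup folder and b.exe directly under the Windows folder, and also flags any running svchost.exe whose image is not in System32; it only reports and deletes nothing:

```powershell
# Added example, not code from the original post. Reports the two indicators the
# post names (svchost.exe in a Startup folder, b.exe in the Windows root) and any
# running svchost.exe not loaded from System32. It only reports; nothing is deleted.
$legitSvchostDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function New-Finding($indicator, $path) {
    $item = Get-Item -LiteralPath $path -Force
    [PSCustomObject]@{
        Indicator = $indicator
        Path      = $item.FullName
        Bytes     = $item.Length
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

$findings = @()

# 1. svchost.exe dropped into the per-user or all-users Startup folder.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -Filter 'svchost.exe' -File -Force -ErrorAction SilentlyContinue) {
        $findings += New-Finding 'svchost.exe in Startup folder' $f.FullName
    }
}

# 2. b.exe in the Windows root folder (e.g. C:\Windows\b.exe).
$bexe = Join-Path $env:SystemRoot 'b.exe'
if (Test-Path -LiteralPath $bexe) { $findings += New-Finding 'b.exe in Windows root' $bexe }

# 3. Any running svchost.exe not loaded from System32/SysWOW64. Path is $null for
#    processes we are not allowed to query, so those are skipped rather than flagged.
foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    if ($p.Path -and ((Split-Path $p.Path -Parent) -notin $legitSvchostDirs)) {
        $findings += New-Finding "running svchost.exe (PID $($p.Id)) outside System32" $p.Path
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No svchost.exe in Startup folders, no b.exe in the Windows root, all svchost processes in System32.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the process paths can be read; a hit in the Startup folder or the Windows root is the file to rename or delete, as described above.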


Background:
I don't use any memory-resident virus prevention software. I rarely come across malware, except when looking for a software crack, questionable software, or the like. In this case, I downloaded something from Limewire. Many of the listings on Limewire these days are viruses and such, so you do need to be careful. I believe the software operates as a Limewire distributor for the virus itself. I cannot find anything it does beyond redistribution of itself.
