Painful computer infection - msconfig&task manager down
01-17-2010, 12:03 PM
My laptop has an infection now and there is a nontrivial chance I would murder the bastard who created it. I've cleaned part of it, but the basic core remains intact: I can't open msconfig or the task manager (and thus can't close the processes). AVG, SuperAntispyware, and Anti-Malware don't seem to help more.
This particular bit of P-i-t-A-ness likes to pop up and tell me I'm infected, and if I click "here" it will happily fix the problem (yeah....). When I try to open msconfig, it tells me it's infected and thus can't be opened! (I will give the creator of this mess props for sheer chutzpah, for sure.) When I hit Ctrl-Alt-Delete to run the task manager and close things, the option no longer even appears available!
The message it likes to kick up on my screen every five minutes is as follows:
Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software).
I really want this guy behind bars. Preferably naked in a zoo, where I can poke him with a stick.
01-17-2010, 12:22 PM
Try these instructions (http://www.2-spyware.com/remove-antivirus-live.html).
Or boot into safe mode, run regedit. Open
There will be an entry with a pretty random name, usually pointing to something like C:\Documents and Settings\<your user id>\Local Settings\<random>\<random.exe>. Delete this key and the executable. Run a complete antivirus scan in safe mode.
Then reboot your system and fix the Internet Explorer settings as noted in the above link.
I just cleaned a system on Friday using this method. The trick is identifying the Run entry of the malware, but you can usually figure it out.
01-17-2010, 12:27 PM
Try the info at http://www.bleepingcomputer.com/forums/lofiversion/index.php/t230898.html
01-17-2010, 12:37 PM
Malwarebytes is pretty good.
01-17-2010, 06:22 PM
It sounds like you've got a rootkit -- and that's bad news. There are rootkit scanners, and they can help (if the virus doesn't kill them first; they scan the directories alphabetically instead of scanning the Windows folder first, a triumph of laziness).
I've had luck by booting with a CD-based operating system like Bart-PE and then searching for suspicious files in the Windows/system32 folder (check the date for the most recent files; they're the most likely). Delete the files then and see if you got lucky. Otherwise, the rootkit can be anywhere.
01-17-2010, 06:35 PM
It sounds like a root kit. I encountered System Security last year. Bleeping Computer might be too busy, try the MBAM site. Have you tried msconfig in Safe Mode? It's how I began chipping away at my problem.
I'm infected - What do I do now?
01-17-2010, 09:47 PM
You can also download a new version of msconfig and run it directly.
Do you know where you contracted your infection?
01-17-2010, 10:11 PM
msconfig is not really infected, the spyware is just blocking it and telling you it is infected. It does not need to be replaced.
01-18-2010, 12:31 AM
First of all, be sure to disconnect from the Internet -- unplug your Ethernet cable or disable your wireless. Otherwise, you can get so infected that the only fix is a reformat of your drive. You need to use a rootkey virus killer like RootRepeal (http://rootrepeal.googlepages.com/). It did the trick for me. After wiping the offending entry in your registry, immediately boot into safe mode and run the various anti-malware programs. The one from Malwarebytes is pretty good. If you need help, download HijackThis from here (http://www.bleepingcomputer.com/files/hijackthis.php), get a report and post it at the Malwarebytes or Bleeping Computer forums. Someone will come along to help. BTW I had a very similar problem a few weeks ago and it's frustrating but solvable.
01-18-2010, 01:04 AM
msconfig is not really infected, the spyware is just blocking it and telling you it is infected. It does not need to be replaced.
You can download it and run it directly without replacing it. It doesn't require installation, it's a stand-alone program.
01-18-2010, 01:29 AM
Right, but the virus will pop up that message when the OP tries to run any program called msconfig. The OP can copy msconfig to a flash drive and rename it and it should work.
If the OP was in NJ I'd offer to help clean it in person at a Starbucks or Panera.
01-19-2010, 11:29 AM
Alright, I managed to clean it. Sadly, the advice most offered was not helpful, although I can hardly blame you for that - this sucker was mean. If I ever find the loser who created it... well, I'd have a few things to confess the next day, let me tell you.
It closed upon opening: msconfig, regedit, the task manager as well as hiding it, the windows help file (which I used to find an alternative means of opening the task manager), the rkill.com process used to disrupt the virus process itself, and so on.
Eventually, a combination of Malwarebytes and renaming rkill.com did the trick. For good measure, once it went down I checked msconfig and my registry as well as deleting the problem file folders and locating that twisted, evil version of smss.
Anyway, this one is called Internet Security 2010, and this worked for me even when I couldn't use anything else. This particular one is ransomware, so hopefully somebody called the police and the FBI took the jerkface down.