The most likely cause of a disabled Windows Task Manager and Registry Editor is that the computer has been infected by a virus. Most often, when you try to open the Registry Editor with the regedit command, you receive the message "Registry editing has been disabled by your administrator."
The most common cause of this is a virus that usually arrives as SCVVHSOT.EXE. If you can still open Task Manager, you will see it listed as a running process. Do not confuse it with svchost.exe, which is a genuine Windows process.
SCVVHSOT.EXE can also use the following file names:
- NEW FOLDER.EXE
- DS4.EXE
- BLASTCLNNN.EXE
- 94691636.EXE
- DD2.EXE
- DOC STAMPS COMPUTATION.EXE
- XSCVVHSOT.EXE
- DCIM.EXE
- BABY_ANNE.EXE
- MGA N LAWS 2 B.EXE
- _PALBTN.EXE
- 08-30-07.EXE
The filename SCVVHSOT.EXE refers to several different instances of the executable.
The most common file size is 290,419 bytes, but the following file sizes have also been seen:
- 331,776 bytes
- 300,544 bytes
- 468,448 bytes
- 290,816 bytes
The unsafe files using this name are associated with the malware group WORM.IM.SOHANAD.L.
These files have no vendor, product or version information specified in the file header.
SCVVHSOT.EXE has been seen to perform the following behaviors:
- The process is packed and/or encrypted using a software packer
- Executes a process
- Can communicate with other computer systems using HTTP
- Deletes other processes from disk
- Adds a registry key (Run) to auto-start programs at system start-up
- Disables access to the Windows Registry Editor
- Modifies Windows security policies to restrict or expand user privileges on the machine
- Disables access to the Windows Task Manager
- Enables the system to use a communications proxy server
- Registers a dynamic link library file
- Hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Creates other processes on disk
- Disables the built-in Windows File Protection system
- Makes outbound connections to other computers using NETBIOSOUT protocols
Normally an up-to-date antivirus such as McAfee or Kaspersky will detect this virus. However, if your system is already infected, you can try booting the machine in Safe Mode and deleting it manually. This can be nearly impossible, because the virus copies itself into every folder on your hard disk and any removable disk.
As a first step, you can disable it from the startup items so that it does not run at startup while you update your antivirus.
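As an added example (not code from the original post), the following PowerShell script audits and optionally clears the two policy values behind the "disabled by your administrator" messages, and reports Run-key autostart entries that reference any of the file names listed above. It assumes the standard Windows policy value names DisableTaskMgr and DisableRegistryTools, which the post itself does not name, and must be run from an elevated prompt to touch HKLM.

```powershell
# Added example: audit/undo the Task Manager and regedit restrictions and list
# Run-key entries pointing at the worm's known file names. Not from the post.
# Set $Fix = $true to actually remove the policy values; default is report-only.
$Fix = $false

# File names the post lists for this worm (constructed from the list above).
$knownNames = @('SCVVHSOT.EXE','NEW FOLDER.EXE','DS4.EXE','BLASTCLNNN.EXE',
    '94691636.EXE','DD2.EXE','DOC STAMPS COMPUTATION.EXE','XSCVVHSOT.EXE',
    'DCIM.EXE','BABY_ANNE.EXE','MGA N LAWS 2 B.EXE','_PALBTN.EXE','08-30-07.EXE')

# Standard policy keys (assumed value names DisableTaskMgr / DisableRegistryTools).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
# Properties Get-ItemProperty adds that are not real registry values.
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# 1. Report (and with $Fix, remove) the values that hide Task Manager and regedit.
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in 'DisableTaskMgr','DisableRegistryTools') {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.$name -ne 0) {
            Write-Output "$key\$name = $($item.$name)  (restriction active)"
            if ($Fix) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output "  removed $name"
            }
        }
    }
}

# 2. List autostart entries whose command contains one of the known file names.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $cmd = ([string]$p.Value).ToUpperInvariant()
        foreach ($n in $knownNames) {
            if ($cmd.Contains($n)) {
                Write-Output "Suspicious autostart: $key\$($p.Name) -> $($p.Value)"
            }
        }
    }
}
```

Review each reported autostart entry before removing it with Remove-ItemProperty, and delete the referenced file from disk as well, otherwise the entry will simply be recreated on the next run.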