Hi barot,
The "Window Not Found" error is most likely being caused by a trojan.
This has been mentioned in several discussions on the Internet:
Newbie.org: taskmngr.exe discussion
http://www.newbie.org/help/messages/2553.html
Google Groups search: "window not found" (trojan OR virus)
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&q=%22window+not+found%22+%28trojan+OR+virus%29
The following article on Symantec's web site provides instructions on
how to remove the trojan using Norton AntiVirus:
Symantec Security Response - Trojan.IrcBounce
http://securityresponse.symantec.com/avcenter/venc/data/trojan.ircbounce.html
According to the article, you must do the following:
"1. Update the virus definitions.
2. Run a full system scan, and delete all files that are detected as
Trojan.IrcBounce."
There are two ways to update the virus definitions:
"Run LiveUpdate, which is the easiest way to obtain virus definitions.
These virus definitions are posted to the LiveUpdate servers one time
each week (usually Wednesdays) unless there is a major virus
outbreak."
"Download the definitions using the Intelligent Updater. Intelligent
Updater virus definitions are posted on U.S. business days (Monday
through Friday). They must be downloaded from the Symantec Security
Response Web site and installed manually."
I recommend that you run LiveUpdate, since that is the easier of the
two methods. However, if you want to use the Intelligent Updater,
then you will need to go to the following page:
Symantec Security Response - Virus Definitions Download Page
http://securityresponse.symantec.com/avcenter/defs.download.html
Here are the instructions on how to use the Intelligent Updater:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/1998082013035306
Here is how to scan and delete files:
"1. Start your Symantec antivirus program, and make sure that it is
configured to scan all files.
- Norton AntiVirus consumer products: Read the document How to
configure Norton AntiVirus to scan all files [
http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999110513272906 ].
- Symantec enterprise antivirus products: Read the document How to
verify a Symantec Corporate antivirus product is set to scan All Files
[ http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002052213125148
].
2. Run a full system scan.
3. If any files are detected as infected with Trojan.IrcBounce, click
Delete."
The article also states that you may want to remove a value from the
registry:
"As noted in the Technical Description, the Trojan uses Taskmngr.exe,
which is actually a renamed copy of the legitimate program Mirc32.exe.
Because it is a legitimate program, it is not detected by Symantec
antivirus products. The Trojan may add a reference to this file to a
registry key so that mIRC starts each time that you start Windows.
This is not harmful, but can be annoying. Follow these steps to remove
the reference from the registry:
CAUTION: Symantec strongly recommends that you back up the registry
before you make any changes to it. Incorrect changes to the registry
can result in permanent data loss or corrupted files. Modify only the
keys that are specified. Read the document How to make a backup of the
Windows registry [ http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617
] for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, look for a value or value data that refers to
Taskmngr.exe
5. Delete the reference if you find it.
6. Exit the Registry Editor."
In addition to removing the trojan, there may also be some damage that
needs to be repaired. The following Microsoft knowledge base article
states that the trojan can modify the security policy on computers
that act as domain controllers:
MIRC Trojan-Related Attack Detection and Repair
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
"If the compromised computer is a domain controller, the security
policy is modified. Some of the possible effects of a modified
security policy are:
- Guest accounts that were previously disabled are re-enabled.
- New unauthorized accounts, possibly with administrative privileges,
are created.
- Security permissions are changed on servers or in Active Directory.
- Users cannot log on to the domain from the workstations.
- Users cannot open Active Directory snap-ins in Microsoft Management
Console (MMC).
- Error logs display multiple, failed logon attempts from legitimate
users who were locked out."
The article also states that you should engage in the following
practices to avoid being infected by the trojan again in the future:
"- Eliminating blank or weak administrator passwords.
- Disabling the guest account.
- Running current antivirus software with up-to-date virus signature
definitions.
- Using firewalls to protect internal servers, including domain
controllers.
- Staying up to date on all security patches."
If your computer acts as a domain controller and its security policy
was modified, you should restore the default security policy and make
changes from there. The following article has instructions on how to
restore the default security policy (see step 5 under the 'How to
remove the Trojan' section):
mIRC (port 445) Trojan Analysis
http://www.klcconsulting.net/mIRC_Virus_Analysis.htm
If you still encounter the "Window Not Found" error after removing the
trojan, please request a clarification and I will investigate the
problem further.
Regards,
sldreamer
Search strategy:
"window not found" "windows 2000"
://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&safe=off&q=%22window+not+found%22+%22windows+2000%22
http://groups.google.com/groups?hl=en&lr=&ie=ISO-8859-1&safe=off&q=%22window+not+found%22+%22windows+2000%22
"window not found" (trojan OR virus)
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&q=%22window+not+found%22+%28trojan+OR+virus%29
taskmngr.exe
://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&safe=off&q=taskmngr.exe |
