
Task Manager Disabled


7 replies to this topic

#1 protocell (Members, 21 posts)

Posted 24 February 2008 - 06:35 AM

Please, guys, help me on this. My Task Manager has been disabled and my net started to connect by itself without me connecting it. This happened because my classmate used my PC and surfed the internet without my permission.

According to him, while he was searching on Google, IE suddenly crashed and a while later the whole PC crashed. Of course he restarted it because of the crash. That's when I noticed what had happened.

I observed what happened and tried using IE, but when I clicked on one of the forum topics on this site (because I was already looking for a solution to the spyware), IE started opening new windows of that link without limit.

Please, I really need help on this one.


#2 quietman7 (Global Moderator, Bleepin' Janitor, 50,592 posts, Virginia, USA)

Posted 24 February 2008 - 08:49 AM

What OS (Win XP, XP SP1, XP SP2/2000, etc.) are you using? What type of anti-virus are you using? Have you performed any anti-spyware scans? Have you tried doing your scans in "Safe Mode"? Are you doing scans while logged into the "Administrator Account" or an "account with administrator privileges"?

You need to start there first. If rescanning in Safe Mode does not help, and you're using Win XP/2000, then do this:

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights".
When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

Please download MsnCleaner.zip and save it to your Desktop. (In addition to removing infected files, it will lift certain restrictions that malware often places on your system.)
  • Extract (unzip) the file to your desktop (click here if you're not sure how to do this), but DO NOT use it yet.
  • Reboot your computer in "Safe Mode" using the F8 key. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click MsnCleaner.exe to run the tool.
  • Click the "Analyze" button.
  • A report will be created after the scan and will be saved to C:\MsnCleaner.txt.
  • If it finds an infection, click the "Deleted" button.
  • Reboot normally and post the contents of MsnCleaner.txt in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 protocell (Topic Starter, Members, 21 posts)

Posted 24 February 2008 - 02:37 PM

I have done all the instructions and as of now my Task Manager is still disabled. But it's OK; I know you (quietman7) will find a solution. By the way, thanks quietman7 for replying.

Here is the SDFix log:


SDFix: Version 1.146

Run by Administrator on Mon 02/25/2008 at 03:02 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{17c5a15b-1280-4f1f-a924-7ab4e1f6a12b}\zip.dll - Deleted
C:\WINDOWS\SYSTEM32\DLLGH8~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINMDS.EXE - Deleted
C:\12C.TMP - Deleted
C:\12D.TMP - Deleted
C:\12E.TMP - Deleted
C:\12F.TMP - Deleted
C:\130.TMP - Deleted
C:\131.TMP - Deleted
C:\132.TMP - Deleted
C:\133.TMP - Deleted
C:\134.TMP - Deleted
C:\135.TMP - Deleted
C:\136.TMP - Deleted
C:\137.TMP - Deleted
C:\138.TMP - Deleted
C:\Program Files\Trend Micro\Internet Security\Quarantine\1.dllb - Deleted
C:\Program Files\Trend Micro\Internet Security\Quarantine\2.dllb - Deleted
C:\Program Files\Trend Micro\Internet Security\Quarantine\5.dllb - Deleted
C:\Program Files\Trend Micro\Internet Security\Quarantine\6.dllb - Deleted
C:\Program Files\Trend Micro\Internet Security\Quarantine\7.dllb - Deleted
C:\WINDOWS\system32\dllgh8jkd1q8.exe - Deleted
C:\WINDOWS\system32\herjt386.exe - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\winlogans.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 03:12:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,31,bd,d4,6b,91,20,31,41,60,25,ed,23,03,53,6f,f8,fa,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,43,51,be,43,27,80,62,7a,ce,a4,a0,d2,59,0c,a0,46,88,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
"khjeh"=hex:20,02,00,00,04,51,be,43,ca,47,95,36,95,dc,5c,1b,d4,5f,4a,cd,e7,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
"khjeh"=hex:20,02,00,00,f6,50,be,43,f0,55,4e,01,53,53,60,2c,ca,55,f9,5c,95,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\sdfix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Aug 2004 1,667,584 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 5 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 15 Feb 2008 19,845,632 ...H. --- "C:\Documents and Settings\Arsenio I. Cagulang\My Documents\~WRL0004.tmp"
Wed 16 Nov 2005 78,104 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Wed 16 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sun 24 Feb 2008 24,102 ..SHR --- "C:\WINDOWS\Installer\{2edcd1a5-59ce-4b75-b497-ee833e3d6b51}\zip.dll"
Sun 24 Feb 2008 24,102 ..SHR --- "C:\WINDOWS\Installer\{3bf11b14-bfe7-4e8e-b267-4246dc7d41c7}\zip.dll"
Sun 24 Feb 2008 24,102 ..SHR --- "C:\WINDOWS\Installer\{4d57af4f-1a44-45c3-b547-e969d0a8e861}\zip.dll"
Sun 24 Feb 2008 24,102 ..SHR --- "C:\WINDOWS\Installer\{8561d49b-3a0a-44dc-97b4-0a964bf5ff61}\zip.dll"
Sun 24 Feb 2008 24,102 ..SHR --- "C:\WINDOWS\Installer\{88666e49-1e70-477e-af20-585caee57f24}\zip.dll"
Sun 24 Feb 2008 24,102 ..SHR --- "C:\WINDOWS\Installer\{b0fc066a-1a7a-4760-80c6-2013a5c544c3}\zip.dll"
Sun 24 Feb 2008 24,102 ..SHR --- "C:\WINDOWS\Installer\{be6a83e5-a056-4f4c-91ec-52524dc85192}\zip.dll"
Sun 24 Feb 2008 24,102 ..SHR --- "C:\WINDOWS\Installer\{bf0780d7-c66b-4155-9007-82331bd8d273}\zip.dll"
Sun 3 Feb 2008 102,553 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\121.tmp"
Wed 29 Aug 2007 290,912 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\122.tmp"
Tue 13 Nov 2007 229,709 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\124.tmp"
Sat 23 Feb 2008 625 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\126.tmp"
Tue 15 May 2007 251,097 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\2A.tmp"
Tue 22 Jan 2008 110,106 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\2B.tmp"
Sat 17 Nov 2007 229,709 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\2C.tmp"
Sun 13 Jan 2008 250,094 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\2D.tmp"
Wed 20 Feb 2008 562 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\B.tmp"
Sun 24 Feb 2008 106,602 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\INFO.exe"
Wed 4 Aug 2004 73,728 A.SH. --- "C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe"
Thu 27 Sep 2007 0 ...H. --- "C:\Documents and Settings\Arsenio I. Cagulang\Application Data\Microsoft\Word\~WRL0001.tmp"
Sun 13 Jan 2008 236,032 ...H. --- "C:\Documents and Settings\Arsenio I. Cagulang\Application Data\Microsoft\Word\~WRL0514.tmp"
Sun 13 Jan 2008 236,544 ...H. --- "C:\Documents and Settings\Arsenio I. Cagulang\Application Data\Microsoft\Word\~WRL2534.tmp"
Sun 13 Jan 2008 239,104 ...H. --- "C:\Documents and Settings\Arsenio I. Cagulang\Application Data\Microsoft\Word\~WRL3273.tmp"
Wed 5 Dec 2007 4,348 ...H. --- "C:\Documents and Settings\Arsenio I. Cagulang\My Documents\My Music\License Backup\drmv1key.bak"
Wed 5 Dec 2007 20 A..H. --- "C:\Documents and Settings\Arsenio I. Cagulang\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 2 Sep 2007 312 A.SH. --- "C:\Documents and Settings\Arsenio I. Cagulang\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

And here is the MSNCleaner log:

- Logfile MSNCleaner 1.5.5 by www.forospyware.com
- Created Logfile: 2/25/2008 on 3:27:31 AM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 0
Deleted file: 0
Undeleted Files: 0

<<<<<<< No file found >>>>>>>
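The "Files with Hidden Attributes" section of the SDFix report above is the part worth a second look: eight identical 24,102-byte zip.dll copies under random {GUID} folders in C:\WINDOWS\Installer, all dated the day of the infection, one of which SDFix had already removed as a Trojan file. The script below is an added example, not SDFix or MSNCleaner code, that reproduces that listing with PowerShell and adds the two things a triage of it needs: a SHA-256 per file, so identical payloads dropped under several paths group together, and a flag for files sitting in the Windows Installer cache that are not the .msi/.msp/icon files it normally holds. That flag is an assumption marked for review, not a verdict. It assumes Windows PowerShell 4 or later (for Get-FileHash) run from an elevated prompt; the roots and the -Since cutoff are placeholders, and on the machine in this thread -Since would be the infection date, 24 February 2008.

```powershell
# Added example (not SDFix or MSNCleaner code): list hidden files like the SDFix
# report does, hash them, and group identical copies. Assumptions: Windows
# PowerShell 4+, elevated prompt; $Root and $Since are placeholders.
param(
    [string[]]$Root  = @($env:SystemRoot, $env:ProgramFiles),
    [datetime]$Since = [datetime]::MinValue
)

function Format-FileAttribute {
    # Four flag columns, A S H R, with '.' where the flag is clear.
    param([IO.FileAttributes]$Attr)
    $map = [ordered]@{ A = 'Archive'; S = 'System'; H = 'Hidden'; R = 'ReadOnly' }
    $out = ''
    foreach ($letter in $map.Keys) {
        $bit  = [int][IO.FileAttributes]($map[$letter])
        # Bitwise operators bind looser than -ne in PowerShell, hence the parentheses.
        $out += $(if (([int]$Attr -band $bit) -ne 0) { $letter } else { '.' })
    }
    return $out
}

function Get-HiddenFileReport {
    param([string[]]$Root, [datetime]$Since)
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { (([int]$_.Attributes -band [int][IO.FileAttributes]::Hidden) -ne 0) -and
                           ($_.LastWriteTime -ge $Since) } |
            ForEach-Object {
                $hash = 'unreadable'   # locked or access-denied files are still listed
                try { $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch { }
                [pscustomobject]@{
                    LastWrite        = $_.LastWriteTime
                    Size             = $_.Length
                    Attr             = $(Format-FileAttribute $_.Attributes)
                    Sha256           = $hash
                    # Assumption, flagged for review: {GUID} folders under %SystemRoot%\Installer
                    # normally hold cached .msi/.msp and icon files, not a .dll.
                    InInstallerCache = ($_.FullName -match '\\Installer\\\{[0-9a-fA-F-]{36}\}\\')
                    Path             = $_.FullName
                }
            }
    }
}

$report = @(Get-HiddenFileReport -Root $Root -Since $Since)
$report | Sort-Object LastWrite | Format-Table LastWrite, Size, Attr, Path -AutoSize | Out-Host

# Same content under several names or paths is the pattern in the SDFix log.
$report | Where-Object { $_.Sha256 -ne 'unreadable' } |
    Group-Object -Property Sha256 | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ('{0} copies of the same {1}-byte file:' -f $_.Count, $_.Group[0].Size)
        foreach ($p in $_.Group.Path) { Write-Warning "    $p" }
    }

$report | Where-Object { $_.InInstallerCache -and ($_.Path -notmatch '\.(msi|msp|ico|exe)$') } |
    ForEach-Object { Write-Warning ('Unexpected file in the Installer cache: ' + $_.Path) }
```

Hashing everything under the Windows directory is slow; narrowing -Since to the infection date, as in this thread, cuts the list to the files that matter. Unreadable files are kept in the listing rather than silently skipped, because a file that cannot be opened even from an elevated prompt is itself a finding.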

#4 quietman7 (Global Moderator, Bleepin' Janitor, 50,592 posts, Virginia, USA)

Posted 24 February 2008 - 02:49 PM

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start > Run and type: regedit
  • Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export.
    • Make sure in that window there is a tick next to "All" under Export Branch.
    • Leave the "Save as type" as "Registration Files".
    • Under "File name" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File > Exit.
Or you can download and use ERUNT, an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as", All Files, and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run, and reboot when done. Since the script modifies certain registry settings, your anti-virus package may warn you about it. Ignore the warning and allow it to run.
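The script quietman7 links to lifts the Task Manager, Regedit and CMD restrictions by removing the policy values malware sets for them. The PowerShell below is an added example, not the regtmcmdrestore.vbs script from the post: it audits those values (DisableTaskMgr, DisableRegistryTools and DisableCMD, the standard Windows policy names), exports the keys that hold them as .reg files first, which is the backup step the post insists on, and then removes them. It goes one step beyond the post's script by also reporting an Image File Execution Options "Debugger" entry on those three executables, another way malware redirects them. It assumes an elevated Windows PowerShell prompt; -WhatIf previews the removals, and the backup folder name is a placeholder.

```powershell
# Added example (not the regtmcmdrestore.vbs script linked in the post): audit,
# back up and remove the policy values that disable Task Manager, Regedit and CMD.
# Assumptions: elevated Windows PowerShell; $BackupDir is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupDir = (Join-Path $env:SystemDrive 'RegBackup')
)

# Standard Windows policy value names; a non-zero DWORD disables the tool.
# HKCU is where the per-user script in the post works; the Task Manager and
# Regedit values are honoured under HKLM as well, so both hives are checked.
$Restrictions = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';               Name = 'DisableCMD' }
)

function Get-ToolRestriction {
    foreach ($r in $Restrictions) {
        $value = $null
        if (Test-Path -LiteralPath $r.Key) {
            $value = (Get-ItemProperty -LiteralPath $r.Key -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        }
        [pscustomobject]@{ Key = $r.Key; Name = $r.Name; Value = $value; Active = ($null -ne $value -and $value -ne 0) }
    }
}

function Backup-RegistryKey {
    param([string]$PsPath, [string]$Dir)
    $regPath = $PsPath -replace '^HK(CU|LM):\\', 'HK$1\'     # reg.exe syntax, not the PS drive form
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file    = Join-Path $Dir ('{0}-{1}.reg' -f $stamp, ($regPath -replace '[\\:]', '_'))
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; leaving it untouched." }
    return $file
}

$state = Get-ToolRestriction
$state | Format-Table Name, Value, Active, Key -AutoSize | Out-Host

$active = @($state | Where-Object { $_.Active })
if ($active.Count -eq 0) {
    Write-Host 'No Task Manager, Regedit or CMD restriction values are set.'
} else {
    # Backups are wanted even on a -WhatIf run, so New-Item is exempted from it.
    New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null
    foreach ($key in ($active | ForEach-Object { $_.Key } | Sort-Object -Unique)) {
        Write-Host "Backed up $key to $(Backup-RegistryKey -PsPath $key -Dir $BackupDir)"
    }
    foreach ($r in $active) {
        if ($PSCmdlet.ShouldProcess("$($r.Key) : $($r.Name)", 'Remove restriction value')) {
            Remove-ItemProperty -LiteralPath $r.Key -Name $r.Name
        }
    }
}

# Beyond the post's script: an IFEO Debugger value makes Windows launch the named
# "debugger" instead of the tool. Report only; the right fix depends on what it points at.
foreach ($exe in 'taskmgr.exe', 'regedit.exe', 'cmd.exe') {
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$exe"
    $dbg  = (Get-ItemProperty -LiteralPath $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Warning "$exe is redirected through an IFEO Debugger entry: $dbg" }
}
```

Save it as a .ps1 and run it with `powershell -ExecutionPolicy Bypass -File .\Lift-ToolRestrictions.ps1 -WhatIf` first to see what would be removed. Run the audit again after the reboot the post calls for: if the values have come back, whatever set them is still running, and removing the values alone is treating the symptom.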

#5 protocell (Topic Starter, Members, 21 posts)

Posted 25 February 2008 - 06:26 AM

I somehow managed to repair my Task Manager using the method you gave me, quietman7, but it cost me too much CPU usage after it was restored. But still, thanks, because my Task Manager did come back. However, after that I did my own set of solutions.

First I downloaded a trial of Kaspersky Internet Security and tried it for the meantime. It is my means of preventing any additional attacks on my PC. Then I resorted to my second-to-last choice: move all my important files to a new folder I created on my local hard drive, then delete my currently infected account using admin privileges under Safe Mode and create a new account. Since I had installed Kaspersky Internet Security, I let it do a complete scan of the new account. That's when I moved all the files I had put on the local hard drive into the new account. It then cost me more time to reconfigure all of my preferences on the new account.

The hard part in doing my own solution was transferring the permissions from my previously infected account to my new account, because I had to individually set the new owner of the files I moved from my previous account to my new account. And now it is repaired. (Phew! It took me 7 hours to finish it.)

Thanks again quietman7 for replying. :thumbsup:
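The slow part of the rebuild described above, re-owning every moved file by hand, is what icacls does in bulk. The script below is an added example, not something the poster or the thread provides: run by an administrator, /setowner assigns ownership of a whole tree to another account (administrators hold SeRestorePrivilege, which is what allows setting an owner other than yourself), /grant then gives that account full control inherited by everything below, /T recurses, /C continues past files it cannot process and /Q keeps the per-file output down. It saves the existing ACLs first so the change can be undone with icacls /restore. It assumes Windows Vista or later (icacls) and an elevated prompt; the path and account are placeholders.

```powershell
# Added example (not from the post): give a new account ownership and full control
# of a recovered file tree in one pass. Assumptions: Vista or later, elevated prompt;
# $Path and $Account are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Path,      # e.g. C:\Users\NewAccount\Recovered
    [Parameter(Mandatory = $true)][string]$Account    # e.g. "$env:COMPUTERNAME\NewAccount"
)

function Invoke-Icacls {
    # Runs icacls with /T /C /Q appended. Errors are reported, not fatal: /C already
    # skips the entries it cannot process and icacls prints their names and a summary.
    param([string[]]$IcaclsArgs)
    & icacls.exe @IcaclsArgs /T /C /Q
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ('icacls {0} finished with errors (exit {1})' -f $IcaclsArgs[1], $LASTEXITCODE)
    }
}

function Grant-TreeToAccount {
    param([string]$Path, [string]$Account)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }

    # Keep a way back: icacls <dir> /restore <file> reapplies the saved ACLs.
    $aclBackup = Join-Path $env:TEMP ('acl-backup-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Invoke-Icacls @($Path, '/save', $aclBackup)

    Invoke-Icacls @($Path, '/setowner', $Account)

    # (OI)(CI)F: full control, inherited by files (OI) and subfolders (CI).
    Invoke-Icacls @($Path, '/grant', "${Account}:(OI)(CI)F")

    return $aclBackup
}

$saved = Grant-TreeToAccount -Path $Path -Account $Account
$owner = (Get-Acl -LiteralPath $Path).Owner
Write-Host "Owner of $Path is now $owner; previous ACLs saved to $saved"
```

Run it once against the folder the files were parked in before moving them into the new profile, then spot-check a few deep files with `icacls <file>` to confirm the inherited entry arrived. Leaving the old account's orphaned SID entries in place is harmless, but the grant above is what makes the new account usable without per-file clicking.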

#6 quietman7 (Global Moderator, Bleepin' Janitor, 50,592 posts, Virginia, USA)

Posted 25 February 2008 - 08:53 AM

Persistence pays off and that's what counts.

Don't forget to create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state. Then use Disk Cleanup to remove all but the most recently created Restore Point.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".

#7 protocell (Topic Starter, Members, 21 posts)

Posted 26 February 2008 - 07:59 AM

Thanks again for the advice, quietman7, and thanks bleepingcomputer.com.

#8 quietman7 (Global Moderator, Bleepin' Janitor, 50,592 posts, Virginia, USA)

Posted 26 February 2008 - 10:30 AM

You're welcome. :thumbsup: