Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

(Help) I Dont Know if Virus Or Malware...Disabled registry,taskman


  • Please log in to reply
7 replies to this topic

#1 rundll32

rundll32

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:40 AM

Posted 24 November 2009 - 05:44 AM

I need Your Help... i have the result of malwarebytes i am using sp3, my sp3 is freshly installed then when i installing norton 360 v1 it stop processing my registry entry and taskmanager is disable my firewall to when i turn it on it back to off...sorry for my bad english the result of malwarebytes.

Malwarebytes' Anti-Malware 1.41
Database version: 3051
Windows 5.1.2600 Service Pack 3

10/29/2009 7:10:56 PM
mbam-log-2009-10-29 (19-10-56).txt

Scan type: Quick Scan
Objects scanned: 90785
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\mbagog.exe (Trojan.Downloader) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\mbagog.exe (Trojan.Downloader) -> Delete on reboot.

BC AdBot (Login to Remove)

 


#2 rundll32

rundll32
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:40 AM

Posted 25 November 2009 - 09:22 PM

i try format again but when i attempt to install anything the problem is occur my taskmanager and registry entry disabled the appearing error "taskmanager has been disabled by your administrator"registry editing has been disabled by your administrator"

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,566 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:40 AM

Posted 25 November 2009 - 11:25 PM

Hello and welcome.


This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File Exit.

Or you can download and use ERUNTwhich is an excellent free tool that allows you to to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 rundll32

rundll32
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:40 AM

Posted 27 November 2009 - 04:07 AM

Thanks for HElping me But there was a problem an error message appear i will upload it but i choose to continue then after restarting, when i scan again the malware or virus is there again (T_T)

http://s894.photobucket.com/albums/ac147/j...ent=problem.jpg

Malwarebytes' Anti-Malware 1.41
Database version: 3241
Windows 5.1.2600 Service Pack 3

11/27/2009 4:59:59 PM
mbam-log-2009-11-27 (16-59-59).txt

Scan type: Quick Scan
Objects scanned: 98385
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\windhyjnc.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\windhyjnc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Edited by rundll32, 27 November 2009 - 04:35 AM.


#5 rundll32

rundll32
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:40 AM

Posted 27 November 2009 - 04:34 AM

This is my second attempt of scanning and i have no any anti-virus because the virus or malware stop it when im installing any anti-virus

Malwarebytes' Anti-Malware 1.41
Database version: 3241
Windows 5.1.2600 Service Pack 3

11/27/2009 5:28:13 PM
mbam-log-2009-11-27 (17-28-13).txt

Scan type: Quick Scan
Objects scanned: 98294
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\yrxit.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\yrxit.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\winkdrrww.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,566 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:40 AM

Posted 27 November 2009 - 03:36 PM

Hi please run this first. It should kill what is blocking you. Then run MBAM again and try your Antivirus now.
RKill....

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 rundll32

rundll32
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:40 AM

Posted 29 November 2009 - 07:53 AM

I Run the rkill A black DOS box is briefly flash and then disappear then i run the MBAM and check the update after that i scan but the error appears again i think some process in scanning skip my MBAM is not a full version is that okey?

Edited by rundll32, 29 November 2009 - 08:37 AM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,566 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:40 AM

Posted 29 November 2009 - 03:46 PM

This is starting to look like a new variant we are seeing. Try DrWeb-CureIt next. Only if this fails run HJT next,


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

f thar failed You need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users