My Task Manager, Registry Editor & Safe Mode have been disabled...Help


  • This topic is locked
29 replies to this topic

#1 Tingle07

Tingle07

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:25 AM

Posted 01 December 2009 - 02:22 PM

Sony VAIO PC
Windows XP Home Edition Version 2002
Service Pack 2

I seem to have caught a Virus that has disabled the Task Manager, Registry Editor, Safe Mode & other things. I noticed this problem about 3 weeks ago when I tried opening "Task Manager" to close something down and couldn't open it. I thought it was normal until I used a "System Restore" and the problem still persisted. Also my cousin was on like 5 days ago and caught the "Antivirus System Pro" program which probably caused even more damage. My computer is not slow, still runs at the same speed. I've looked for a solution online everywhere and no luck. I'm sick and tired of this virus and I want to finally get rid of it. The last thing I want to do is Reformat & Reinstall Windows. Please Help.


Here are some of the Symptoms I've found so far:

Task Manager
When I try Ctrl + Alt + Delete it says: "Task Manager has been disabled by your administrator"

Registry Editor
When I try Run > regedit > it says: "Registry editing has been disabled by your administrator"

Show Hidden Files and Folders
I go to Folder Options, select "Show hidden files and folders", click OK. As soon as I close the window & re-open it, it goes back to "Do not show hidden files and folders"

Anti-Virus Sites Won't Load
Any major websites that have to do with anti-virus won't load or open. For example McAfee, Symantec, etc.

System Recovery
I've used the "System Recovery" tool but even after restoring my PC to its factory settings like twice, the virus seems to still be there because the "Task Manager" and "Registry Editor" still won't open.

Safe Mode
I've tried booting my PC into Safe Mode using two methods but no luck with both:

msconfig method
When I try Run > msconfig > OK > BOOT.INI > /SAFEBOOT > OK.
The computer restarts, I try selecting "Safe Mode", then select Windows XP Home Edition, it then triggers a bunch of code, and just reboots the computer into the same "Safe Mode" Screen. No Matter what you select it just reboots to the same screen turning it into a never ending loop.

F5 method
When I try hitting F5 at the beginning of the computer's start up screen, I get the same effect as above. I try selecting "Safe Mode", it reboots the computer and just takes me back to the same screen. Only way to get out is by selecting "Normal Mode".



THINGS I'VE TRIED:

- I've tried Malwarebytes' Anti-Malware. It finds 5 infections, I then remove the selected infections, it reboots the computer. I then re-scan the computer and the same 5 infections are still there.

- I've tried Kaspersky Anti-Virus 2010. I install the program try to open it and nothing happens.

- I've tried to install Avast but I can't. I hit the setup and nothing happens.

- I've tried TuneUp Utilities' in-house registry editor to try and delete "DisableRegistryTools" & "DisableTaskMgr" and they just regenerate seconds later. I've tried changing their value to "0" as well, and it just goes back to "1" as well.

- I've tried SafeBootKeyRepair.exe by sUBs. I run the program, it finishes. I turn off the computer, turn it on again. Try to reboot it into "Safe Mode" by hitting F5. Select "Safe Mode" and this time it successfully goes into "Safe Mode" but it seems like the virus has control in "Safe Mode" as well because none of the malware programs seem to function well. Also, in "Safe Mode", I get a lot of errors like "Explorer.EXE - no disk".

- I've also tried little registry fix tools that fix the "Task Manager" or "Registry Editor" and while it fixes them, it only lasts a few seconds and then they go back to normal.

Edited by Tingle07, 01 December 2009 - 02:30 PM.


#2 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:04:25 AM

Posted 01 December 2009 - 02:34 PM

The first thing I can think of would be to have a look at these instructions.

If after following these instructions you still have the same problems, it may be in your best interest to post the results of your MalwareBytes log and someone will be sure to help you go through it and make sure you're clean or help you finish the cleaning.

Hope this helps,

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 Tingle07


Posted 01 December 2009 - 03:07 PM

Ok so I went to the link you gave me, followed the instructions and the problems still persist. I don't think "Antivirus System Pro" is on my system anymore because I'm pretty sure I removed it with a "System Restore". The problems I have now were happening even before I caught the "Antivirus System Pro" program.


I guess I'll post my MalwareBytes log then. Do I post it here in this same thread or in the logs forum?

#4 techextreme


Posted 01 December 2009 - 03:19 PM

Yes,

Post your log here. I'll do my best to help you.

Techextreme

#5 Tingle07


Posted 01 December 2009 - 03:22 PM

Ok, Here's the log
________________________________________________________________________________

Malwarebytes' Anti-Malware 1.41
Database version: 3268
Windows 5.1.2600 Service Pack 2

12/1/2009 2:58:55 PM
mbam-log-2009-12-01 (14-58-55).txt

Scan type: Quick Scan
Objects scanned: 106709
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 techextreme


Posted 01 December 2009 - 03:31 PM

You're still having the same issues after allowing Malwarebytes to remove/reset these registry settings, correct?

You may want to run a Full System Scan with Malwarebytes. Before running the scan, click on the settings tab and put a check next to:

"Terminate Internet Explorer during Removal"

Before running Malwarebytes, run rkill by Grinler. Immediately after running rkill, run a full scan with Malwarebytes.

Post your logs when complete. You will not receive a log from rkill.

Techextreme

#7 Tingle07


Posted 01 December 2009 - 03:39 PM

Yes, I'm still having the same issues even after Malwarebytes supposedly removes the infected files.


OK, so I'm going to do what you told me next and I'll be right back with the details. BRB

#8 Tingle07


Posted 01 December 2009 - 04:35 PM

OK, so I did what you told me to. I checked "Terminate Internet Explorer during Removal" in the Settings tab. Ran rkill before running a Full System Scan with Malwarebytes. As soon as I started running the scan, I began getting errors like:

atiptaxx.exe - No Disk
"There is no disk in the drive. Please insert a disk into drive /Device/Harddisk1/DR4"

&

mbam.exe - No Disk
"There is no disk in the drive. Please insert a disk into drive A:."

Unfortunately the problems still persist. But here's the log though:
________________________________________________________________________________

Malwarebytes' Anti-Malware 1.41
Database version: 3268
Windows 5.1.2600 Service Pack 2

12/1/2009 4:20:34 PM
mbam-log-2009-12-01 (16-20-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 182582
Time elapsed: 32 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
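
Added example, not part of the original posts: the two Malwarebytes logs above, from scans at 2:58 PM and 4:20 PM, both report the same five registry data items as "Quarantined and deleted successfully", consistent with the poster's report that the values come back after deletion. The Python sketch below (function and variable names are illustrative) parses the detection lines and lists values that a later scan finds bad again after an earlier scan reported removing them.

```python
import re

# Detection lines exactly as they appear in both Malwarebytes logs in this thread.
DETECTIONS = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""
# Shortened copies of the two logs: header lines from the thread plus the detections.
SCAN_1 = "12/1/2009 2:58:55 PM\nScan type: Quick Scan\n" + DETECTIONS
SCAN_2 = "12/1/2009 4:20:34 PM\nScan type: Full Scan (C:\\|D:\\|)\n" + DETECTIONS

# One "Registry Data Items Infected" line: key path, detection name, bad/good data, action.
LINE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+?) \((?P<name>[\w.]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$")


def parse_detections(log_text):
    """Return {full registry value path: detection record} for one log."""
    found = {}
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if match:
            rec = match.groupdict()
            found[rec["hive"] + "\\" + rec["path"]] = rec
    return found


def regenerated(earlier_log, later_log):
    """Values the earlier scan reported as removed that the later scan flags again."""
    earlier = parse_detections(earlier_log)
    later = parse_detections(later_log)
    return sorted(
        key for key, rec in earlier.items()
        if "deleted successfully" in rec["action"]
        and key in later and later[key]["bad"] == rec["bad"])


if __name__ == "__main__":
    for key in regenerated(SCAN_1, SCAN_2):
        print("re-created after removal:", key)
```

A non-empty result means the scanner is resetting values that are written back between scans, so the log lines alone do not show that the cleanup held.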

#9 techextreme


Posted 01 December 2009 - 09:33 PM

OK. Let's try this.

( borrowed from garmanma )

Please download and scan with SUPERAntiSpyware Free
• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
• In the Main Menu, click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  ◦ Close browsers before scanning.
  ◦ Scan for tracking cookies.
  ◦ Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.

First
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
  ◦ Click Preferences, then click the Statistics/Logs tab.
  ◦ Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  ◦ If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  ◦ Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.


Please post the logs when this completes.

Techextreme

#10 Tingle07


Posted 02 December 2009 - 08:57 AM

Before I follow your next instructions, I have a few questions. Because I noticed you have to go into "Safe Mode":

1. On my computer, going into "Safe Mode" is a bit different. F8 brings me to a Blue "Boot" Screen instead and F5 is the one that brings me to the "Safe Mode" Screen, I guess I'll use F5 instead right?


2. And the second thing I wanna add is that the virus has disabled me going into "Safe Mode". When I try going into "Safe Mode" I hit Enter and it just reboots the computer to the same screen into a boot loop. The only way to get out is to select Start Windows Normally. But I've found a little tool online called "SafeBootKeyRepair.exe" by sUBs that is the only way I can get into "Safe Mode" successfully. Could I use that when it gets to the part where I'll have to go into "Safe Mode" instead?

#11 techextreme


Posted 02 December 2009 - 11:26 AM

Yes, use the safebootkeyrepair and get yourself into safe mode.

Then continue with superantispyware.

Techextreme

#12 Tingle07


Posted 02 December 2009 - 11:44 AM

Ok,

I'll be right back.

#13 Tingle07


Posted 02 December 2009 - 12:39 PM

OK, Done.

Here's the log:
__________________________________________________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2009 at 12:32 PM

Application Version : 4.31.1000

Core Rules Database Version : 4327
Trace Rules Database Version: 2182

Scan type : Complete Scan
Total Scan Time : 00:30:17

Memory items scanned : 198
Memory threats detected : 0
Registry items scanned : 4491
Registry threats detected : 0
File items scanned : 12096
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Jesse\Cookies\jesse@2o7[2].txt
C:\Documents and Settings\Jesse\Cookies\jesse@atdmt[2].txt
C:\Documents and Settings\Jesse\Cookies\jesse@ad.wsod[2].txt

Trojan.MailDrop/Gen
C:\DOCUMENTS AND SETTINGS\JESSE\LOCAL SETTINGS\TEMP\WINGIKGP.EXE

Trojan.Agent/Gen
C:\DOCUMENTS AND SETTINGS\JESSE\LOCAL SETTINGS\TEMP\WINUKURYF.EXE

#14 techextreme


Posted 02 December 2009 - 12:59 PM

Just to be safe and sure, would you update SUPERAntiSpyware from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE and run one more complete scan?

Please repost your logs when finished.

Edited by techextreme, 02 December 2009 - 01:01 PM.

Techextreme

#15 Tingle07


Posted 02 December 2009 - 01:04 PM

Following the same instructions from the first time, like in "Safe Mode"?

Also where are the updates on that link you just put up?

Edited by Tingle07, 02 December 2009 - 01:05 PM.




