Task manager got disabled by administrator


11 replies to this topic

#1 Gromaniak85 (Members, 33 posts)

Posted 28 November 2016 - 12:45 PM

So recently I got this problem: when I ran a program (potentially a virus) it began to block me from opening Task Manager and Registry Editor. I don't know if it will do more bad things, so I scanned it with MBAM and it found out that I have a PUP which disables Task Manager and also Registry Editor.
 
I did restart my computer but my problem was still there.
 
Also it made a folder called ddpmgr, and inside there was ddpmgr.exe and it was running; it was on the process list.
 
How did I open the process list?
 
By using procexp, which shows the process list (obviously) and can shut down any process. When I tried to shut down ddpmgr.exe it gave me a bluescreen.
 
I am attaching logs from MBAM and FRST.
 

 
Also, please tell me, do you want the logs to be attached or posted?

Edited by Al1000, 19 December 2016 - 12:01 PM.
logs removed




#2 Gromaniak85 (Topic Starter, Members, 33 posts)

Posted 28 November 2016 - 02:10 PM

Also I did scan it with VirusTotal; the interesting thing is in the last tab, where there is information about it making TCP connections to some IP. I believe I may now be a part of some botnet, or just got ratted.

 

https://virustotal.com/pl/file/15d629c2f00fc23384908a1f4d30b9038bcf5efae849067013c764376f722597/analysis/1480359614/


Edited by Gromaniak85, 28 November 2016 - 02:11 PM.


#3 packetanalyzer (Members, 954 posts)

Posted 30 November 2016 - 11:20 AM

Hello Gromaniak85,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

Thank you for your patience,

packetanalyzer

#4 Gromaniak85 (Topic Starter, Members, 33 posts)

Posted 01 December 2016 - 09:02 AM

Thanks for the reply, packetanalyzer.



#5 packetanalyzer (Members, 954 posts)

Posted 02 December 2016 - 04:38 PM

Hello Gromaniak85, welcome to Bleeping Computer and thank you for posting your FRST log. You can call me packetanalyzer and I will be helping you with removing malware from your computer. Please take a moment to review the following.

Please read my instructions completely and follow them closely.

Please do not run any tools unless and until I ask you to do so.

Please only run the tools I ask you to run.

If you have any questions at any point, please stop and ask me before you try to complete the step.

Please refrain from using your computer for any purpose other than us working together to clean malware from it until I have notified you your computer is clean.

Please be patient as most of us at Bleeping Computer are volunteers and your logs take time to closely analyze. If you do not hear back from me in 48 hours, please feel free to send me a PM.

If I do not hear from you within 3 days after any post, this thread will be closed.
 
Now we are going to get started. Please do the following:
 
++++ Step 1 FRST Fix ++++
  • Press the windows key + r on your keyboard at the same time (this will open Run)
  • Type notepad.exe
  • Press Enter
  • Copy and paste the code below in the open notepad window
  • Save the file as fixlist.txt in the same folder where the Farbar tool is running from (FRST should be on your desktop).
  • Right click FRST64.exe
  • Click Run as administrator
  • Click the Fix button
  • When FRST finishes running, your computer will restart itself
++++ Step 2 Run an online Emsisoft Emergency Kit Scan ++++
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click icon then click Install
  • A Window should open highlighting Start Emergency Kit Scanner
  • Right click on the icon and select Run as administrator
  • Click 1. Update now!
  • Once the update is completed select Settings under Scan
  • Uncheck Join the Emsisoft Anti-Malware Network
  • Click Scan at the top
  • Click On scan completion
  • Click Quarantine detected objects, then click OK
  • Click Malware Scan
  • Once completed click View Report
  • Save the file to your Desktop as EmsisoftScan2-December.txt
++++ Step 3 Share Your Logs ++++
  • Please post the contents of the Fixlog.txt file that was created when you ran the FRST fix in your next reply
  • Please post the contents of the EmsisoftScan2-December.txt file that was created when you ran the Emsisoft scan in your next reply
Thank you,
 
packetanalyzer

Edited by Al1000, 19 December 2016 - 12:03 PM.
script removed


#6 Gromaniak85 (Topic Starter, Members, 33 posts)

Posted 02 December 2016 - 04:57 PM

Thanks for helping, packetanalyzer. My problem is now gone and here is the FRST log.
 

 
I had a problem with the second step, because that tool isn't compatible with Windows XP.

Edited by Al1000, 19 December 2016 - 12:04 PM.
log removed


#7 packetanalyzer (Members, 954 posts)

Posted 04 December 2016 - 03:17 AM

Thank you for the log, Gromaniak85.

 

Malware Infection

 

First and foremost I need to give you an update. Yes Task Manager and Registry Editor were disabled but the bigger problem was you were infected with a Remote Access Trojan (RAT).

Please be aware that this means your computer may be under remote control of an attacker and your banking information including usernames and passwords may have been stolen.

Because your computer was infected with a backdoor trojan please print this post and read the following very carefully.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Even though we have identified the malware on your computer and we can remove it, because it is a backdoor, your PC is very likely compromised and there is no way to be sure your computer can be trusted even after we remove the malware. This type of infection gives a hacker the ability to add additional backdoors, malware, and create new vulnerabilities on your computer. Vulnerabilities may not be detected by anti-virus and if even one is missed the hackers may be able to reacquire access to your PC. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

 

Windows XP

 

The second issue we need to mention is that you are running Windows XP, which is no longer supported. That means your computer is not getting security patches and because of that is more vulnerable to being infected. I would recommend upgrading to a supported Operating System that gets security updates.

 

Malware Removal

 

++++ Step 4 FRST Fix ++++

  • Press the windows key + r on your keyboard at the same time (this will open Run)
  • Type notepad.exe
  • Press Enter
  • Copy and paste the code below in the open notepad window
  • Save the file as fixlist.txt in the same folder where the Farbar tool is running from (FRST should be on your desktop).
  • Right click FRST64.exe
  • Click Run as administrator
  • Click the Fix button
  • When FRST finishes running, your computer will restart itself
C:\Documents and Settings\Dell\Moje dokumenty\RexInJector_1.exe
EmptyTemp:

++++ Step 5 Run MBAM ++++

 

1. Open Malwarebytes Anti-Malware

2. If the databases are out of date, click Update

3. After the databases are current, click Scan (the button on the top not the Scan Now button)

4. Check Scan Memory Objects, Scan Startup and Registry Settings, Scan Archives, and Scan for Rootkits

5. Check drive C:

6. Click Scan Now

7. When the scan has completed, click Quarantine All, then click Apply Actions

8. When you are asked by Malwarebytes Anti-Malware allow your computer to restart

 

++++ Step 6 Share Your Logs ++++

  • Please post the contents of the Fixlog.txt file that was created when you ran the FRST fix in your next reply
  • Please post the contents of C:\Documents and Settings\Dell\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-2016-12-XX in your next reply. XX will be the day of the month you run the scan.

 

Thank you,

 

packetanalyzer



#8 Gromaniak85 (Topic Starter, Members, 33 posts)

Posted 04 December 2016 - 05:12 PM

Okay, so here is the FRST log:
 

 
Here is the MBAM log:
 

 
There wasn't any malware, only some registry PUP or something. I didn't remove it since you wanted to get everything in quarantine; there was no option like that, so I left it.

Edited by Al1000, 19 December 2016 - 12:05 PM.
logs removed


#9 packetanalyzer (Members, 954 posts)

Posted 07 December 2016 - 04:24 PM

That leaves us with our final set of steps. :)

 

++++ Step 7 How to Stay Safe Online and All Clear ++++

 

Thank you Gromaniak85 for following through the steps with me.

 

Summary of Concerns

  • Task Manager Could Not Start
  • Registry Editor Could Not Start 

Summary of Findings

  • FRST revealed registry values were set to disable Task Manager and Registry Editor
  • FRST revealed the existence of a RAT
  • Malwarebytes Anti-Malware confirmed the existence of a RAT

Security Reminder

 

We wish to remind you that even though the RAT was removed, a RAT is a type of backdoor, and there is no way to be sure your computer can be trusted. This type of infection gives a hacker the ability to add additional backdoors, malware, and create new vulnerabilities on your computer. Vulnerabilities may not be detected by anti-virus and if even one is missed the hackers may be able to reacquire access to your PC. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

 

Furthermore, you are using Windows XP which is not supported and does not receive security updates from Microsoft. By continuing to use Windows XP you are putting the security of your computer at risk. Please immediately upgrade to a current Operating System.

 

By doing basic things you can reduce the level of risk to your computer. No one solution or combination of solutions will give you 100% protection from all threats, but by doing the following you greatly decrease the risk to the security of your computer and reduce the attack surface you present to attackers.

 

  • Keep your Operating System Up to Date
  • Keep your Applications Up to Date
  • Use Different Passwords on Every Website
  • Install, Keep Up to Date, and Run Regular Scans of a Reliable Anti-Virus Product
  • Enable, Properly Configure, and Maintain a Firewall
  • Backup Your Data
  • Periodically Test Your Backups
  • Do Not Open Attachments from People You Do Not Know
  • Watch Out for Online and Phone Support Scams

You can find more information on tips to keep your computer safe online here and examples of security best practices here.

 

Thank you for your patience. If you have any other questions for me, please let me know. Otherwise you should be ready to use your computer.

 

packetanalyzer
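The finding above (registry values set to disable Task Manager and Registry Editor) can be audited directly. The following PowerShell is an added example, not part of this thread and not FRST or Malwarebytes output; it assumes the standard Windows policy values DisableTaskMgr and DisableRegistryTools under the Policies\System keys, which the thread itself does not name, and it assumes an elevated Windows PowerShell prompt for the HKLM hive.

```powershell
# Added example: audit and (optionally) clear the policy values that make
# Task Manager and Registry Editor refuse to start. Assumption: these are the
# standard DisableTaskMgr / DisableRegistryTools DWORDs; the thread does not
# name the values FRST found. Clearing them treats the symptom only; the
# process that set them (here, a RAT) still has to be removed separately.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-ToolLockoutStatus {
    # One row per key/value pair; Blocked is true when a non-zero DWORD is set.
    foreach ($key in $policyKeys) {
        foreach ($name in $valueNames) {
            $value = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                if ($props) { $value = $props.$name }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $value
                Blocked = ($null -ne $value -and $value -ne 0)
            }
        }
    }
}

function Repair-ToolLockout {
    # Removes only the values that are actually blocking. On a domain-joined
    # machine these can be legitimate Group Policy settings, so review the
    # audit output first; -WhatIf previews the change without touching the registry.
    param([switch]$WhatIf)
    Get-ToolLockoutStatus | Where-Object { $_.Blocked } | ForEach-Object {
        Write-Output "Removing $($_.Name) from $($_.Key)"
        Remove-ItemProperty -Path $_.Key -Name $_.Name -WhatIf:$WhatIf
    }
}

# Audit first; run Repair-ToolLockout (or Repair-ToolLockout -WhatIf) afterwards.
Get-ToolLockoutStatus | Format-Table -AutoSize
```

If a value reappears shortly after being cleared, something still running is re-applying it, which matches the thread's finding that the lockout was a side effect of the RAT rather than the infection itself.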



#10 Gromaniak85 (Topic Starter, Members, 33 posts)

Posted 08 December 2016 - 08:44 AM

Thanks for the help, packetanalyzer.

 

I did try to install Windows 7, but the installer does not detect the disk; that's why I am going to buy a new one. Again, thanks for the help.



#11 packetanalyzer (Members, 954 posts)

Posted 08 December 2016 - 09:20 AM

You're very welcome. Good luck!



#12 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,203 posts, Romania)

Posted 08 December 2016 - 12:25 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Regards, Elise



Malware analyst @ Emsisoft