Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't Access Task Manager, regedit.exe and Safe Mode.

Started by Obscur , Dec 24 2008 06:15 AM

  • Please log in to reply

#1
Obscur
Posted 24 December 2008 - 06:15 AM

Obscur

    New Member

  • Member
  • Pip
  • 5 posts
hello,
i can't access Task Manager, regedit.exe and Safe Mode along with that i change the file hidden attributes. No antivirus programs run either and my firewall didn't autostart since i think the pc got infected.
Besides that i found a file in every disk drive named "g2pfnid.com", renamed it to something else to disable it. I tried to "fix" the keys by HJT but its all the same on next boot and now HJK won't even start, the error is "Only part of a ReadProcessMemory or WriteProcessMemory request was completed", MBAM did no good either, the task manager still remains blocked. Thanks for all you time and help looking into this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:51 PM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57, on 2008-12-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\Opera\opera.exe
C:\DOCUME~1\ADMINI~1.000\LOCALS~1\Temp\aljjww.exe
C:\DOCUME~1\ADMINI~1.000\LOCALS~1\Temp\winbokb.exe
C:\DOCUME~1\ADMINI~1.000\LOCALS~1\Temp\winpfku.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative....101/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15106/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{287F7905-70FB-4FF8-8DF7-A72E8941FB8D}: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E2F0E8-E4DB-4ADC-9BD9-946CBA87A143}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{287F7905-70FB-4FF8-8DF7-A72E8941FB8D}: NameServer = 208.67.220.220 208.67.222.222

--
End of file - 2910 bytes




Malwarebytes' Anti-Malware 1.31
Database version: 1539
Windows 5.1.2600 Service Pack 2

2008-12-24 17:36:28
mbam-log-2008-12-24 (17-36-28).txt

Scan type: Quick Scan
Objects scanned: 57894
Time elapsed: 2 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Obscur, 24 December 2008 - 06:29 AM.

  • 0

Advertisements

#2
kahdah
Posted 24 December 2008 - 07:10 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Obscur

Welcome to G2Go. :)
=====================

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • 0

#3
Obscur
Posted 28 December 2008 - 01:41 PM

Obscur

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
thanks for the reply, i attached both the files
Attached File  log.txt   14.5KB   508 downloads Attached File  info.txt   6.36KB   327 downloads
  • 0

#4
kahdah
Posted 28 December 2008 - 01:51 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

=======================================
  • 0

#5
Obscur
Posted 28 December 2008 - 03:17 PM

Obscur

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
thanks for the immediate reply, the task manager was back for a second i.e when combofix was preparing the report and then it all came back to nothing, everything is the same. Here is the comofix log.

Attached File  ComboFix.txt   10KB   493 downloads
  • 0

#6
kahdah
Posted 28 December 2008 - 04:37 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
abp470n5
fcvjofnms
rhgml

File::
c:\windows\system32\drivers\hmomsn.sys

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-

SysRst::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#7
Obscur
Posted 29 December 2008 - 01:56 PM

Obscur

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Attached File  ComboFix.txt   9.53KB   292 downloads
Attached File  hjt.txt   3.07KB   295 downloads

thanks again.

Edited by Obscur, 29 December 2008 - 02:07 PM.

  • 0

#8
kahdah
Posted 29 December 2008 - 08:11 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post that log in your next reply.

(Note if you cannot open the log it produces then right click on it and choose rename.
Rename it to .txt and you will be able to open it)
  • 0

#9
Obscur
Posted 30 December 2008 - 06:38 PM

Obscur

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
just finished with the scan and everything looks fine so far, can't thank you enough mate, cheers. Heres' the report

Attached File  Drweb.txt   9.33KB   990 downloads
  • 0

#10
kahdah
Posted 30 December 2008 - 07:13 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hmm you are infected with Sality or at least you were.
Dr.Web cured those files returning them back to their original state.

I would like for you to run a removal tool for that virus as it is a file infector and can be cleaned if the system isn't that badly infected.
Please follow the instructions on this page and run the removal tool. http://free.avg.com/...moval.ndi-67769
If you get an option to save the log please do so and post it here.
If not then let me know how it turns out ( if it says it cleans anything or not).

You are welcome :)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP