All Trojans removed, but PC reboots whenever I login



#1
Kanzaman

Kanzaman

    New Member

  • Member
  • Pip
  • 2 posts
Hi All,

I googled when I thought I had a trojan and followed one of your topics here that helped me eliminate 1_32bean32_1.dll.

OK, let's get back to the start, a few days ago.

==
I am the Administrator of my PC, I'm the one who plays with installation, downloads and testing various appz.

Until a few days ago, I would right-click and get the Task Manager. When it disappeared, I tried Ctrl+Alt+Del and it gave me the error popup "Task Manager has been disabled by your administrator."

I tried Start | Run | taskmgr. It gave the same popup error.

I have XP with SP2.
I have AVG Anti-virus.

I executed "Ad-Aware SE Professional", it didn't yield much.

So, I downloaded AVG Anti-Spy 7.5 and installed it. It found some Trojans; I let it delete them and rebooted.
Same problem.

* I've noticed that whenever I reboot, the time is changed to GMT-2 and the date is always changed to 2 days ahead or 2 days behind. I'm in GMT+10.

* I keep losing my Network Connections, although I am connected through a Netgear DG834GT (108 Mbps) and have an ADSL2+ connection that has been working like a whistle.

* I googled and found some good information, but it still didn't work.


I did this; it worked for 5 minutes, then stopped working.
========
1. Click Start, Run, type gpedit.msc and click OK.

2. Select "User Configuration | Administrative Templates | System | Ctrl+Alt+Delete Options | Remove Task Manager".

3. Double-click the Remove Task Manager option from the Group Policy menu.

You can then disable or set the policy to Not Configured. Disabling or setting this policy to Not Configured should solve the problem.

==

I'm currently in safe mode with Network access (using Firefox Safe Mode!!). I'm running both AVG Anti-Spy & Anti-virus.

I have been able to access Task Manager in Safe Mode as Administrator.

I ran Anti-Spy on Memory, Registry, and system files. Now it's doing a Full run.

I did find and delete:
Dropper.Multi.i (High)
Trojan.Small (High)
Backdoor.Tagent.e (High) about 6 occurrences.

=

I executed HijackThis several times, and each time I would compare my findings to the one mentioned above and act upon it.

=

I found the following Trojans (high risk):

Downloader.INService.ja
Trojan.Small
Trojan.Disabler.c

=

Using HijackThis again, I found this runs on start and disabled it (NvCplDaemon).

=

While in safe mode, using HijackThis I found it was calling some ZoneLabs files, although I uninstalled ZoneAlarm over 3 years ago. I disabled the calling.

=

1. I managed to disable Windows XP System Restore.
- I deleted all the files inside "System Volume Information" for each disk or disk partition I have.

2. I ran Anti-Spy in Safe Mode and it did find the "Trojan.Disable.c" & had it deleted.
- It was pointing to an "a.reg" file, which, when I read it as text, showed the time and date reset to GMT.
- I was not able to keep the file in any name or form, as the trojan found it and reactivated it when I rebooted.
- I did save it as text on a Gmail account I have, hoping it will help me analyse it later.

3. When I booted the PC, there were no changes in the time or date, i.e. it remained on Aus time.

BUT, it rebooted in about 1 minute.

Whenever I try to access the PC on my account, it shuts off in approx. a minute.

I believe there is something running that checks, doesn't find the said file and shuts off.

4. The Task Manager is still disabled on my account.
==


Will anybody be able to analyse this for errors? This is from the Windows log file for errors and crashes...
==
Misc =========== Logging initialized (build: 5.8.0.2469, tz: +1100) ===========
Misc = Process: C:\WINDOWS\Explorer.EXE
Misc = Module: C:\WINDOWS\system32\wuaueng.dll
Shutdwn Install at shutdown: no updates to install
Misc =========== Logging initialized (build: 5.8.0.2469, tz: +1100) ===========
Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
Misc = Module: C:\WINDOWS\system32\wuaueng.dll
Shutdwn FATAL: WUAutoUpdateAtShutdown failed, hr=8024000C
Misc =========== Logging initialized (build: 5.8.0.2469, tz: +1100) ===========
Misc = Process: C:\WINDOWS\System32\svchost.exe
Misc = Module: C:\WINDOWS\system32\wuaueng.dll
Service *************
Service ** START ** Service: Service startup
Service *********
Agent * WU client version 5.8.0.2469
Agent * SusClientId = '91abaa01-d784-4d67-8c5f-6f6ea9615796'
Agent * Base directory: C:\WINDOWS\SoftwareDistribution
Agent * Access type: No proxy
Agent * Network state: Connected
Agent *********** Agent: Initializing Windows Update Agent ***********
Agent *********** Agent: Initializing global settings cache ***********
Agent * WSUS server: <NULL>
Agent * WSUS status server: <NULL>
Agent * Target group: (Unassigned Computers)
Agent * Windows Update access disabled: No
DnldMgr Download manager restoring 0 downloads
Agent * Failed to load persisted download calls, error = 0x80070002
Agent WARNING: DeleteVolatileServices::GetServiceList failed with 0x80070002.
DnldMgr FATAL: DM:CAgentDownloadManager::RestoreDownloadJobs: GetSession failed with 0x80070002.
DnldMgr FATAL: DM:CAgentDownloadManager::DelayedInit: RestoreDownloadJobs failed with 0x00000000.
AU ########### AU: Initializing Automatic Updates ###########
AU AU setting next detection timeout to 2007-01-15 07:40:44
AU # Approval type: Scheduled (User preference)
AU # Scheduled install day/time: Every day at 3:00
AU # Auto-install minor updates: Yes (User preference)
AU FATAL: Failed to get session from datastore, error = 0x80070002
AU FATAL: Failed to Unserialize from data store, error = 0x80070002
AU # WARNING: Exit code = 0x80070002
AU WARNING: InitAUComponents Failed, will restart AU in 30 mins, error = 0x80070002
AU AU Restart required....
DnldMgr FATAL: DM:CAgentDownloadManager::CheckAllCallDownloadStates: GetSession failed with 0x80070002.
AU ########### AU: Initializing Automatic Updates ###########
AU AU setting next detection timeout to 2007-01-15 07:41:41
AU # Approval type: Scheduled (User preference)
AU # Scheduled install day/time: Every day at 3:00
AU # Auto-install minor updates: Yes (User preference)
AU FATAL: Failed to get session from datastore, error = 0x80070002
AU FATAL: Failed to Unserialize from data store, error = 0x80070002
AU # WARNING: Exit code = 0x80070002
AU WARNING: InitAUComponents Failed, will restart AU in 30 mins, error = 0x80070002
AU AU Restart required....
Misc =========== Logging initialized (build: 5.8.0.2469, tz: +1100) ===========
Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
Misc = Module: C:\WINDOWS\system32\wuaueng.dll
Shutdwn FATAL: WUAutoUpdateAtShutdown failed, hr=8024A000
Service *********
Service ** END ** Service: Service exit [Exit code = 0x240001]
Service *************

=====


I ran The Avenger as told here.

Then I ran SmitfraudFix

Then while in safe mode I ran HijackThis.

1_32bean32_1.dll is gone, but I had this:

O23 - Service: IYJAZDZE - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IYJAZDZE.exe (file missing)

Earlier in the day, when I had run HijackThis, this thread was present as:

O23 - Service: IYJAZDZE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IYJAZDZE.exe

I accessed the registry with Registrar Lite, searched for and deleted all occurrences of IYJAZDZE.exe.
==

I don't want to disable reboot unless I have to. I'm sure there should be a way that will enable me to login to my account without the PC shutting off and rebooting.

I do have more than one HijackThis log; I had them saved and dated to help analyse the process I went through.
I am still on safe mode with Network access. I have Spybot SD, AVG Anti-Spyware, as well as Anti-virus running.

Best Regards and Thank you for your time,

Kanzaman
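The log quoted in this post is the Windows Update agent's own log (wuaueng.dll). As an added example, not from the original post and not a Microsoft tool, the script below pulls the HRESULT codes out of such lines and decodes them by facility, so the FATAL entries can be read without a lookup: the 0x80070002 entries are Win32 ERROR_FILE_NOT_FOUND raised against the agent's datastore, and the two shutdown codes are Windows Update facility codes. The code tables are a small hand-picked subset, not a complete list.

```python
import re
from collections import Counter

# HRESULT layout: bit 31 = failure, bits 16-26 = facility, bits 0-15 = code.
FACILITY_WIN32 = 7             # low 16 bits carry a Win32 error number
FACILITY_WINDOWSUPDATE = 0x24  # 0x8024xxxx codes raised by the update agent

# Deliberately small tables (assumption: only the codes this thread needs).
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}
WU_ERRORS = {0x8024000C: "WU_E_NOOP", 0x8024A000: "WU_E_AU_NOSERVICE"}

# Matches both spellings the log uses: "hr=8024000C" and "0x80070002".
HEX_RE = re.compile(r"(?:hr=|0x)([0-9A-Fa-f]{8})")

def decode_hresult(code: int) -> str:
    """Translate one HRESULT into a name a responder can act on."""
    if not code & 0x80000000:
        return "S_OK" if code == 0 else f"success 0x{code:08X}"
    facility = (code >> 16) & 0x7FF
    if facility == FACILITY_WIN32:
        low = code & 0xFFFF
        return f"{WIN32_ERRORS.get(low, 'Win32 error')} ({low})"
    if facility == FACILITY_WINDOWSUPDATE:
        return WU_ERRORS.get(code, f"Windows Update error 0x{code:08X}")
    return f"HRESULT 0x{code:08X} (facility {facility})"

def summarize_fatals(log_text: str):
    """Return (component, raw code, decoded meaning) for every FATAL line."""
    out = []
    for line in log_text.splitlines():
        if "FATAL" not in line:
            continue
        component = line.split()[0]  # first token is the logging component
        for hexcode in HEX_RE.findall(line):
            out.append((component, hexcode.upper(), decode_hresult(int(hexcode, 16))))
    return out

def count_codes(log_text: str) -> Counter:
    """How often each decoded error appears among the FATAL lines."""
    return Counter(decoded for _, _, decoded in summarize_fatals(log_text))

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
Shutdwn FATAL: WUAutoUpdateAtShutdown failed, hr=8024000C
Agent * Failed to load persisted download calls, error = 0x80070002
DnldMgr FATAL: DM:CAgentDownloadManager::RestoreDownloadJobs: GetSession failed with 0x80070002.
AU FATAL: Failed to get session from datastore, error = 0x80070002
AU FATAL: Failed to Unserialize from data store, error = 0x80070002
Shutdwn FATAL: WUAutoUpdateAtShutdown failed, hr=8024A000
"""

if __name__ == "__main__":
    for component, raw, meaning in summarize_fatals(SAMPLE_LOG):
        print(f"{component:8} {raw}  {meaning}")
    print(dict(count_codes(SAMPLE_LOG)))
```

Every FATAL in the sample decodes to a missing-file or update-agent condition, which points at the update agent's own datastore under C:\WINDOWS\SoftwareDistribution rather than at whatever is forcing the reboot at login.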
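The two O23 lines in the post show the same service first with a vendor string and later as an orphaned entry with its image gone. As an added example, not from the original post and not part of HijackThis, this helper parses O23 service lines and lists the traits a responder checks before deciding whether to act on such an entry: image gone, image under a user Temp directory, no vendor string, and a random-looking name (the last is a weak signal and is labelled as such).

```python
import re
from typing import Optional

# HijackThis O23 lines name a service, its vendor string and the image path.
# Both forms seen in the thread are handled:
#   O23 - Service: NAME - OWNER - C:\path\image.exe
#   O23 - Service: NAME - OWNER - C:\path\image.exe (file missing)
# The owner may itself contain " - " (e.g. "Sysinternals - www.sysinternals.com"),
# so the path is anchored on a drive letter to disambiguate.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

def parse_o23(line: str) -> Optional[dict]:
    """Return the fields of one O23 line, or None if it is not an O23 line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m["name"],
        "owner": m["owner"],
        "path": m["path"],
        "missing": m["missing"] is not None,
    }

def triage_o23(line: str) -> list:
    """Heuristic findings for one O23 line (empty list = nothing unusual)."""
    entry = parse_o23(line)
    if entry is None:
        return []
    findings = []
    path_lower = entry["path"].lower()
    if entry["missing"]:
        findings.append("orphaned: service still registered but its image is gone")
    if "\\temp\\" in path_lower or "\\locals~1\\" in path_lower:
        findings.append("image lives under a user Temp directory")
    if entry["owner"].lower() == "unknown owner":
        findings.append("no vendor string on the image")
    if re.fullmatch(r"[A-Z]{8}", entry["name"]):
        findings.append("8-letter all-caps name (random-looking; weak signal)")
    return findings

# Constructed sample: the two lines quoted in the post above.
SAMPLE = [
    "O23 - Service: IYJAZDZE - Unknown owner - C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\IYJAZDZE.exe (file missing)",
    "O23 - Service: IYJAZDZE - Sysinternals - www.sysinternals.com - C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\IYJAZDZE.exe",
]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(sample)
        for finding in triage_o23(sample):
            print("   !", finding)
```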



#2
Kanzaman

I fixed it and not thanks to you.

All I needed was some guidance, as I had already done all the hard work. But then I asked my team at PuZo and they gave the right answer.