TechSpot

I cannot open my task manager

By pmhalloran
Apr 9, 2008
  1. I have an error stating possible spyware infection that pops up. I ran hijackthis and have a log file attached. Please let me know what to do. Need to fix. Not sure what I clicked on.Don't do much surfing at work!
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You have the same virus as 3/4 of the threads in last week

    We seem to have gotten a pretty good method going for removing it.

    Just make sure to follow all steps in order.

    Does your Norton product include a firewall?

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  3. pmhalloran

    pmhalloran TS Rookie Topic Starter

    not sure

    I'm not sure if there is a firewall. In addition i installed ad-aware and ran that. Seemed to do something. Should I still proceed with your full instrutions?
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Yes you should, then attach the logs back into this thread, from there I can give further instructions once I see what is on the logs
     
  5. pmhalloran

    pmhalloran TS Rookie Topic Starter

    log for malware

    Malwarebytes' Anti-Malware 1.11
    Database version: 604

    Scan type: Full Scan (C:\|)
    Objects scanned: 108826
    Time elapsed: 22 minute(s), 13 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 4
    Registry Keys Infected: 28
    Registry Values Infected: 5
    Registry Data Items Infected: 1
    Folders Infected: 4
    Files Infected: 34

    Memory Processes Infected:
    C:\WINDOWS\system32\lenyfani.exe (Trojan.FakeAlert) -> Unloaded process successfully.
    C:\Documents and Settings\All Users\Application Data\tsfgtmtc\lonmvwly.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\opnnMffD.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\Resources\ChkRom.dll (Trojan.Clicker) -> Unloaded module successfully.
    C:\WINDOWS\temlxopqmlf.dll (Trojan.FakeAlert) -> Unloaded module successfully.
    C:\WINDOWS\qdnkewfa.dll (Trojan.FakeAlert) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{397e0ef6-58e8-4dfb-8167-a21eb22a1cdc} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{397e0ef6-58e8-4dfb-8167-a21eb22a1cdc} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3b144680-469b-4e96-bd3c-258c04f726e7} (Trojan.Clicker) -> Delete on reboot.
    HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3808c05f-cfb0-4c9b-858d-851cc3ebb3bc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3808c05f-cfb0-4c9b-858d-851cc3ebb3bc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1ffb714f-d38c-4f16-8b0e-341af41cef1f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vnbptxlf.bnqf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vnbptxlf.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\MSVPS.MSVPSApp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gcdjdrhv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vNbXFulpmh (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ChkRom (Trojan.Clicker) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qdnkewfa (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnnmffd -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
    C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\opnnMffD.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\DffMnnpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\DffMnnpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lenyfani.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\tsfgtmtc\lonmvwly.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Local Settings\Temp\EXPLOR~1.EXE.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
    C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
    C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
    C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\Resources\ChkRom.dll (Trojan.Clicker) -> Delete on reboot.
    C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\temlxopqmlf.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\qdnkewfa.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\apoxqwfv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\receptionist\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
     
  6. pmhalloran

    pmhalloran TS Rookie Topic Starter

    in addition my symantic anti virus is going crazy. i had to restart b/c my computer locked up when DL combofix. will try again now. but its end of work day. crap!
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You need to disable your real time protection with Norton, but not the firewall.

    Then proceed with Combofix instructions. To uninstall and and start over:

    Go to start -> Run -> type combofix /u then restart with the above instructions
     
  8. pmhalloran

    pmhalloran TS Rookie Topic Starter

    still need some help maybe

    here is my combofix log. i cannot disable auto protect.

    .
     
  9. pmhalloran

    pmhalloran TS Rookie Topic Starter

    the good news

    is i can open my task manager now.
     
  10. kritius

    kritius TS Guru Posts: 2,084

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\vnbptxlf.dll
      
      Folder::
      C:\Documents and Settings\All Users\Application Data\tsfgtmtc
      
      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{49D8D988-6D77-4E24-8A27-914FBCCC782F}"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{49D8D988-6D77-4E24-8A27-914FBCCC782F}"=-
      [HKEY_CLASSES_ROOT\clsid\{49d8d988-6d77-4e24-8a27-914fbccc782f}]
      [HKEY_CLASSES_ROOT\vnbptxlf.1]
      [HKEY_CLASSES_ROOT\TypeLib\{92BB994E-B563-4281-BBC0-29A3D32BE7C0}]
      [HKEY_CLASSES_ROOT\vnbptxlf]
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Attach the log in your next reply along with a fresh HijackThis log.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...