Task manager and other admin stuff blocked, and occasional web site re-direction

By watty
Oct 26, 2009
  1. hello all,

    I'm new to this, and don't really know what I'm doing, but I am desperate to fix this thing.

    A little over a month ago I got a virus called Windows Protection Suite. I surfed around a bit and found Malwarebytes Anti-Malware was recommended and that fixed most of the big problems with that virus. I was using NOD32 at the time, that expired and I'm now on AVG Free 9.0.

    Last few days I've tried several programs to fix this and came across your 8 step

    I still have two really problematic symptoms:
    1) Certain administrator functions that would seem to be helpful in the removal of this thing are blocked. I don't get a message or anything, I just try to start Task Manager and it doesn't happen. It seems like it tries to start and gets killed. Other admin problems that I know of include being blocked from editing the hosts list and blocked from initializing Spyware Doctor (although other programs haven't posed this problem). I was also blocked from updating the SuperAntiSpyware database, I don't know if that is related. I can change date/time, so I am still the administrator...

    2) There's some redirecting when I try to go to sites via Google search results. Most are fine, and it seems random which sites get hijacked, but AVG knows and doesn't give a green check to those listings. Redirection goes to the Gala search engine and other bogus shopping directory type search lists.

    I am attaching the HijackThis log, the SuperAntiSpyware scan log and the most recent Malwarebytes log. The HijackThis log clearly has some issues I need help with. The others are only finding cookies at this point.

    And thanks in advance for your time!

    PS I put on the COMODO firewall as part of step one and so far it is really annoying with permissions and seems to have really slowed things. Is there a better option?
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes I see you have tried a few tools, all of the following are installed:

    COMODO Internet Security
    IObit Security 360
    Spyware Doctor

    Your HJT log shows redirects in your Hosts file (O1 entries - all of them)
    But any of the above programs could be stopping any change to your Hosts file

    I would suggest that you run an HJT scan only and place a tick against every O1 entry, then select Fix
    Then Restart and start uninstalling the above programs
    Note: does your "COMODO Internet Security" also come with Antivirus scanning? If so then you need to uninstall AVG and then run the >> Remover Tool

    I think it's just one of your installed programs stopping these changes
    I also note that Malwarebytes was not updated. After removing the above not-required programs (the ones you don't want anymore), you can then update Malwarebytes and run a Quick scan only, removing any found Malwares at the end of the scan

    Then restart, and post another HJT log (ie hopefully it's cleaner ;))
  3. watty

    watty TS Rookie Topic Starter

    Thanks for quick reply kimsland,

    Well, I got rid of everything that was extra....there shouldn't be any Symantec, that was uninstalled years ago. What's left is what was recommended on this site, except I kept the AVG as anti-virus because the COMODO is only the firewall.

    I rebooted and I ran CCleaner again after all the removals.

    I did get SuperAntiSpyware to update, and ran a full scan and it found absolutely nothing.

    I can't update Malwarebytes, I get an error code 732 (0, 0)

    And HijackThis can't fix the hosts problem because that's part of the administrator rights that I'm locked out of...a big part of my infection problem.

    So I reran the scan, and am attaching the most recent log...but I don't think there is too much difference. Still have all the same problems.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Restart your computer to Safe Mode with Networking
    By pressing F8 key, before Windows starts loading, then selecting Safe Mode with Networking
    Download Combofix from HERE
    Run it, accepting any prompts along the way
    Combofix will scan your system for some known Malwares and then remove them for you

    Restart back to Normal mode (Combofix may have done this automatically for you)
    Then locate and run Combofix again
    Save the logfile to be attached to a new reply

    You can also download the manual update file for Malwarebytes HERE
    Download; Run it; then open Malwarebytes and run a quick scan
    Remove all found Malwares at the end of the scan

    Uninstall SuperAntispyware from Add/Remove Programs in Control Panel

    Run CCleaner once more
    Then, still in CCleaner, click on the "Registry" button, and scan/fix all issues (you may need to run this a few times until all issues are fixed - no backup required)

    Download and run Startup Control Panel
    Unzip and run
    Click on each Tab, and deselect any known startups that you don't want starting with Windows
    I've mentioned this one only because you have quite a few automatic startups; I presently have one.


    Run another HJT scan and logfile and attach it to a new reply
    I'm hoping things may seem a bit better after this as well (but not finalized yet ;))
  5. watty

    watty TS Rookie Topic Starter

    Finally! Some evidence of healing! Task Manager is back in business anyways
    Thank you!

    I'm not sure if that means all my administrator privileges are back, I'm not sure how to test that. Perhaps we'll find out as we try to fix the host file!

    So, still have the Google results redirect problem. Ran HJT again and attached the log below. Doesn't look any cleaner to me! Hope it does to you. When HJT runs the scan it suggests that it may not be able to fix the hosts problem and then it suggests deleting the hosts file...don't know what that means...

    Thanks again,
    I hope we're almost there!
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please disable the AVG Watchdog service by clicking Start > Run > Services.msc > OK
    Locate: "AVG Free9 Watchdog" service > Double click on it:
    > "Stop" it
    > Change "Automatic" to "Disable"
    > Apply
    > Ok
    Close Services Window

    Open "COMODO Internet Security" and disable the protection in there as well
    Note: You may be able to right click on the tray icon to do this.

    Right click on AVG icon and select Disable (or close or exit - basically I don't use or like AVG, so a little unsure)

    Run Combofix again
    Save the log file to be included in your next reply


    Download this > Hosts file
    Unzip it
    Run "mvps.bat"
    Click on Start > Run > Services.msc > OK
    Locate: "AVG Free9 Watchdog" service > Double click on it:
    > Change "Disable" to "Automatic"
    > "Start" it
    > Apply
    > Ok

    Still in Services Window:
    Locate: "DNS Client" service > Double click on it:
    > Change "Automatic" to "Manual"
    > Apply
    > Ok
    Close Services Window

    Run a HJT Scan only
    Place a tick next to the following entries and select Fix:
    Restart again

    Run a HJT scan and log file
    Attach this log file and the Combofix log to a new reply
  7. watty

    watty TS Rookie Topic Starter

    OK...I'm a little freaked out at the moment, cause Internet Explorer is suddenly getting stalled on opening, considers that the last session ended unexpectedly...although I closed it normally...and then goes 'not responding', needs to be stopped...did I screw something up?

    Anyways, following your info, here we are..looks to me like there is still a hosts issue and still a redirect problem in Google.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Are you running "Systems Management Server"?

    Within the last 30 days a file was installed: c:\windows\_MSRSTRT.EXE that states you are.
    Here's another: c:\windows\system32\deploytk.dll

    You have: c:\program files\BitComet installed
    This is a P2P file sharing program, that needs to be fully uninstalled

    You have Windows Media Player streaming videos installed
    You need to install this security update to stop remote code execution:

    You have WiseCustomCalla1. in Windows, which looks to be Malware that should have been picked up by Malwarebytes or your Antivirus


    I tell you what, do this:

    Go to Add/Remove Programs, and uninstall:

    Systems Management Server (you may need to search through the installed list for this)
    BitComet (obviously ;))
    AVG9 (you can re-install it later if you like, although it hasn't protected you here)

    Then before restarting run the AVG Remover:


    Download and run Avira free Antivirus:
    Update it and run a full scan
    Provide this log file (of Avira) in a new reply
  9. watty

    watty TS Rookie Topic Starter

    I looked everywhere I could to uninstall this SMS thing, it's not in the list, unless it goes by another name. I certainly didn't intentionally install it. A quick Google search suggests that some virus is using this name as an alias...? Does that make sense?

    I did uninstall BitComet as part of my 8 steps before posting, I swear :confused:
    I guess it left some files behind, can I just delete those program files?

    I don't seem to know how to get the actual update for Media Player from that. Do I need to be installing the Microsoft Updater program it refers to? Doesn't Microsoft already automatically install its updates?

    Anyways, I did my best to remove AVG. To be fair it was NOD32 that let me down initially here...I just switched it for AVG last week because it was recommended and I liked the way it checks search engine results for safe passage.

    Now...I got Avira...but I can't update it either! I'm banging my head against the table as we speak. I'm attaching both the Avira scan log and the failed update log in case there's anything there you can see.

    Thanks again for your time...I can't believe what a mess I've made of this.
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    The issue is (as you know) the hosts file entries
    And what's stopping them from being cleaned

    Programs that can stop this are:
    Your Comodo Internet Security
    Windows Defender
    Spybot S&D
    Other live protection software (not Avira though)

    What I'd like you to do is uninstall any/all of these programs in Add/Remove Programs (note: we have already tried disabling - it didn't work!)

    Uninstall Comodo and any others
    Then run HJT scan only
    Tick every "O1" entry, and select Fix

    Run HJT Scan only, and they should be removed (I expect)
    If so, then update Avira (note the first update is slow and big - just like all other programs that update for the first time)

    Please try that
  11. kritius

    kritius TS Guru Posts: 2,084

    Hi Kimsland,

    Sorry to butt in.

    The problem is not the resident protection, the hosts file is completely corrupt.

    Best bet would be to completely remove it, reboot and then install the new one.

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Begin copying here:
    Files to delete:

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of The Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\
    5. Please copy/paste the content of c:\avenger.txt into your reply

    Post a new HijackThis log after.
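As an added defender-side illustration (not code from the thread or from any of the tools mentioned): a small Python checker that parses a Windows hosts file and separates harmless MVPS-style blocking lines (loopback or 0.0.0.0 targets) from the kind of remapping behind the symptoms here, where security-vendor update hosts and search engines are pointed at a remote address. The sample hosts text and the watched-domain list are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file for this example (not a log from the thread). It mixes the
# default localhost line, MVPS-style blocking lines, and hijack lines that point
# security-vendor and search hosts at a remote address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test      # MVPS-style block, harmless
127.0.0.1       banner.example-ads.test
203.0.113.7     update.avira.com              # vendor update host -> remote IP
203.0.113.7     www.malwarebytes.org downloads.superantispyware.com
198.51.100.9    www.google.com
198.51.100.9    www.example-shop.test
"""

# Domains whose remapping normally means update/search blocking rather than ad blocking.
# Assumed list for the example; extend it with the vendors you actually rely on.
WATCHED_SUFFIXES = ("avira.com", "malwarebytes.org", "superantispyware.com",
                    "google.com", "microsoft.com", "windowsupdate.com")

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop trailing comment, then tokenize
        if len(fields) < 2:
            continue
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs

def classify(ip: str, host: str) -> str:
    """One of: default, blocklist, hijack, redirect, malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:   # 127.x.x.x / ::1 / 0.0.0.0
        return "default" if host == "localhost" else "blocklist"
    watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
    return "hijack" if watched else "redirect"

def find_hijacks(text: str) -> List[Tuple[str, str]]:
    """(host, ip) pairs where a watched vendor/search host is sent to a remote address."""
    return [(h, ip) for ip, h in parse_hosts(text) if classify(ip, h) == "hijack"]

def summarize(text: str) -> Dict[str, int]:
    counts = {"default": 0, "blocklist": 0, "hijack": 0, "redirect": 0, "malformed": 0}
    for ip, host in parse_hosts(text):
        counts[classify(ip, host)] += 1
    return counts
```

On a live machine, read C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; a long tail of "blocklist" lines is what an installed MVPS hosts file looks like, while any "hijack" line is worth removing and then rechecking whether the redirects actually stop.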
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Oh, I knew that we could just delete the file
    But I thought that the backup of Hosts file would just come back, or that possibly one of the resident protection programs had secured it somehow

    If it's just the easy process of deleting the hosts file, that will be good
    Note: I did get the OP to replace and install a new one already with mvps.bat, why didn't that just do it?

    kritius, what is this symbol in your post? (in the word: "Avenger s")
  13. kritius

    kritius TS Guru Posts: 2,084

    Only shows up on this forum, everywhere else is fine. (vbforum software, go figure, patchy at best)

    This infection is a sticky one, it may well be that it is blocking the hosts file from being changed at all. Key thing is after this to see if the redirects are happening, not just if it is still showing in the logs.
  14. watty

    watty TS Rookie Topic Starter

    I am going to try kritius's Avenger thing. This problem with not being able to affect the hosts file was definitely a key part of this infection, it was there before all these attempts at security and removal began.

    Wish me luck.
  15. watty

    watty TS Rookie Topic Starter

    pasting avenger results now...

    Logfile of The Avenger Version 2.0, (c) by Swandog46

    Platform: Windows XP


    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger


    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\windows\System32\drivers\etc\hosts" deleted successfully.

    Completed script processing.


    Finished! Terminate.

    The redirects don't seem to be happening from the Google homepage anymore (YAY) but oddly I still get sent to awful Gala search engine shopping results when I use the little Google search bar that Explorer has up beside the address bar!?!
  16. watty

    watty TS Rookie Topic Starter

    Don't abandon me now guys!

    Don't I need a hosts file? If I just deleted it, do I need to put something back in its place?
  17. kritius

    kritius TS Guru Posts: 2,084

    Redo the hosts file install that kimsland asked earlier
Topic Status:
Not open for further replies.
