TechSpot

Task manager and regedit are being used by another file?

By bluepopsicles
Aug 4, 2008
  1. Yesterday, I started getting a problem... my icon tray (the thing next to the clock) wouldn't show any icons; the arrow was there but icons such as the volume and internet connection weren't there. I tried to fix this somehow and noticed that my task manager was being used by another file. I've been online trying to figure out how to fix my task manager and icons and everything and I have no idea. Also, Norton seems to say that HTTP Trojan Vundo Activity is going on. I have no idea what that means. I ran AVG several times and got rid of anything that came up but I'm still having a problem.
    Help, please!
     
  2. adu123

    adu123 TS Maniac Posts: 301

    Are you able to open Task Manager (Ctrl + Alt + Delete)?

    Follow the instructions here, and attach the requested logs :)
     
  3. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    I did the Malwarebytes Anti-Malware stuff and it found some viruses and deleted them. It also said that some things could not be deleted and then told me to restart my computer and it would delete them that way. After restarting my computer, my system tray was working and so was task manager, etc.
    I'm guessing that all the viruses are gone but I'm not sure so I'll attach the log for it.
    thanks so much!
    =)
     


  4. adu123

    adu123 TS Maniac Posts: 301

    Glad to hear that :)

    To make sure there aren't any infections left, please attach a HijackThis log for analysis.
     
  5. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    okay sure.
    it's attached.
     


  6. adu123

    adu123 TS Maniac Posts: 301

    Open HijackThis, place a checkmark next to these entries:

    O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
    O16 - DPF: {8FEED82A-42A6-4117-A803-7EC3EB9339E0} (ClientControl Class) - http://192.168.0.103:83/plugin/client.cab

    and click "fix".

    Delete this file: C:\WINDOWS\system32\ctfmona.exe

    Your Java version is out of date; many types of malware like to exploit out-of-date Java versions!
    Update your Java Runtime Environment:

    • Click Start -> Control Panel -> Double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • When it finds the newer version - Follow the on-screen instructions (uncheck the Yahoo toolbar option)
    • After it installs the newest version, go back to Start -> Control Panel -> Add/Remove Programs (Programs and Features in Vista)
    • Uninstall any older versions of Java except the most current update that you just installed

    You've saved HJT in the wrong location, please follow these instructions to re-install it:
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory!
    • After installing, the program launches automatically, select Scan now and save a log.


    Post a fresh HJT log in your next reply:)
     
  7. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    I did what all you said but when I went to delete C:\WINDOWS\system32\ctfmona.exe it wasn't there. I did a search for it and it said it wasn't found.
    and a new HJT log is attached
    thank you!
     


  8. adu123

    adu123 TS Maniac Posts: 301

    ok, we will deal with it later, but first:

    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\MPK\MPK.exe
    • Click on the submit button
    • Post the result in your next reply
     
  9. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    Scan taken on 05 Aug 2008 17:00:18 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Fortinet
    Found nothing
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing


    yay!
     
  10. adu123

    adu123 TS Maniac Posts: 301

    Good, now download Killbox, and save it to your desktop.

    Boot into safe mode, see how here
    Turn on "Show all files and folders, including hidden and system". see how here

    Double-click Killbox.exe to run it, copy & paste C:\WINDOWS\system32\ctfmona.exe into the Full Path of File to Delete box, select Standard File Kill, and then click the Delete File button (looks like a red circle with a white X). Your taskbar and desktop will disappear for a brief period, which is normal.

    After you've done that, rehide your protected OS files.

    Post a fresh HJT log in your next reply:)
     
  11. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    I did the Killbox thing and it said that the file didn't exist.
    and a new log is attached.
    =)
     


     
  12. adu123

    adu123 TS Maniac Posts: 301

    That's ok, your log is clean:)

    How's your computer running now?
     
  13. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    It's wonderful. I haven't been using it the past couple days but now it's perfect. Thank you!
     
  14. adu123

    adu123 TS Maniac Posts: 301

    Good, but we are not done yet.

    I see that you have two AV programs installed, AVG8 & Norton AntiVirus. Having two AV programs can cause conflicts and slow your computer dramatically; please uninstall one of them. If you decide to uninstall Norton AntiVirus, follow the full Removal Tool Instructions here

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    Did you set this on purpose? Or did you use Spybot's Home Page and Option Lock down features in the Mode -> Advanced Mode -> Tools -> IE Tweaks section? If you aren't aware of any of this, fix it.

    Paste this into notepad

    Locate the file and double-click to run it

    Post a fresh HJT log in your next reply.
     
  15. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    I did all that you said but I have no idea what you're talking about with the pasting into Notepad and deleting... I'm totally lost.
    new HJT is attached.
     
  16. adu123

    adu123 TS Maniac Posts: 301

    No problem, I'll walk you through it:)

    First open Notepad, then copy the code below in the quote box:

    then paste it into the Notepad file, name the file fix.cmd and change the "Save as Type" to "All Files", then save it to your desktop.

    Locate the file you just created on the desktop, and double-click to run it.

    Post a fresh log in your next reply.
     
  17. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    thank you =)
    Can I delete that file off of my desktop after I've run it?
    and log is attached.
     
  18. adu123

    adu123 TS Maniac Posts: 301

    Sorry, I think I've put the wrong code in the quote box :eek:, let's try this again:
    • First open Notepad, then copy the code below in the quote box:
    • then paste it into the Notepad file, name the file service.cmd and change the "Save as Type" to "All Files", then save it to your desktop.
    • Locate the file you just created on the desktop, and double-click to run it.
     
  19. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    okay.
    log is attached.
     
  20. adu123

    adu123 TS Maniac Posts: 301

    Very good, now you can delete that service.cmd file.
    I recommend you keep MBAM as one of the protection programs, update/run it regularly.

    Also:
    Firewall: A firewall is definitely a must-have. Two good free versions are Comodo and ZoneLabs


    You are good to go, surf safely:)
     
  21. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    Alrighty, I'll definitely do that. And I'm downloading right now.
    thank you!
     
  22. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Just to make it nice and clean, open HijackThis and remove the 2 items below if they are still there

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Amanullah Sajwani\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
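
The HijackThis entries singled out in this thread (the `ctfmona` Run key and the HTTP-hosted ActiveX package in post 6, and the two leftover entries in post 22) can be triaged mechanically. The following is an added example, not code from any participant or from HijackThis itself. The `KNOWN_SYSTEM` list, the 0.9 similarity threshold, the `ctfmon.exe` control line and the `user` profile name in the sample are assumptions or constructed values.

```python
import re
from difflib import SequenceMatcher

# Section codes seen in this thread, with their usual HijackThis meanings.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "Autostart entry (Run key / Startup folder)",
    "O9": "Extra Internet Explorer button or Tools item",
    "O16": "ActiveX object (Downloaded Program Files)",
}
# Assumption: a tiny sample of legitimate Windows binary names to compare against.
KNOWN_SYSTEM = ("ctfmon.exe", "svchost.exe", "explorer.exe")

LINE_RE = re.compile(r"^\s*(O\d{1,2})\s+-\s+(.*)$")
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
EXE_RE = re.compile(r"([^\\\s]+\.exe)\s*$", re.IGNORECASE)

def lookalike(name):
    """Return the known binary that `name` nearly matches, or None."""
    name = name.lower()
    for known in KNOWN_SYSTEM:
        if name != known and SequenceMatcher(None, name, known).ratio() >= 0.9:
            return known
    return None

def triage(log_text):
    """Return (code, section, notes) for each entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        code, rest = m.groups()
        notes = []
        if ORPHAN_RE.search(rest):
            notes.append("orphaned entry: target file is gone")
        exe = EXE_RE.search(rest)
        if code == "O4" and exe and lookalike(exe.group(1)):
            notes.append("lookalike of " + lookalike(exe.group(1)))
        if code == "O16" and "http://" in rest.lower():
            notes.append("ActiveX package fetched over plain HTTP")
        if notes:
            findings.append((code, SECTIONS.get(code, "unknown section"), notes))
    return findings

# Entries quoted from the posts, plus one constructed control line (ctfmon.exe).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {8FEED82A-42A6-4117-A803-7EC3EB9339E0} (ClientControl Class) - http://192.168.0.103:83/plugin/client.cab
"""
```
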
     
  23. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    okay.
    btw, I downloaded the firewall but it just cut off my internet
    I use Network Magic so that might be the problem?
     
  24. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

    Which firewall?
     
  25. bluepopsicles

    bluepopsicles TS Rookie Topic Starter Posts: 16

    Kerio... the free trial
     
Topic Status:
Not open for further replies.

