TechSpot

Task manager disabled by administrator (yes another one of these D:)

By deadphanit
May 14, 2010
  1. hello,
    I'm facing a problem where when I press alt+ctrl+del a message saying "task manager disabled by administrator" pops up. I followed a guide on how to remove this and so on and it worked, BUT my task manager auto-closes after 1 second. I tried restarting and I'm back to square one with more consequences. Now, when I reach the start screen, a message saying "Drive not ready" appears while behind it is just a black screen. There are options to continue, retry and 1 more I forgot (I'm too afraid to restart now for fear of being unable to use the comp anymore). But after clicking continue the start screen appears like normal. I dunno if it has anything to do with the task manager problem. Here's my HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:17:02 PM, on 5/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe
    C:\WINDOWS\system32\PSIService.exe
    c:\program files\panda security\panda internet security 2010\firewall\PSHOST.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2010\PskSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\WINDOWS\system32\netsh.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=...e.com/default.aspx&lc=1033&id=64855&mkt=en-US
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2010\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2010\Inicio.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Phanit\My Documents\Downloads\FIXING\RRT.exe auto
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.kongregate.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{845EE3F7-9164-4DE2-9A35-65CD94AFCBEE}: NameServer = 202.188.1.5,202.188.0.133
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: {93ac7c30-3878-4eaa-9420-7977285df5b1} - cinnamomum - (no file)
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Panda Host Service (PSHost) - Panda Security International - c:\program files\panda security\panda internet security 2010\firewall\PSHOST.EXE
    O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\PskSvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe

    --
    End of file - 11248 bytes



    *Oh. I know I'm supposed to fix the "O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1" but I click Fix and nothing happens. It's still there. Thanks in advance.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please reopen HijackThis to 'do system scan only.' Check each of the following processes if present:

    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
    O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Phanit\My Documents\Downloads\FIXING\RRT.exe auto
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O15 - Trusted Zone: http://www.kongregate.com
    O22 - SharedTaskScheduler: {93ac7c30-3878-4eaa-9420-7977285df5b1} - cinnamomum - (no file)


    Close all Windows except for HJT and click on "Fix Checked."

    Please note: this is not going to remove any malware if malware caused these problems, but it should make the system more accessible.

    Follow this with the steps in our Preliminary Virus and Malware Removal Thread HERE.

    Leave the requested logs for review when finished.

    NOTE: You can use HijackThis to temporarily stop some of the entries, but unless the cause is found, the problem is still on the system.

    P2P or 'file sharing' Warning:
    I note you are using 2 file sharing programs:
    BitComet and Ares
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall both of them for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    If you choose not to uninstall either or both, please do not use them while I am helping clean the system.
     
  3. deadphanit

    deadphanit TS Rookie Topic Starter

    Regarding BitComet and Ares, I think I deleted them a long time ago. They aren't in Add/Remove Programs or C:\Program Files either. BitComet's folder in Program Files does not contain its .exe file; it just contains a .dat and 3 .xml files. Do I just delete the whole folder? And I do have BitTorrent too, so I removed it from my comp.

    Ok. I read the 8 steps already. But I came to a hiccup at step one. Step 1: Antivirus scanning. I downloaded Avast 1st, but I think the virus is preventing me from running the setup as it closes after 1 second. I tried renaming it but it made no difference. Next, I downloaded Avira. Setup was also blocked so I renamed it and after that I could fully install it. BUT I can't run the .exe program to do the scanning. It just closes after 1.5 seconds or so. So I moved on with the other steps. But at Step 5: GMER, I could scan and everything, but since it took a long time to complete I ran it overnight. When I checked the comp the next morning, my comp was as if it had been restarted. I thought maybe it might be one of my family members so I tried again another night and told them not to off it. But the same thing happened the next morning. No sign of the GMER. So I'll just post the Malwarebytes and DDS logs.

    Oh, I did some googling and I think the virus I'm facing is Vundo, if you didn't already know.
    And nowadays, my computer is crashing more frequently than ever. It just sometimes hangs and the monitor goes blank and a "going to sleep" sign appears, which is the monitor thinking that the CPU is off. And when I on the comp, weird vertical yellow lines appear on the Windows loading screen. If I let it continue loading it will just crash. So I off and restart. It takes me like 10+ times just to get it back to normal.

    I'll just attach the 3 logs. The post is already kinda lengthy, sorry. And thanks :D
     

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Do you know that you are almost out of hard drive space: 76 GiB total, 2.56 GiB free. You should have as close to 80% as possible. You have 3.3%. Time to uninstall anything you don't use or need.

    Avira is still loading although it is outdated. Since you have Panda Internet Security, please remove Avira: To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.
    =============================
    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ==================================
    After Combofix has been installed and scanned, do the following:
    Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    
    DDS::
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    uPolicies-explorer: NoViewOnDrive = 0 (0x0)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    mPolicies-explorer: NoViewOnDrive = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    dPolicies-system: DisableRegistryTools = 1 (0x1)
    DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    Registry::
    
    Driver::
    
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Is this your ISP in Malaysia?
    inetnum: 202.188.1.0 - 202.188.1.127
    netname: INFRA-TMNET
    descr: TMNET
    country: MY
    ======================
    I'll have you run HijackThis again later. Please don't try to remove anything at this point.
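The DDS/CFScript lines in this post name the policy values behind the symptoms in the thread (DisableTaskMgr and DisableRegistryTools under the user, machine and .DEFAULT hives). The following PowerShell script is an added example, not code from the thread or from any of the tools mentioned: it audits those exact values in all three hives and only removes them when run with the hypothetical -Reset switch. It assumes an elevated PowerShell prompt; the registry paths come from the HijackThis and DDS output above.

```powershell
# Added example (not from the thread): audit the Policies\System values that the
# thread's HijackThis/DDS output shows (DisableTaskMgr, DisableRegistryTools)
# across the current user, the machine and the .DEFAULT hive.
# Read-only unless -Reset is given. Run from an elevated PowerShell prompt.
param([switch]$Reset)

# Policy value names taken from the DDS/CFScript lines in the thread.
$ValueNames = 'DisableTaskMgr', 'DisableRegistryTools'

# The three hives the DDS output lists as uPolicies (user), mPolicies (machine)
# and dPolicies (.DEFAULT), expressed as registry provider paths.
$Paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-PolicyFindings {
    # Emits one object per policy value that is present and non-zero.
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        foreach ($name in $ValueNames) {
            $value = $key.$name
            if ($null -ne $value -and $value -ne 0) {
                New-Object PSObject -Property @{ Path = $path; Name = $name; Value = $value }
            }
        }
    }
}

$findings = @(Get-PolicyFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No DisableTaskMgr/DisableRegistryTools policy values are set.'
    return
}

# Report what is set and where, so the result can be pasted into a reply.
$findings | Select-Object Path, Name, Value | Format-Table -AutoSize

if ($Reset) {
    foreach ($f in $findings) {
        Remove-ItemProperty -LiteralPath $f.Path -Name $f.Name -ErrorAction Stop
        Write-Output "Removed $($f.Name) from $($f.Path)"
    }
    Write-Output 'Values removed. If they are back after a reboot, something on the system is re-setting them and the cause is still present.'
}
```

Running the script without -Reset before and after a fix is the useful check: the helper's point that HijackThis only hides the symptom is exactly the case where the values reappear on the next audit.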
     
  5. deadphanit

    deadphanit TS Rookie Topic Starter

    Erm ok, I removed Avira through Control Panel. But the Program Files folder is still there, so do I delete it? AND when running ComboFix, they say my Panda is running. BUT it's not at the taskbar. I think the virus disabled it. I can't find the .exe file either. I thought the virus closed the program but according to ComboFix it's still running. So what should I do? Let it run with Panda still "on"?

    EDIT: Oh, I found the exe. It's at Control Panel. But I still can't run it anyway, so I can't disable it. If it isn't already disabled :O

    Erm, I'm not sure. I dunno how to check either. But yes, I'm using TMnet, in Malaysia.
    Oh, and I use XP. Might make it easier for you. And do I need to back up my work files to an external hard drive about now? Or will the virus get transferred there too o.O?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, that is your ISP- it's the company you pay every month for the internet service.

    You can delete the Avira program folder.

    I do not recommend backing up now as, yes, you can spread malware to the drive if it's in the files and folders you send there.

    Please leave the Combofix report generated after running the script.
     
  7. deadphanit

    deadphanit TS Rookie Topic Starter

    Erm, Bobbye, I don't think you've answered one of my questions. Ty. And sorry for the delay.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Just run Combofix.
     
  9. deadphanit

    deadphanit TS Rookie Topic Starter

    Ok, I ran ComboFix, but the Recovery Console failed to install. Moving on, I waited and waited, but it was taking a while, so I went to study first. I came up later and it was already preparing a log. Then I went to the toilet, came out, and the window had just closed. No log, no nothing. After that, I dragged the CFScript.txt to combofix.exe and then it had to restart the comp to do some system restore thingy. So I did, and when it restarted, just a black screen with the mouse pointer.
    Haihz, I feel like I'm wasting your time. But I shall try again tonight.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You had or have a SpywareQuake malware infection. It is a rogue antispyware program.
    O22 - SharedTaskScheduler: {93ac7c30-3878-4eaa-9420-7977285df5b1} - cinnamomum - (no file)

    Please do the following:

    1. Print out these instructions as we will need to close every window that is open later in the fix.
    2. Download SmitfraudFix.exe and save it to your desktop:
       • Confirm that the file SmitfraudFix.exe resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps.
    3. Boot into Safe Mode:
       • Restart your computer and start pressing the F8 key on your keyboard.
       • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    4. Double-click on the SmitFraudfix icon on the desktop.
    5. At the credits screen, press any key on your keyboard to get to the next screen. You will see a menu.
    6. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).
    7. The program will start cleaning your computer and go through a series of cleanup processes. When SmitFraudFix is done, it will automatically start the Disk Cleanup program: This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically.
    8. When Disk Cleanup is finished, you get the option "Do you want to clean the registry? (y/n)". Press Y, then Enter.
    9. When finished, you will get a red screen stating "Computer will reboot now."
       • Close all applications.
       • Press the spacebar. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
    10. After reboot, you get a Notepad screen containing a log of all the files removed from your computer.
       • Save the log. Include it in your next reply.
    Credits to BleepingComputer. (some editing)
    ==============================
    Rescan with HijackThis. Include new log with next reply.
     
  11. deadphanit

    deadphanit TS Rookie Topic Starter

    Erm. Houston, we have a problem. I can't boot into Safe Mode. It just runs some driver checking, I think (not sure about this, it just loads stuff rather quickly), then it auto restarts and takes you back to the page for choosing Safe Mode, Last Known Good Configuration, or Start Normally. And I looked around in the forums for a solution to my problem, and I found out there is another way, which will auto run my comp in Safe Mode every time I on it if I enable it to do so. But there was a warning attached that says there might be a virus preventing the comp from running in Safe Mode and I won't be able to even start my comp. So I'd rather refer to you.
    It's like one problem after another. And sorry for the kinda late replies. I'm having my examinations now T.T
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There is a way to do this, but I don't like to use it because it's sometimes hard to get it back into Normal Mode.

    Is it doing a Chkdsk, then rebooting when finished? Do you know what the error checking (Chkdsk) screen looks like?

    You need to get the Recovery Console on the machine. If you disconnected from the internet before you started Combofix, you would not have been able to do it: From Microsoft:
     
  13. deadphanit

    deadphanit TS Rookie Topic Starter

    Hey, just to cut in a while. Yesterday I was using the comp, then I accidentally kicked the power plug and all the plugs offed as they were all connected to a splitter or some sort. So then I restarted my comp. Tried to connect to the internet. Failed. I looked at "show all connections" at Start Menu > Connect To, and realized I had no connectivity. I went to My Computer > Properties > Hardware > Device Manager and looked for the network adapter section and couldn't find my network card installed. I tried searching for new hardware under the network adapters section. But strangely it couldn't recognize the network card. So I unscrewed my CPU and unplugged it, then replugged it. Then I tried installing it again. This time it recognized it but it just wouldn't work; there was a yellow "!". So I kept uninstalling then reinstalling it about 5 times. Then it finally worked. Then my comp crashed. I rebooted my comp. And I had to deal with the pesky yellow/green/red vertical lines during loading like it used to. But this time it got a little worse. Normally if there were no lines during loading then it's good to go. But this time, no lines, but it still crashed when I reached the desktop screen. It took me 1 hour of non-stop rebooting to finally stop it from crashing. I checked the network card. Strangely it was back working again, but it was too late and I went to sleep. Today, the same thing happened. Network card just not cooperating.
    Is my problem because of this network card? If I recall properly, after I bought this 2nd hand card, all these problems arose. Should I buy a new one? Or can it be fixed? Or does it have nothing to do at all with the card?
    I shall install the Recovery Console tonight. Sorry and thanks once again.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Unfortunately I'm getting more words than results. Reformatting and reinstalling would probably be your best path. And unless you 1. get a larger hard drive or 2. remove a significant amount of programs, files and folders from the hard drive, don't expect much.
     
Topic Status:
Not open for further replies.

