Cannot end some processes in Task Manager, cannot install & uninstall

Status
Not open for further replies.

imranies

Posts: 20   +0
Hello to the skilled members of techspot ;)

This is my first post, so please pardon my mistakes if I accidentally made some :eek:

Ok so I got this really nasty virus in my laptop (trojan I guess), it recently came about 2 days ago. Some of the problems:
- I can't end certain processes in task manager
- I can't install or uninstall (when the install/uninstall bar moves, it just froze for a loooong time)
- I can't seem to do online virus scans. when downloading the active X, the browser suddenly froze, or not responding
- Usually, most of the programs (window media player, search, browser, virus updates) also froze or not responding
- I can't shut down properly, always got to click the shut down button for 4 seconds. When I tried to shut down the normal way, it just no response, nothing happens
and more, i can't quite recall

Firstly I've tried everything I can to solve it, checking tons of websites, etc, but still cannot solve it. In finding the solutions, I feel that this site has the best people, so I decided to seek help here :)

Firstly, what I've tried...
- Scanned it with my symantec antivirus, found some trojans, deleted it, but the problems persist
- Checking the internet, found some relevant topics, but each of those solutions are specific to the problems of the poster. I've tried some of their methods, but still cannot find this virus or delete it
- Downloading and trying tons of stuff. I have even tried your 8-step Viruses/Spyware/Malware Preliminary Removal Instructions; scanning with AVG, CCleaner, Malwarebytes, SuperAntiSpyware, (I can't update Java due to the 'not responding' problem). That software found some wares & trojans, deleted them, but the problem persists
- I can't uninstall symantec, and many other programs, because it just froze or no response
- tried to do online scans, but the browser suddenly froze or not responding

So those are pretty much what I did to solve this. I've done the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions (my attachments are just below) and i really really hope you can help me.

(Btw, this is my first post, so if I accidentally broke some rules of posting, I'm terribly sorry. Do tell what my mistakes are)

Thanks in advance! :)
 
Hi, nice post!

No worries about mistakes; everybody makes them! What's more important is a great learning attitude that you have that makes volunteer work here so much more pleasurable =)

Firstly, you've got to run HijackThis in normal mode and fix these (they're all bad):
O2 - BHO: (no name) - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - (no file)
O2 - BHO: (no name) - {74AA1867-4E01-EA40-371C-E1C3E52E43E8} - (no file)
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [lbegrrlchwznr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\grobmemfougbgugp.dll"
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/imranies/LOCALS~1/Temp/msohtml1/01/clip_image001.gif

Next, your SAS log shows:
Adware.Mirar/NetNucleus
C:\PROGRAM FILES\ADOBE\ADOBE PHOTOSHOP CS3\CRACK\CRACK.EXE
Please bear in mind TS has a strict policy on piracy. I would recommend you stop downloading these anyway; 99% of them out there contain nasties.

Thirdly, please see this following link on megaupload toolbar.
http://www.castlecops.com/tk30914-Megaupload_Toolbar.html

I personally would recommend uninstalling it because of the potential of ads/adware it brings. Do this only after the cleaning though.

When you are done with the HijackThis, be sure to post back with a fresh log from normal mode. =)
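
The O2 and O4 lines quoted in the post above, parsed as an added example (not part of the original thread and not HijackThis's own logic). The function names and the three triage heuristics are assumptions for illustration; they only restate structural traits visible in those lines.

```python
import re

# Sample input: O2/O4 lines copied from the post above.
SAMPLE = r"""
O2 - BHO: (no name) - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - (no file)
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [lbegrrlchwznr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\grobmemfougbgugp.dll"
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
"""

LINE = re.compile(r"^(O\d+) - (.+)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN = re.compile(r"^(HK\w+\\\.\.\\[^:]+): \[([^\]]*)\] (.+)$")

def parse_entry(line):
    """Split one log line into its section code and fields; None if not an entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "raw": body}
    if section == "O2" and (b := BHO.match(body)):      # Browser Helper Object
        entry.update(kind="bho", name=b[1], clsid=b[2], file=b[3])
    elif section == "O4" and (r := RUN.match(body)):    # registry autostart
        entry.update(kind="autostart", key=r[1], name=r[2], command=r[3])
    return entry

def triage(entry):
    """Hypothetical heuristics: reasons an entry deserves a closer look."""
    notes = []
    if entry.get("kind") == "bho" and entry["file"] == "(no file)":
        notes.append("BHO registered but its file is missing")
    cmd = entry.get("command", "")
    if cmd:
        if re.search(r"regsvr32(\.exe)?\s+/s\b", cmd, re.I):
            notes.append("autostart silently registers a DLL via regsvr32 /s")
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe:
            notes.append("autostart command has no directory path")
    return notes

def review(log_text):
    """Return (entry, notes) pairs for every parsable line in the log text."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [(e, triage(e)) for e in entries if e]

if __name__ == "__main__":
    for entry, notes in review(SAMPLE):
        print(entry["section"], entry.get("name", ""), "->", notes or "no note")
```

A note from these heuristics is a reason to look at the entry, not a verdict; the judgement that an entry is bad still comes from a trained reader of the whole log.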
 
ok momok, i've done as requested...

hey momok,

here you go, i've attached the hijackthis log down here. the laptop looks better, i really hope that the worst is behind us :)

well, hope you'll check it out, and i'll be waiting patiently for your further instructions...

Btw, thank you very much for replying my emails before. i know i should not do that, but i cant login so i got no choice. i'm very relieved to know that you put higher priority in helping others, than following some of the rules ;)

Regards,
imran

update,

internet explorer suddenly froze a while ago, and i tried to end process using task manager. the browser is gone, but the iexplore.exe process in the task manager is still there. when i used photoshop cs3 and tried to save, it also froze. when i tried to play some music in wmplayer, it also froze. Arrrggghhh, no music. lol :p
 
Hi,

Apart from that how is your system running now? I noticed btw, that you have XP SP2 installed. Try to get SP 3.

Are there any error messages when your computer 'froze'? Was it intermittent, or only during certain actions? Does it freeze for good and you have to restart?
 
hmm,why do u recommend sp3?

Nope, there's no error message whatsoever. they just froze. it usually froze during certain actions...
- sometimes when i just run the program (a game for example) the game starts running, then immediately froze
- wmplayer froze when i go into the library, or start playing the next song, or when i check the properties of a certain song
- browser usually froze when i downloaded active X to do online scans, so i cannot do online scans. it also just suddenly froze for no reason

yes it froze for good. i tried to end it using task manager, but the task manager cant end that process! so the frozen programs just stays there, and i cant do anything about it.

and when i tried to restart, it just stops. its like something just stops the restart process. when we restart, the pc starts to close all programs, save settings, and restart right? but me, the restart process just close down couple of programs that it can close (it cannot close the frozen programs) and then the restart process just stops right there. so i got no choice but to click the shut down button 4 seconds :'(

Please tell me what should i do....? Btw, have u checked out my hijackthis? i have also attach my combofix log here, just in case u need it :)

hey momok.

recently i've downloaded spybot search & destroy. when i finish scanning with it, it seems that it detected and deleted some warez. so i guess that maybe my registry was changed a little after that scan. here i give u my new hijackthis...

how do u guys read this hijack thing anyway? if i know how to read it, maybe i can help u guys a little ;)
 
Hi,

I'm thinking the freezing problems are more likely related to something else and not malware. However, your logs show you still need a last bit of cleaning. They also show you probably got infected through an external drive. Be sure to clean all external thumbdrives and hard disks you have when you are done.

Please temporarily disable SpyBot's teatimer function (in your windows system tray bottom right) before you commence with the following instructions.

  1. Open notepad and copy/paste the text in the quote box below into it:

    File::
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE


    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16200852-0bc2-11dc-b31b-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1761c6c6-3e1c-11dc-b3d1-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2badf416-c67d-11db-b23e-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57847ce8-fa77-11dc-b5f3-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{605dcaa4-a478-11dc-b50d-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fc76ac2-1a58-11db-af59-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85202718-5c94-11dd-b6d1-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d2b71b0-5716-11dd-b6bd-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7548702-02b6-11dc-b2fe-0015c5255168}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efc51190-904f-11dd-b72b-0015c5255168}]
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.
Paste the new Combofix log in your next reply.


SP 3 is the latest update from Microsoft, and will have fixes to existing problems, security loopholes and bugs etc. That's why I recommend you update. Also, I just noticed you have AVG and Symantec Antivirus running. That's not recommended as it will severely hog your system resources. Uninstall one of them.

how do u guys read this hijack thing anyway? if i know how to read it, maybe i can help u guys a little
There are several HijackThis tutorials out there. Here are some links:
http://www.bleepingcomputer.com/tutorials/tutorial42.html
http://www.castlecops.com/HijackThis.html

Reading logs and diagnosing problems usually takes more experience. I won't recommend you help others until you are trained. If you wish to be trained, you can visit
Malware Removal University or
http://www.uniteagainstmalware.com/schools.php
But I won't recommend it if you are not determined to do so.
 
hey momok,

i've done the scan with combofix using the script...but i think i forgot to turn off the teatimer.exe, lol:blush:

is it ok? or should i do another scan? when i tried to do another scan, the script is already gone...

btw, this is the combofix log u want...
 
Oh no I just realised I made a slight mistake to the instructions. Please download my attachment to use as the new script.
 
i'm currently installing Service Pack 3 from windows update. i'll do it as soon as i done.

do i need to turn off the teatimer.exe, and do the combofix scan like the above again?
 
hey momok,

hmm, this is odd...my combofix log is greater than 300kb, and i cannot attach it...how can i deliver this to u?
 
hey,that's a good idea...why didn't i think of that? :p

ok,here they are...

by the way, i've just uninstalled both my antivirus, and install a new one called McAfee. what's your opinion about this antivirus?
 
Hi,

Your log is large because you just installed SP3 and all the newly installed files and folders are listed. On a bright side, it looks clean.

Personally I opt for the free antiviruses either Avira or AVG. Gems like SpyBot and CCleaner are also necessities on my system. But no tool/software beats sensible user surfing habits. The best form of defence is still caution and care in online usage. =)

That said, are you facing any new problems so far?
 
hey momok,

hmm...it seems that everything was back to normal :D no more freezes, i can install/uninstall again, all programs are running normally and i can shut down really fast :) This is really relieving, lol. especially that i just got a new client for my web design biz :p

thank u very much momok for supporting, especially u do it voluntarily. i still cant believe u guys are willing to help others for free. i learned a lot from u :D i hope that somehow you guys will get big rewards in the future, for all these free support ;)

last question, what softwares you recommend i download and use, so that i'll get max security when browsing the web? besides sensible surfing habits of course... :p
 
Sure thing =)

When it comes to preventive measures, there's no 'one size fits all' actually. But generally, a decent setup usually has a few components:

Spy Bot Search & Destroy
Avira/Avast/AVG Antivirus (use only one. for more info to help you decide which suits you better, check this out.)
Comodo/Zonealarm firewall
CCleaner (use regularly)


Now that you're gd to go,
  1. Please download and run CCleaner via step 3 of the instructions HERE.

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.
 
ok, i'll do that.

hmm...i've heard that a software called spywareblaster is a lot better than spybot, what do u think about this software?

also, i already got windows firewall, is it good enough?

and about ccleaner...is it safe to use it to fix or clean the registry as well? i saw a service called fix registry issue there...
 
I personally haven't used that so I can't vouch for it. I've used SpyBot for 3 years though and it's really great.

Firewall options are really up to your personal preference; I'd say at least google some comparisons between windows firewall and the existing free ones online to decide.

CCleaner fix registry can be used but do backup your registry before doing so.
 
i see...

well momok, thank you very much for helping me, i really appreciate it. i guess i'm gonna start exploring techspot a little & be a regular here, so maybe i'll see you around ;)
 
Spyware Blaster and Spybot don't conflict; they actually serve a different purpose, the only similarity they have is the hosts file.

Installing SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer/Firefox settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
 
Like I said there is no conflict and it won't hurt you to run both, it will just give you an extra layer of protection while surfing the net.

Furthermore, if it were my system and you want to maximize performance, I would disable tea-timer altogether and use Winpatrol to monitor startup programs and changes to activeX, etc. It uses about 1/10th of the resources.

I run all 3, spybot (without teatimer), spyware blaster (for firefox and IE), and winpatrol (for monitoring startups/active X)
 
wow, that must be pretty heavy. if u look at my system spec, i only got a couple of MB RAM and small amount of Ghz :p after that i gotta run photoshop, n firewall, McAfee, etc

hmm,if i gotta choose between mcafee and AVG Free, which is better?
 
I run avira antivir and am very impressed with it, the next I would recommend is Avast, and the 3rd option would be AVG 8.

I don't recommend Mcafee or Norton.

I didn't look at your logs but you should also run a firewall for this I recommend zone alarm or comodo.

If you are worried about resources like I said - disable teatimer for good

Disable Teatimer
  • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Use Winpatrol from my signature - you won't hardly notice it running other than the scotty dog in the system tray - for monitoring startups

======================================

Free Software

Firewalls
Here are some firewalls which are free for personal use and most commonly used:
Comodo <-Vista Compatible
Kerio (Sunbelt) <- Vista compatible (didn't work well in my test of Vista)
Online Armor
Zonealarm <-Vista Compatible


Anti-Virus
Avast Free
Avira Free <- My recommendation


Anti-Spyware
Malwarebytes' Anti-Malware
SUPERAntispyware


Additional Utilities
Winpatrol
Tutorial for Winpatrol

Spyware Blaster
Tutorial for Spyware Blaster
 
Agreed with Blind Dragon on choosing between Avira and Mcafee. I'm thinking of switching to it myself.

Would just like to add though, that there are some problems Zonealarm faces with Vista PCs that cause BSODs.. I personally encountered it some time back.
 