Can't open taskmanager, cmd prompt, regedit, msconfig

Status
Not open for further replies.

bleepit

Can't open taskmanager, cmd prompt, regedit, msconfig.

I have used a lot of programs to detect/clean (Spybot, Ad-Aware, AVG, Ewido, HijackThis, CC, WebSearch) in safe mode with system restore off.

The only things that could not be deleted were two entries found by Ad-Aware: one is DisableTaskMgr and the other is DisableRegistryTools. I've tried almost every possible way to delete those two but they keep showing up.

I managed to enter the registry and delete those two with a third-party registry editor, but after reboot DisableTaskMgr and DisableRegistryTools magically appear again!!!

Can someone please help me get back my control of my machine?
 
Hello and welcome to Techspot.

Go HERE and follow the instructions in the order they are given.

Post a fresh HJT log as an attachment, only after doing the above.

Regards Howard :wave: :wave:
 
Went through all of it and finally I can access regedit, Task Manager, etc.

Here is a fresh log from hijackthis:

-verbose HJT removed-

Please re-read Howards post above and spot where you went wrong :) - .txt attachment. ---Spike
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\hblogon.dll into the run box and press the enter key.

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with (if there):

winupdates

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for (if there):

Keygen-Serial.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [rmalt] C:\Program Files\winupdates\Keygen-Serial.exe

O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following files (if there):

C:\Program Files\winupdates\Keygen-Serial.exe
C:\WINDOWS\SYSTEM32\hblogon.dll

Reboot into normal mode and turn system restore back on.


Regards Howard :)
 
I agree with Howard, this is the primary culprit right now:

O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll

Being that it is a Notify entry, it even runs in safe mode, so it may be difficult for you to delete it.
If all the instructions don't seem to work, you can do 1 of 2 things:

1) Use a program to delete the file upon restart.

2) Go into Recovery Console and delete hblogon.dll from there. Then restart back into Safe Mode and remove the notify entry with HJT.

Hope you get it taken care of
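The two HJT lines Howard flagged (the O4 Run entry and the O20 Winlogon Notify entry) are exactly the kind of thing worth pulling out of a log automatically, and Vigilante's point is the reason the O20 line matters most: a notify DLL is loaded by Winlogon at every logon, Safe Mode included, so it can keep re-creating the DisableTaskMgr/DisableRegistryTools values no matter how often they are deleted. The following Python script is an added example written for this thread, not code from HijackThis, TechSpot or anyone in the discussion. It parses a constructed HJT-style log excerpt, flags O20 entries that are not among the stock Windows XP notify packages, and marks O4 autostarts whose executable is not on a small allow list. The allow lists (STOCK_NOTIFY, KNOWN_RUN_EXES) and the sample log are assumptions for the demonstration and would be tuned to the real machine.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of HijackThis-style log lines. Two lines reproduce the
# entries Howard asked to be fixed; the others are benign-looking filler.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [rmalt] C:\Program Files\winupdates\Keygen-Serial.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll
"""

# Assumed allow list: the Winlogon notify packages present on a stock XP install.
STOCK_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# Assumed allow list of autostart executables already known on this machine.
KNOWN_RUN_EXES = {"soundman.exe", "ctfmon.exe"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str      # "O4" (Run key) or "O20" (Winlogon Notify)
    name: str      # value name or notify package name
    target: str    # command line or DLL path from the log
    severity: str  # "high" or "review"
    reason: str


def exe_basename(cmd: str) -> str:
    """Return the lower-cased file name of the executable in a Run-key command line.

    Handles both quoted paths ("C:\\Program Files\\x\\y.exe" /arg) and bare names.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def triage(log_text: str) -> List[Finding]:
    """Scan HJT-style lines and return the entries a reviewer should look at."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            if m["name"].lower() not in STOCK_NOTIFY:
                findings.append(Finding(
                    "O20", m["name"], m["path"], "high",
                    "Winlogon notify DLL outside the stock set: loaded at every "
                    "logon, Safe Mode included, so it can keep re-applying "
                    "DisableTaskMgr/DisableRegistryTools after they are deleted",
                ))
            continue
        m = O4_RE.match(line)
        if m and exe_basename(m["cmd"]) not in KNOWN_RUN_EXES:
            findings.append(Finding(
                "O4", m["name"], m["cmd"], "review",
                f"unrecognised autostart in {m['hive']}\\..\\{m['key']}",
            ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.kind} {f.name}: {f.target}\n         {f.reason}")
```

Running it against the sample reports the rmalt Run entry for review and the hblogon notify package as high. Anything the script calls "high" is the entry to remove first (with HJT's delete-on-reboot, KillBox or the Recovery Console, as the thread describes), because until the notify DLL is gone the policy values will simply come back at the next logon.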
 
Hi Vigilante.

These are both baddies.

C:\Program Files\winupdates\Keygen-Serial.exe
C:\WINDOWS\SYSTEM32\hblogon.dll

For the attention of Vigilante only. HJT has a feature that allows a file to be deleted on reboot.

If you run HJT and click on the Config button, followed by the Misc Tools button, you will see, amongst other things, a button that says Delete file on reboot. If you click on this, a window appears where you can browse to the file you wish to delete. Open the file and HJT will ask you if you want to restart your computer. Click yes. The file should now be gone.

Regards Howard :)
 
Hi again, I used KillBox to delete hblogon.dll on restart because HJT could not delete it (didn't know until now that HJT could do the same thing).

How does it look now?
 
I really appreciate your help Howard I would be in a dark tunnel without it.

thanks a lot!

Also thanks to Vigilante.

Do you have a recommendation on which software to have running so I'm protected in general by almost everything including malware, spyware, trojans and such.

Right now I have zone alarm (free), avg (free), I update those two automatically every night, and ewido which will expire pretty soon (trial).

And I also run once in a while adaware and spybot.
 
Even when Ewido expires, you can still use it. It's just that you lose one or two features, that's all.

Take a look at Spike's thread HERE. It will help you to keep your system more secure.

Regards Howard :)
 
Thanks howard, I never used the HJT file deleter deal, I'll sure try it next time. I HATE those notify entries!
 
Sorry to bug you again, but there seems to be something strange. I went into my Administrator account to change my User account privileges to 'Limited' but it is grayed out. Only Administrator is available and selected.

I have three accounts:

Administrator
User1 (Limited is grayed out; Administrator is selected and the only one available)
Guest

I tried the same in all accounts in safe mode but it's the same there. 'Limited' is grayed out.

Is this a left over from some malware?
 
bleepit said:
Sorry to bug you again, but there seems to be something strange. I went into my Administrator account to change my User account privileges to 'Limited' but it is grayed out. Only Administrator is available and selected.

I have three accounts:

Administrator
User1 (Limited is grayed out; Administrator is selected and the only one available)
Guest

I tried the same in all accounts in safe mode but it's the same there. 'Limited' is grayed out.

Is this a left over from some malware?

This is the same for me. I don't think it's malware, but probably there has to be at least one admin account that can be run from outside of safe mode. Probably a WinXP "feature".
 
I just did a quick test, was able to create an administrative account and then back it down to limited. I was thinking maybe you can't change admin to limited, but I guess you can.

I think you need one admin account. But that usually is the hidden, built-in "administrator" user.
I would just create a brand new account, limited. And leave yourself at least one password-protected admin account besides administrator.
 