Task manager+regedit is closed

Status
Not open for further replies.
Hello guys,
I have a big bad problem... I have a virus (a trojan or a worm) on my PC
that closes Task Manager and regedit... Also, when I re-install my Windows it comes back again on the first boot of Windows... Anyway, I can't find the files that cause that... I can't set up anti-viruses or anti-trojans... but if I can set one up... then I can use it :((
For example, when I set up NOD32 I can't use it, and after 5 min this virus removes NOD32 from my hard drive... What should I do?! Please help me to fix this problem... I think if I can run the registry, maybe I can fix this problem.
 
This is the log file from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Internet Download Manager\IEMonitor.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winwaql.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winonmet.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winnxys.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Internet Download Manager\IDMan.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - G:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKCU\..\Run: [IDMan] G:\Program Files\Internet Download Manager\IDMan.exe /onboot
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - G:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - G:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - G:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{307A288B-504B-49E1-8444-7C7C74DEE2FE}: NameServer = 89.165.40.13 4.2.2.4

--
End of file - 2297 bytes
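
An added example (not part of the original thread): a small Python triage pass over a HijackThis log like the one posted above. It flags processes running from a Temp directory, O7 policy restrictions such as `DisableRegedit=1`, and O17 NameServer values that are not on a list the analyst supplies. The function name `triage`, the `expected_dns` parameter and the sample (lines excerpted from the log above) are assumptions of this example.

```python
import re

# Constructed sample: lines excerpted from the HijackThis log in the post above.
SAMPLE_LOG = r"""Running processes:
G:\WINDOWS\system32\services.exe
G:\WINDOWS\Explorer.EXE
G:\DOCUME~1\CRF\LOCALS~1\Temp\winwaql.exe
G:\Program Files\Internet Download Manager\IDMan.exe

O4 - HKCU\..\Run: [IDMan] G:\Program Files\Internet Download Manager\IDMan.exe /onboot
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{307A288B-504B-49E1-8444-7C7C74DEE2FE}: NameServer = 89.165.40.13 4.2.2.4
"""

# Matches a Temp path component, including the 8.3 form ...\LOCALS~1\Temp\
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
POLICY = re.compile(r"^O7 - (?P<key>[^,]+), (?P<name>\w+)=(?P<value>\d+)$")
DNS = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def triage(log_text, expected_dns=()):
    """Return a list of (category, detail) findings for a HijackThis log.

    expected_dns is the analyst's own list of resolvers (hypothetical
    parameter); any NameServer not on it is reported for review.
    """
    findings = []
    in_processes = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
            elif TEMP_DIR.search(line) and line.lower().endswith(".exe"):
                findings.append(("process-in-temp", line))
            continue
        m = POLICY.match(line)
        if m and m["value"] != "0":  # a non-zero policy value is an active restriction
            findings.append(("policy-restriction", f"{m['name']}={m['value']}"))
            continue
        m = DNS.match(line)
        if m:
            for server in re.split(r"[ ,]+", m["servers"].strip()):
                if server not in expected_dns:
                    findings.append(("unexpected-dns", server))
    return findings
```

A finding here means "review this entry", not a verdict; the DNS check in particular only compares against the list passed in.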
 
Run HijackThis and check these for fix:
G:\Program Files\Internet Download Manager\IEMonitor.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winwaql.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winonmet.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winnxys.exe
G:\Program Files\Internet Download Manager\IDMan.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - G:\Program Files\Internet Download Manager\IDMIECC.dll

O4 - HKCU\..\Run: [IDMan] G:\Program Files\Internet Download Manager\IDMan.exe /onboot
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - G:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - G:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - G:\Program Files\Internet Download Manager\IEExt.htm

If you have META Products, read this for some conflict issues:
http://www.metaproducts.com/forum/Forums_Message.asp?id=62251&pg=0

Run HijackThis and post a new log.
 
hijackthis-scan2

I think I can't fix them... After another fast scan, it shows this result:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{26CAB041-0D67-4949-A688-1E854A7CFF1C}: NameServer = 89.165.40.13 4.2.2.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{26CAB041-0D67-4949-A688-1E854A7CFF1C}: NameServer = 89.165.40.13 4.2.2.4
The first line is always in the results... Is there any way of changing the value of reg files with dat files?!
 
Download FixPolicies.exe by Bill Castner and save it to your desktop.

http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe

Double click on FixPolicies.exe to run it.

Click on Install. It will create a folder named FixPolicies on your desktop.

Open the FixPolicies folder.

Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

If that gets you operating, follow the 8 Step Virus Removal process.
 
Let's try this: disable all protection software and exit unneeded programs.
Download SMITFRAUD, then disconnect from your network.
Double-click SmitfraudFix.exe.
Select 1 and hit Enter to create a report of the infected files, usually at C:\rapport.txt
Select 3 to remove trusted zones.
Select 5 to try and remove the DNS redirects.

Remember: right-click on the My Computer icon and go to Properties.
Turn off System Restore.
Open IE and go to Tools, Options; delete temporary internet files and cookies.
Do a disk cleanup from your Start / Accessories / System Tools menu.

Run HijackThis and Malwarebytes at the same time.
Select any files and/or keys I posted below in HijackThis {KEEP IN MIND the temp files will have new} but on both Malwarebytes and HijackThis click fix at the same time.
Then reboot immediately.
Once complete, run HijackThis and post your log here again.

G:\Program Files\Internet Download Manager\IEMonitor.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winwaql.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winonmet.exe
G:\DOCUME~1\CRF\LOCALS~1\Temp\winnxys.exe
G:\Program Files\Internet Download Manager\IDMan.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - G:\Program Files\Internet Download Manager\IDMIECC.dll

O4 - HKCU\..\Run: [IDMan] G:\Program Files\Internet Download Manager\IDMan.exe /onboot
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - G:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - G:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - G:\Program Files\Internet Download Manager\IEExt.htm
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{26CAB041-0D67-4949-A688-1E854A7CFF1C}: NameServer = 89.165.40.13 4.2.2.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{26CAB041-0D67-4949-A688-1E854A7CFF1C}: NameServer = 89.165.40.13 4.2.2.4
 