Taskmgr, Regedit, and Cmd won't open: Logs Attached

Status
Not open for further replies.

bend.your.mind

Posts: 13   +0
Hi! I noticed about two days ago that my task manager would not come up when I pressed Ctrl+Alt+Delete. I looked around the web and tried various other methods like typing taskmgr into the Run box. When I entered that into the Run box the message "another program is currently using this" popped up. I searched around some more and found a way to locate Task Manager in the Windows folder. When double clicking on this I received the same message. I found out that this might be able to be fixed by using regedit or cmd but when typing those into the Run box I received the same notation "another program is currently using this".

I came across your forum and went through the "Viruses/Spyware/Malware, preliminary removal instructions" completing them as best I could and read through the "What to do about Task Manager problems". By going through all the steps various problems were deleted but none seemed to fix my problem.

Also, my virus program eTrust ezAntivirus popped up a few times telling me that two files were infected. These could very well be what are causing the problems but for some reason my virus program won't delete them and no other programs have detected them. The infections are called "Win 32/Clspring.GN" and "Win32/Clspring.GK". I will attach my log files for HijackThis and AVG Antispyware. Thank you for your time!
 

howard_hopkinso

Posts: 21,238   +17
Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

AWS
WeatherBug

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

Weather.exe
dllhost.exe
ALCMTR.EXE
logonui.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {94397232-EEFE-9821-A4DB-C7DEB4C058BF} - C:\WINDOWS\system32\vte.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [Lhti] "C:\WINDOWS\system32\YSTEM3~1\logonui.exe" -vt yazb

O4 - Global Startup: dllhost.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSzeb008ADUS_blank

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Program Files\AWS <Delete the entire folder.
C:\WINDOWS\system32\YSTEM3~1 <Delete the entire folder.
C:\windows\ALCMTR.EXE

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having problems.

Regards Howard :wave: :wave:

This thread is for the use of bend.your.mind only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
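Added example (not part of the original posts and not HijackThis's own logic): a small triage script that parses entries in the HijackThis format quoted in the post above and flags the two patterns that stand out in it, orphaned "(file missing)" entries and autostart items that reuse a Windows system file name from the wrong location. The list of system names and the `C:\WINDOWS` install path are assumptions made for this illustration.

```python
import ntpath
import re

# Real Windows binaries that live directly in %windir%\system32.
# Short illustrative list (an assumption), not a complete inventory.
SYSTEM_NAMES = {"dllhost.exe", "logonui.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIR = r"c:\windows\system32"  # assumes the C:\WINDOWS install seen in the log

# Entries copied from the HijackThis list in the post above.
SAMPLE = r"""
O2 - BHO: (no name) - {94397232-EEFE-9821-A4DB-C7DEB4C058BF} - C:\WINDOWS\system32\vte.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [Lhti] "C:\WINDOWS\system32\YSTEM3~1\logonui.exe" -vt yazb
O4 - Global Startup: dllhost.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

def triage(line):
    """Return (section, target, flags) for one HijackThis line, or None."""
    m = re.match(r"(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    flags = ["file-missing"] if "(file missing)" in rest else []
    target = None
    if section == "O4":  # autostart: Run keys and Startup folders
        where, _, value = rest.partition(": ")
        in_startup = "Startup" in where
        # Startup items may read "name.lnk = target"; Run items read "[name] command".
        value = value.rpartition(" = ")[2] if in_startup else value.partition("] ")[2]
        exe = re.match(r'"?(.+?\.exe)', value, re.I)
        target = exe.group(1) if exe else value
        name = ntpath.basename(target).lower()
        folder = ntpath.dirname(target).lower()
        if name in SYSTEM_NAMES and in_startup:
            flags.append("system-name-in-startup")
        elif name in SYSTEM_NAMES and folder and folder != SYSTEM_DIR:
            flags.append("system-name-outside-system32")
    return section, target, flags

def flagged(log):
    """Triage every recognisable line and keep only those with flags."""
    rows = (triage(l) for l in log.splitlines())
    return [r for r in rows if r and r[2]]

if __name__ == "__main__":
    for section, target, flags in flagged(SAMPLE):
        print(section, target or "-", ", ".join(flags))
```

An unflagged line, such as the `ALCMTR.EXE` Run entry here, only means these two heuristics did not match it; it still needs the manual review the helper gives it in the post.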
 

bend.your.mind

Posts: 13   +0
Fixed!

Thank you so much! I followed your steps and now everything is working! Attached is my new HJT log. Thank you again! :giddy:
 

howard_hopkinso

Posts: 21,238   +17
Your HJT log is now clean.

Turn off system restore. (XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 

howard_hopkinso

Posts: 21,238   +17
Hello and welcome to Techspot.

HJT=HijackThis.

See HERE for more info.

If you have a virus/spyware problem, you should open a new thread in this forum. As stated in the red text at the bottom of this post.

Regards Howard :wave: :wave:

This thread is for the use of bend.your.mind only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 

bend.your.mind

Posts: 13   +0
New Problems...

Hi! The same thing happened to me (regedit and taskmgr not opening) so I went into safe mode and checked to see if any of the files I had deleted the last time had reappeared. The file C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe had reappeared so I promptly deleted it. I then ran AVG AntiSpyware and HijackThis.

When I rebooted into normal mode I checked to see if the taskmgr, regedit, and cmd were working again. They were. It seems deleting the C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe did the trick.

My question was if there are any further problems with my HJ report and if there are further steps I should take.

Thank you for your time and help!
 

howard_hopkinso

Posts: 21,238   +17
Your HJT log is clean.

However, AVG Antispyware has picked up a Trojan on your system, so let's get rid of it.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

wcpsvsu.exe

Close task manager.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system32\wcpsvsu.exe

Reboot into normal mode and rehide your protected OS files.

Run the Ccleaner programme as per the instructions in step 9 of this thread HERE.

Run a fresh AVG Antispyware scan and post the log, if it finds anything.

Regards Howard :)

 

howard_hopkinso

Posts: 21,238   +17
All it's found is a few tracking cookies and a trojan in a system restore point.

Ccleaner should get rid of the tracking cookies.

In order to get rid of the restore point trojan, do the following.

Turn off system restore. (XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 

bend.your.mind

Posts: 13   +0
Computer running slowly

Hi. I don't have a major problem but I was just curious if I had any bugs because in the past week my computer has been running slower. I ran Anti-spyware and HJT. The logs are attached.

Thanks again!
 

howard_hopkinso

Posts: 21,238   +17
Your system is infected with a variety of malware and you're running an outdated version of HijackThis.

All items in your AVG Antispyware log say "No Action Taken". That's because you haven't told AVG Antispyware to quarantine its results as per the instructions. See this pictorial guide.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

Mywebsearch.

Close control panel.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

 

bend.your.mind

Posts: 13   +0
Completed Removal Process- Logs attached

I completed the virus removal process and have attached the combofix, HJT, and AVG Antispyware logs. I ran the AVG antirootkit scan and have no rootkits.

Thanks!
 

howard_hopkinso

Posts: 21,238   +17
Delete all files in AVG Antispyware quarantine.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "open Script File".
Navigate to the file you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and Combofix logs.

Regards Howard :)

 

howard_hopkinso

Posts: 21,238   +17
Instead of attaching the Avenger log, you've attached the Avenger script file that I gave you lol. I have therefore removed your logfiles so that you can reattach them. This is the Avenger log I need to see: c:\avenger.txt.

Regards Howard :)

 

howard_hopkinso

Posts: 21,238   +17
Sorry for the delay in getting back to you. To be honest, I'd completely forgotten about this thread. ;)

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS

O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

Click on the fix checked button.

Close HJT and reboot your system.

Post a fresh HJT log and let me know if you're still having problems.

Regards Howard :)

 

bend.your.mind

Posts: 13   +0
I followed those instructions. I'm posting my HJT again because my monitoring virus scanner picked this up: c:\avenger\backup.zip <avenger/uy.exe> Win32/Malum.CZAK.

Thanks!
 

howard_hopkinso

Posts: 21,238   +17
Your HJT log is clean.

You can safely delete the Avenger backups.

Locate and delete the following bold files and/or directories (if there).

c:\avenger\backup.zip <There are infected files in the .zip file, but they are completely harmless as long as they stay zipped up. That's just the Avenger programme doing its job and is nothing to worry about.

Turn off system restore. (XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 