|
cannot use ctrl+alt+del
|
|
|
delaluna
Newbie
|
31. October 2009 @ 07:40 |
Link to this message
|
Hi,
My computer was affected by viruses and now I cannot use ctrl+alt+del.
Here is what I've done so far.
1. Ran Malwarebytes and found couple trojans and deleted.
2. Ran ATF Cleaner and cleaned up everything.
3. Used Ad-Aware and was able to detect and delete some infected files and .exe.
3. Ran AVG Anti-Virus and everything seems to be okay, except for some cookies.
4. Still cannot get ctrl+alt+del to work. I did some search on the net and found this tip. Start-Run-copy&paste this in: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Still cannot get ctrl+alt+del to work.
Is it possible that the task manager is deleted from my computer? How can I restore it?
Would really appreciate your help!
Jennie
Oh, and here is the Hijack file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38:08, on 2009-10-31
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CMBCHINA\WebProtect\WPService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\My Documents\Downloads\HijackThis.exe
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: 中国工商银行BHO - {BB4491A2-D11A-4c6b-91C0-B53246A3122B} - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\Icbc_AntiPhishing.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download by easyMule - D:\emule\easyMule\IE2EM.htm
O8 - Extra context menu item: 使用电驴下载 - C:\Program Files\easyMule\IE2EM.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {3AA9CF07-DF20-48FF-98BE-DED276E40146} (GDGetTokenInfo Class) - https://mybank.icbc.com.cn/icbc/GDReadPub.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
O16 - DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} (InfoSecICBCNetSign Class) - https://mybank.icbc.com.cn/icbc/ICBC_NetSign.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC05A96-A0D6-403E-8D45-0B7ACD216552}: NameServer = 124.74.213.68 202.96.209.133
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
O23 - Service: ICBC Daemon Service - Unknown owner - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe
O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
--
End of file - 6263 bytes
|
|
Advertisement
|
 |
|
|
AfterDawn Addict
1 product review
|
31. October 2009 @ 09:47 |
Link to this message
|
I am not sure why Task Manager won't open on your PC, but as a temporary or permanent fix here are 5 Task Manager alternatives.
As for the HiJack this log, there are many entries that point towards a ICBC Bank. Which from what the log contains seems to be located in China. Judging from your typing/"language" I would guess your not from China. If you are correct me. But do you know of ICBC Bank?
Also try booting into Safe Mode and re-running all the scans you mentied. Malwarebytes, Ad-Aware,etc. I would also recommend SUPER Anti-Spyware and SpyBot Search and Destroy be installed and used. You should only have 1 Anti-Virus installed but you can never have to many Anti-Spyware apps especially when dealing with a infection.
Below are download links for SUPER and Spybot use these incase your browser is redirecting you:
Super Ant-Spyware
Spybot Seach and Destroy
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08 |
|
delaluna
Newbie
|
31. October 2009 @ 21:50 |
Link to this message
|
|
Hi,
Thanks a bunch for your reply.
I am in China (from US), so no worries about the ICBC Bank.
The thing is, I cannot reboot in safemode either. The F8 key doesn't work. I don't know if this is the result after the viruses? Yesterday I was able to reboot in safemoode by using Msconfig in the run tab. But I think I've made a mistake. Yesterday, I've also ran Combofix and the result shows that Combofix has deleted my Msconfig. Now I cannot find Msconfig on the computer. I've tried download an msconfig.exe from the internet (http://www.pcreview.co.uk/forums/thread-1735965.php) but it doesn't have the option for reboot in safemode as did before.
What should I do?
|
AfterDawn Addict
1 product review
|
31. October 2009 @ 21:55 |
Link to this message
|
|
Unless F8 was they key you used to get into Safe Mode before you should try other keys as it may not be F8 maybe its F11 or F12 etc.
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
scum101
Suspended due to non-functional email address
|
31. October 2009 @ 22:58 |
Link to this message
|
virus is win32-parite .. it will be running a hidden webserver and set of files down below hide.exe .. search for that.. then you will have to boot to real dos and delete it and everything below it.. hide.exe in this way isn't actually a file, it's a wrapper for a whole hidden process. It disables task manager so you can't see the apache or ftp protocol it's running.. it also disables safe mode.
so.. let everything start up normally.. pull internet plug to disable whatever web processes are connecting out.
search for hide.*
make a note of exactly where it is (was a post a long time ago on ozzu by me about manual removal of this thing) and then boot with any live cd or win98 boot floppy or something.. and go to the location... when you get there cd hide.exe and dir will bring up a whole heap of stuff... there is even a text file message for you from the malware writer spamming an irc channel... that you are better off avoiding XD
delete the lot with dos ..
old virus.. maybe newly skinned by somebody.
|
|
delaluna
Newbie
|
1. November 2009 @ 00:14 |
Link to this message
|
|
Hi,
Thanks for the tip. Got into safemode, and ran Malwarebytes. But midway through a pop-up appeared saying "hard disk error" and after awhile, the blue screen flashed with the message "kernel_stack_inpage_error".
0X00000077
I rebooted again in safemode and ran AGV anti-virus. Again, after awhile the screen became blurry and the computer crashed.
Any advice?
Thanks!!!
Jennie
|
AfterDawn Addict
1 product review
|
1. November 2009 @ 00:25 |
Link to this message
|
I won't go into detail about this Bluescreen Message since Microsoft does such a great job of it themselves! lol heres a link from Microsoft:
http://support.microsoft.com/kb/315266
Basically either you have a hardware failure occuring/approaching or you have one nasty virus that is affecting your main Hard Drives boot sector.
@scum101 - Your post makes no sense. You say "virus is win32-parite". Yes a virus is a Win32 parasite but thats a general definition for anything malicious. Your advice is sketchy at best. And you prove how much you know by this line "pull internet plug to disable whatever web processes are connecting out". Disconnecting the ethernet plug from the computer won't disable any processes that are running. They will keep running they just won't be able to connect to the internet. And who even has a Windows 98 floppy anymore? Heck who even has a floppy drive? I'm normally a very pleasant person but your seemingly general lack of knowledge ticks me off since bad information give to a user could ruin there computer.
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
delaluna
Newbie
|
1. November 2009 @ 00:45 |
Link to this message
|
PeaInAPod,
Suppose it is the hardware issue, do I have the reformat the computer?
After reading http://support.microsoft.com/kb/315266, should I re-install the service pack?
What should I do at this point?
Thanks,
Jennie
|
|
delaluna
Newbie
|
1. November 2009 @ 00:51 |
Link to this message
|
|
I think you might be right about the nasty virus that is affecting my hard drive. But what should I do?
|
AfterDawn Addict
1 product review
|
1. November 2009 @ 01:01 |
Link to this message
|
That article states that everything is either virus or hardware based. Since we have scanned with tons of programs and run HJT logs I will say if it is a virus we should reformat and reinstall.
But lets try to do the Hardware fixes first. There are 3 options Microsoft lists but only 2 apply to us.
Quote:
Option 2: Manually run Chkdsk
If Autochk does not automatically run, you can manually run the Chkdsk disk scanner. To do this, follow these steps:
Click Start, click Run, type chkdsk /f /r, and then click OK.
At the command prompt, type Y to let the disk scanner run the next time you restart the computer.
Restart your computer now to initiate the scan.
Chkdsk will run.
If the computer did not restart successfully
If the computer did not restart successfully, manually run the Chkdsk disk scanner from the Recovery Console. To do this, follow these steps:Restart the computer.
When the Welcome to Setup screen appears, press R to start the Recovery Console.
If you have a dual-boot or a multiple-boot computer, select the installation that you need to access.
When you are prompted, type the administrator password. If the administrator password is blank, press ENTER.
At the command prompt, type chkdsk /r, and then press ENTER.
When Chkdsk has finished running, read the results, and then take any steps that are required to complete the process. For example, you may be prompted to run chkdsk /f to fix certain problems.
Restart the computer.
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
delaluna
Newbie
|
1. November 2009 @ 01:34 |
Link to this message
|
|
Hi,
I did the Option 2: Manually run Chkdsk, and it worked out fine.
Now what?
|
AfterDawn Addict
1 product review
|
1. November 2009 @ 01:38 |
Link to this message
|
|
Did Chkdsk report any errors with the file structure/actual files?
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
delaluna
Newbie
|
1. November 2009 @ 04:24 |
Link to this message
|
|
Nope, no error.
|
|
delaluna
Newbie
|
1. November 2009 @ 05:15 |
Link to this message
|
|
Also, at this stage, is it safe for me to do online shopping? (mostly entering passwords)
What about checking emails?
|
AfterDawn Addict
1 product review
|
1. November 2009 @ 10:03 |
Link to this message
|
Peronsally I would always do a reformat and reinstall afterwards but otherwise I would say yes it seems like things have cleared up for you. Its always a good idea though even if your pc hasn't been infected to keep a close eye on your checking/credit card use. I have my Chase checking account set to email me every morning with every transaction that has gone through so if something was charged that I wasn't expecting I'll know the day it happens not when my next statement comes.
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
scum101
Suspended due to non-functional email address
|
1. November 2009 @ 16:18 |
Link to this message
|
|
PARITE .. built on CHN base but to run hidden services instead of destroying hardware.
This seems like a new variant as trying to use silly windows tools to remove it appear to be causing bad sectors on the drive.. It's defending itself..
that's more than enough info.. no more secrets.
|
AfterDawn Addict
1 product review
|
1. November 2009 @ 17:17 |
Link to this message
|
I stand correct on 1 issue. Win32/Parite is an actual infection and not Parasite misspelled.
However there is still no reason to go through all the steps you listed scum101 since AVG the makers of delaluna's Antivirus program has a small program made just for the removal of the Win32/Parite infection. I would go further and guess that since AVG has a small removal tool for it there Antivirus should be able to catch it but who knows.
Delaluna just to eliminate this possibility, download this program from AVG called rmparite.exe then disconnect your computer from the network, i.e. unplug the ethernet cable, and then run the rmparite.exe tool.
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
delaluna
Newbie
|
1. November 2009 @ 20:09 |
Link to this message
|
Hi,
Ran rmparite.exe, no apparent infections found.
Why do you say my computer appears to be okay? Just because chkdsk didn't yield errors? But what about the possibility of that "nasty virus" that lurks behind? I say this because:
1. When in safemode, the virus scans (AVG, Malwarebytes, Ad-Aware, spybot, etc.) can't go through smoothly. The screen becomes blurry or freezes or shuts down.
2. cannot do ctrl+shift+del
|
AfterDawn Addict
1 product review
|
1. November 2009 @ 20:20 |
Link to this message
|
|
More than likely your Windows installation is corrupted which could be the reason you experience these issues in Safe Mode and the reason your ctrl-alt-delete functionality no longer works. It could also be a due to a hardware failure.
Since you said you had a virus previously it could be causing your issues, a corrupted Windows install could be the culprit, there are many possibilities. I would backup your data, and reinstall Windows. Now if the problem disappears after the reinstall of windows then it was either a virus or a corrupted Windows causing your problems. But if the problems with Safe Mode remain after a clean install of Windows then it must be a hardware failure.
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
delaluna
Newbie
|
1. November 2009 @ 20:53 |
Link to this message
|
|
Hi,
I've never re-stalled windows myself. (Usually a computer technician did it for me.) Few questions...
1. Is it difficult? How long is the process?
2. Is this the same thing as reformatting the hard drive?
3. All I need is a copy of Windows XP, right?
Thanks!
|
AfterDawn Addict
1 product review
|
1. November 2009 @ 21:03 |
Link to this message
|
I've done it a few times so I know the process now, but even still the process is very straightforward. To answer your questions:
1)All you really have to do is click Next, select the Date and Time, and enter your Serial #. The time to reinstall is dependent on numerous factors. I just reinstalled my OS a few weeks ago and the process didn't take more than 30-45 minutes.
2)Reformatting the hard drive is part of the install process.
3)Since you never installed a Operating Systen (OS) yourself I feek its safe to assume you bought a PC at a store. A store bought PC has two possible ways to reinstall Windows. When you turn it on you may have a "Recovery Console" option or something similarly named that wehn selected will boot into a special enviroment that can be used to reinstall Windows. Or more commonly the company (HP,Dell,etc) may have included "Restoration Discs" that you boot the computer from/to that allow you to reinstall Windows. Both methods are pretty straightforward.
Backup all your data before doing anything. Reinstalling Windows may seem like a daunting task but it is actually quite manageable.
2. Is this the same thing as reformatting the hard drive?
3. All I need is a copy of Windows XP, right?
Thanks!
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
delaluna
Newbie
|
1. November 2009 @ 21:33 |
Link to this message
|
Hi,
Thanks for your thorough explanation. I just called a technician friend of mine and he says that if I were to reinstall windows XP, I might encounter possible errors? He says that I wouldn't know which drivers to install, is this true?
Also, right now my computer has 2 drives. C drive and D drive. I install all my applications on C, and store data on D. When I re-install windows, will it wipe away all my D drive as well?
|
AfterDawn Addict
1 product review
|
2. November 2009 @ 11:15 |
Link to this message
|
|
To answer those questions tell me do you have restore cd's? Or when you turn your computer on is there a "Windows XP" option and a "XP Recovry" (or similar recovery option) when booting?
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
|
delaluna
Newbie
|
2. November 2009 @ 21:36 |
Link to this message
|
Hi,
I don't have the restore CD right now. (Do you mean the Windows XP SP3 installation CD?)
"Or when you turn your computer on is there a "Windows XP" option and a "XP Recovry" (or similar recovery option) when booting?" Nope, when I turn on the computer, there is no XP Recovery, it goes straight to Windows XP screen.
|
|
Advertisement
|
|
|
AfterDawn Addict
1 product review
|
2. November 2009 @ 22:00 |
Link to this message
|
Yes the installation CD. And since your boot process doesn't have the option of recovery then the XP installation CD will be what you use to reformat and reinstall.
As for drivers I can find those for you to make it easy. What is hte make and model of your pc? Example a (make) HP (model) v18z9 etc.
With the make and model I can find the drivers quickly and easily that match your pc.
"Some people have no damn sense." - Nephilim, March 27 2007 @ 18:08
|
