Task Manager/Regedit blocked by Trojan, need help to remove
February 9th, 2020
Scan in safe mode with Kaspersky ;>
already tried other virus scanners, they found the trojan, removed it, but it still reinstalled itself; well, gonna try Kaspersky and report back here
ok well, for some reason my PC won't run itself in safe mode (it reboots after I choose this option)
Please don't double-post, use the edit button instead. Members are allowed to double or triple post only if their previous post has exceeded the maximum characters limit.
Kindly visit our rules:
www..org/rules
I'd just go for a fresh install, backing up all important data and reinstalling the OS. Much less trouble than looking around for what can be causing the prob., at least IMO. Nowadays u can install an OS and all apps in 1~2 hours so it shouldn't be that long, I think
Format on system partition didn't help, and I don't feel like burning 300+ GB of files or transferring them anywhere else to format the whole HDD, providing that I have no freaking idea where the trojan is located, so I can basically just copy it back after I reinstall the system lolz
Malwarebytes?
tried, doesn't work
Download and run DDS, post the contents of DDS.txt back here ( please don’t upload to any file host just paste the contents)
download.bleepingcomputer.com/sUBs/dds.scr
http://wklejtekst.pl/mylogs
here u go, i pasted it there so its easier for u to read
Well you can see the reg edited here
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
I am aware of that, but since I can't access regedit I can't do anything about it. It's the &%*(*$ trojan that disables all that, prolly called ‘hijack.taskmanager’ and ‘hijack.regedit’
Disable or close any on-access scanners (Kaspersky, etc.). Download Combofix to your desktop and run it. Close any open applications and run Combofix. Do not perform other operations until it finishes. It may ask for a reboot, allow it to do so. After it is done, it will produce a log. Paste back the contents (Pastebin you are using has a problem with word wrap, lines weren’t split properly) directly to the forum or upload the file to mediafire.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Btw what is tlen (it looks like an IM client, but I’m not sure) ?
Combofix log:
http://wklejtekst.pl/combofixlog
Yes, Tlen is an IM client
Task Manager/Regedit blocked by Trojan, need help to remove, as it says
•Click Start
•Click Run
•Enter gpedit.msc in the Open box and click OK
•In the Group Policy settings window
•Select User Configuration
•Select Administrative Templates
•Select System
•Select Ctrl+Alt+Delete options
•Right Click Remove Task Manager
•Edit
it just changes again after a few seconds or on the next reboot, this method doesn't work
Open notepad and paste what is between the dashed lines (don’t include dashed lines)
—————————————————————————————————-
KILLALL::
FILE::
d:\program files\Common Files\userInit.dll
d:\program files\Common Files\logonInit.dll
d:\windows\S86B33832.tmp
D:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\winefgom.exe
————————————————————————————-
Save it as CFScript (So the file should be CFScript.txt !)
Drag CFScript onto the Combofix icon, Combofix will run again. Post back the resulting log
Also upload this to VirusTotal and give back the report link
d:\windows\HideWin.exe
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
Save the above as a *.reg file in notepad. Double click to add to registry. Then navigate to the following string
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
On the right side, delete the DisableTaskMgr
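A defender-side check for the policy values this thread keeps fighting over, written here as an added example (it is not from the thread or from any tool it mentions): it audits DisableTaskMgr, DisableRegistryTools and EnableLUA under both HKCU and HKLM, can reset them with -Restore, and re-reads them after a pause so you can see whether something running is re-applying them, which is what the "changes again after a few seconds" symptom above indicates. It assumes PowerShell 3 or later and an elevated prompt for the HKLM writes.

```powershell
# Added example: audit (and optionally restore) the Policies\System values a
# Task Manager / regedit blocker flips. Hive paths and default values below are
# standard Windows locations, not taken from the thread's logs.
param([switch]$Restore)

$Paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',   # per-user (uPolicies in DDS)
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'    # machine-wide (mPolicies in DDS)
)
$Expected = [ordered]@{
    DisableTaskMgr       = 0   # 1 blocks Task Manager
    DisableRegistryTools = 0   # 1 blocks regedit
    EnableLUA            = 1   # 0 turns UAC off (Vista and later; absent on XP is fine)
}

function Get-PolicyState {
    foreach ($p in $Paths) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        foreach ($name in $Expected.Keys) {
            $val = if ($key) { $key.GetValue($name, $null) } else { $null }
            [pscustomobject]@{
                Path   = $p
                Name   = $name
                Value  = $val
                # A missing value means "not set", i.e. the default behaviour: fine.
                Status = if ($null -eq $val -or $val -eq $Expected[$name]) { 'ok' } else { 'TAMPERED' }
            }
        }
    }
}

$state = Get-PolicyState
$state | Format-Table -AutoSize

if ($Restore) {
    foreach ($entry in ($state | Where-Object { $_.Status -eq 'TAMPERED' })) {
        if (-not (Test-Path $entry.Path)) { New-Item -Path $entry.Path -Force | Out-Null }
        Set-ItemProperty -Path $entry.Path -Name $entry.Name -Value $Expected[$entry.Name] -Type DWord
        Write-Host "Reset $($entry.Path)\$($entry.Name) to $($Expected[$entry.Name])"
    }
    # Re-check after a short wait: if the values flip back, a live process is
    # enforcing them and must be identified and stopped before any fix will hold.
    Start-Sleep -Seconds 10
    $again = Get-PolicyState | Where-Object { $_.Status -eq 'TAMPERED' }
    if ($again) { Write-Warning 'Values were re-applied within 10 s: something running is enforcing them.' }
    else        { Write-Host 'Values stayed at their defaults after 10 s.' }
}
```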
http://wklejtekst.pl/newcombofixlog
VirusTotal site doesn't load for me, dunno why, so I can't scan the file, should I upload it for u somewhere else?
Try one of the sites below
virscan.org
http://virusscan.jotti.org/en/
neither works, check ur PM, I uploaded the file so maybe u can scan it if possible
Chances are if you got an unremovable trojan you got other stuff that you don't know about. Reformat is the best option in my opinion.
1.Do a quick scan with malwarebytes, fix anything it finds and paste back the resulting log.
2.Download RSIT to your desktop and run it. Press continue (1 month) and paste back contents of resulting log.txt
http://images.malwareremoval.com/random/RSIT.exe
Use pastebin for the log
pastebin.com
RSIT log:
http://pastebin.com/m1638f85d
MALWAREBYTES log:
http://pastebin.com/m5d3dd156
1) Safe Mode
2) Download: http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe
3) Run
4) Create Log
5) Find whats causing issue and check it
6) Hit fix issues at bottom
7) reboot into safe mode
8) do full spyware check (preferably with spybot)
If you dont know what the log is, post it here and ill take a look…
As I wrote before, safe mode does not work for me, the PC just reboots itself again when I choose to run in safe mode
Do it out of safe mode then. HijackThis is the best tool to delete things ever, also points to malicious files' locations, which is useful.
Do it now and post the log pwease
here u go CurtGuven:
http://pastebin.com/d6242e90c
also waiting for `s reply
Remove this, check and fix:
D:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\winuntbm.exe
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=WORM_ZOTOB.E
Otherwise submit your log for analysis with Trend; there may be stuff I missed but it's unlikely, I'm always on mine lol. Check and fix, then do a full AV sweep and Malwarebytes or Spybot as well.
So I shall remove the file, then check and fix with Malwarebytes or what? Please be more specific, I am a noob
aha, check in hijackthis, then fix. Then navigate to the DIR (so take a note before you fix) and see if its still there, shouldn’t be. Then do a spybot / malwarebytes check
Do you have any new users in the mgmt console? Or any additional folders in My Documents?
the file won't let me delete itself
Get ATF Cleaner here
http://www.atribune.org/ccount/click.php?id=1
In main tab, tick select all and press empty selected. Close ATF Cleaner
Do a scan with HiJackThis! and tick the following lines
O2 – BHO: FlashGetBHO – {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} – D:\Documents and Settings\Administrator\Dane aplikacji\FlashGetBHO\FlashGetBHO3.dll (file missing)
O4 – HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I “D:\Program Files\Common Files\Wise Installation Wizard\WISC5C1C0F0D62F4DBF81D4D7EF397C228B_9_09_0814.MSI” TRANSFORMS=”D:\Program Files\Common Files\Wise Installation Wizard\WISC5C1C0F0D62F4DBF81D4D7EF397C228B_9_09_0814.MST” WISE_SETUP_EXE_PATH=”d:\nvidia\displaydriver\195.62\winxp\international\PhysX_9. 09.0814_SystemSoftware.exe”
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 – Winlogon Notify: LogonInit – logonInit.dll (file missing)
Press fix selected.
Do a new HiJackThis! and post back the log.
Also please open D:\rollback.ini with notepad and post the contents here
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 How i managed to miss that I don’t know! Sorry I can be of no more help – on my iPhone as of now.
http://pastebin.com/m696175
Seems that I can't remove that O7 thing; also, the rollback.ini is empty
It seems something is restoring executables to temp, which keep changing registry keys. Download Hitman Pro and scan. It uses various AV engines, let’s hope it finds what I am missing
http://download.softpedia.com/dl/b2682cd1ffb9ff0a554ae9c23cac76b9/4b4a44a5/100043800/software/antispy_popup/HitmanPro35.exe