
Task Mngr/Add/Remove Gone - HJT log -Thank you!

Discussion in 'Virus & Other Malware Removal' started by canoli, Apr 26, 2010.

  1. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    THANK YOU VERY MUCH for taking the time to look at my post. Any help at all will be appreciated.

    At 6:37pm last evening I was surfing the net, clicked on a dumb site and up popped what appeared to be a Microsoft alert...the browser window closed and since then I've had all kinds of problems: no task manager, no add/remove programs - every time I want to run a program "Open With" dialog pops up... even when I try to install HJT - but right-clicking and choosing START worked, so I was able to get this log.

    I unplugged my cable line to stop the internet and have kept it off most of the time since last night. I've heard a strange "clicking" about every 5 or 10 seconds; that happened for a few minutes, then went away.

    I did a scan with UnHackMe and have 4 or 5 virus names that it found and supposedly deleted - actually maybe that was the Avast scan that told me the names. I can't remember now. I took pictures of my screen as the scan was going along, then later went to the Event Viewer and got this info:

    Here are the viruses I have according to the Event Viewer:

    Win32:JunkPoly (Cryp)
    Win32:Ertfor(Trj)
    Win32:Malware-gen
    Win32:Qandr (Rtk)
    Win32:patched-MA(Trj)

    I can tell you the locations they were found in as well if you want - some were in the Temp folder, most in sys32.

    Here's my HJT log - and THANK YOU SO INCREDIBLY MUCH for taking the time to help me - if you can...I'm really hoping to avoid the Recovery Console on this laptop, as I have many programs installed, some big ones too - like Adobe CS4 and Office, and a ton of smaller ones as well. Anyway - whatever it takes! Thanks again!!

    XP Pro sp3 on a Lenovo T500 laptop - about 16 months old. No prior infections. Avast subscription and Windows Firewall and Spybot are the extent of my protection from viruses/malware/etc. Up till now it's been sufficient. Thanks again!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:25:43 AM, on 4/26/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\WINDOWS\system32\ASTSRV.EXE
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\FolderSize\FolderSizeSvc.exe
    C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    C:\WINDOWS\system32\PSIService.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
    C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Documents and Settings\RKC\Desktop\procexp.exe
    C:\Documents and Settings\RKC\Desktop\windows-kb890830-v3.6.exe
    z:\5569a77aee76ea27b465e6bd82bf\mrtstub.exe
    C:\WINDOWS\system32\MRT.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lenovo.com/welcome/thinkpad
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\ServicePackFiles\i386\msconfig.exe /auto
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\PROGRAM FILES\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\ADC.EXE
    O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
    O4 - HKCU\..\Run: [Stickies] C:\Program Files\Bret Taylor\Stickies\Stickies.exe
    O4 - HKCU\..\Run: [Kana Reminder] "C:\Documents and Settings\RKC\Desktop\Reminder.exe"
    O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\TEMP\NVSVC32.EXE
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\Temp\cmd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
    O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
    O4 - Global Startup: WinColor.exe.lnk = C:\Program Files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252886731015
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: AuthenTec Fingerprint Service (ATService) - Unknown owner - C:\WINDOWS\system32\AtService.exe (file missing)
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: Google Update Service (gupdate1c9bebe93c143b0) (gupdate1c9bebe93c143b0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: LKQCZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RKC\LOCALS~1\Temp\LKQCZ.exe
    O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
    O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
    O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
    O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

    --
    End of file - 13489 bytes
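The log above contains the entries a malware helper would look at first: the F2 UserInit line that loads sdra64.exe alongside the stock userinit.exe, the O4 Run entries with a random-looking name launching from the user's Temp folder (including one under the SYSTEM hive), and the O23 service LKQCZ running from Temp. The following Python script is an added example, not part of this thread and not a HijackThis feature; it triages a HijackThis log with exactly those three checks. The sample lines are an excerpt copied from the log above, with a few clean entries kept as controls.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted above (flagged entries
# plus a few clean ones as controls). Not the full log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\TEMP\NVSVC32.EXE
O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\Temp\cmd.exe (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: LKQCZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RKC\LOCALS~1\Temp\LKQCZ.exe
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "F2", "O4", "O23"
    reason: str
    line: str


# Matches both "\Temp\" and the 8.3 short form "\LOCALS~1\TEMP\" seen in the log.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Random-looking autostart names: long, no spaces, a mix of letters and digits.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{16,}$", re.IGNORECASE)


def userinit_extras(value: str) -> list[str]:
    """Return every entry in a UserInit value other than the stock userinit.exe.

    A clean XP system lists only userinit.exe here; anything appended after the
    comma is loaded at every logon.
    """
    extras = []
    for part in value.split(","):
        part = part.strip()
        if part and part.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(part)
    return extras


def triage(log_text: str) -> list[Finding]:
    """Run the three checks over a HijackThis log and return the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(F\d|O\d+|R\d) - (.*)$", line)
        if not m:
            continue  # header, process list, or blank line
        section, body = m.groups()
        if section == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            for extra in userinit_extras(value):
                findings.append(Finding(section, f"extra UserInit executable: {extra}", line))
        if section == "O4":
            name_m = re.search(r"\[([^\]]*)\]", body)
            if name_m and RANDOM_NAME.match(name_m.group(1)):
                findings.append(Finding(section, f"random-looking Run name: {name_m.group(1)}", line))
        if section in ("O4", "O20", "O23") and TEMP_DIR.search(body):
            findings.append(Finding(section, "autostart/service runs from a Temp directory", line))
    return findings


def reasons(log_text: str) -> list[str]:
    return [f.reason for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n      {f.line}")
```

Run against the excerpt it reports six findings: the sdra64.exe UserInit entry, two for each of the hsf87... Run keys (random name plus Temp path), and the LKQCZ service in Temp; the avast and ATFUS controls stay silent.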
     
  2. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    Can't tell if things are getting better or worse. Microsoft's Malware Removal tool didn't find anything but Avast keeps saying there's a virus, wants to shut down and do a scan. I did that but it didn't find anything. As I said earlier, Avast found 5 or 6 virus/trojans/malware the first time I scanned, right after the symptoms started.

    Still can't get to Task Mngr or Add/Remove or Windows Firewall, and every app I click brings up the "Open With" dialog box. On the good side, the C: and the E: drive (E is a 5GB Lenovo "Recovery Partition") are now showing up in Disk Mngmt, which they weren't before (though all my other drives were - I have 3 ext HDDs).

    Anyway just thought I'd keep a running account of what's going on with this computer...boy this will teach me to surf indiscriminately, just clicking on anything and everything... I thought I was protected with Windows Firewall and an updated Avast but I guess not.

    just got the Avast popup - it says it found File Name: SVC: PRAGMAfpyycwxbvf - Type: Hidden services - lets me choose Delete or Ignore. I deleted it last time it came up, about 10 minutes ago and followed Avast's recommendation to do a boot scan, but it didn't find anything.
     
  3. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    Just another update - Avast found the virus again while I was online, recommended I do a boot scan so I did. This time it found C:\WINDOWS\PRAGMAfpyycwxbvf\PRAGMAd.sys is infected by win32:Rootkit-gen [Rtk]

    So I deleted it.

    Still no Task Mngr, Add/Remove/Windows Firewall...etc. "Open With" still pops up whenever I try to launch a program.

    Thanks again for your time!
     
  4. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    another update - Task Manager is back. Still can't get to System Restore though. can't Right-Click on My Computer and get to Properties, or go to Programs>Accessories>System Tools - says that the C:\system32\rundll32.exe - Application not found.

    anyway - got the Task Manager back - hopefully that means Progress! also, the C: and E: drives are showing up now in Disk Mngmt.
     
  5. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    update again - I booted into Safe Mode and was able to run regedit - didn't do anything, just wanted to see if I could get access and I did.

    still most of the same problems though - no System Restore "Turned off by Group Policy - see Administrator" - and of course I am logged in as Administrator. In Safe Mode I was able to right-click on My Computer but the System Restore tab is missing - I was able to access everything else, including Device Manager.

    also - does the context (right-click) menu normally have the word "start" in it? For applications I mean. I don't recall seeing that before, though I never looked one way or the other.

    Thanks again for your help!
     
  6. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    and yet another update (sorry if this is all useless - figure the more info the better)

    Things seem to be getting back to normal. UnHackMe still doesn't like something and pops up a message but most stuff is working normally. It "feels" like I'm getting closer to cleaning out whatever grabbed me - did Housecall, Spybot (which found a bunch of stuff - I have a list if you're interested), Avast a few times, UnHackMe a bunch of times. So between all that, some in Safe Mode, some not, almost all with the Cable feed unplugged, I've got what appears to be a working computer again.

    But there are still some ominous signs. Like a "Windows detected a corrupt file on volume 3" something-something...And another thing that's odd is that System Restore came back - it's on, monitoring - but the Turn Off System Restore option is grayed out. In parentheses (also grayed out) it says "Disabled By Group Policy".

    I did go to grpedit.msc but I didn't change anything. And I didn't change anything in the registry.

    Also that word "start" that was in my context menu of program icons - that's gone. had a feeling it wasn't there before this mess. I'm sure by using it I screwed up things even more but that was the only way to open firefox and practically anything else.

    Anyway - like I said - sorry if this is OVERKILL on the information - and THANK YOU VERY MUCH whoever you may be who comes to my rescue! :)
     
  7. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    ran Malwarebytes - found a bunch of stuff - deleted it - set a Restore Point first.

    googled "system restore turned off by Group Policy" and found a registry fix - followed the instructions (backed up the key first) and "Turn off System Restore" is no longer grayed out.

    Feels like I'm getting there but I wish I could be sure. Hopefully there's still some help you can give me. I can always post another HJT log if you think that'll be useful.

    Thanks again!
     
  8. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    Avast keeps popping up with a Suspicious File - but it's weird because their advice is to Ignore it. You can choose Ignore or Delete and they recommend "Ignore." Doesn't that seem a little strange? It starts with PRAGMA- and then a bunch of what appear to be random letters. I tried deleting it and I've ignored it (but I didn't check "Don't tell me about this threat again" so I guess that's why it keeps popping up). No location - Avast says it's a Hidden Service...

    Hope someone can take a look and help me out - THANKS!
     
  9. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    help...?

    I know it says to be patient, and I am....seems like I'm getting buried in newer posts....
     
  10. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    Avast keeps popping up with a Suspicious File- PRAGMAffyy....more letters....

    Don't know what to do here - I'm sure this computer is still infected ...

    Please help if you can - Thanks...
     
  11. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    almost 3 days now...can someone tell me whether I should keep waiting or...should I post this again somewhere else?

    If you don't think I need help or whatever then please just tell me and I can search elsewhere.

    Thanks!
     
  12. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    wow - totally ignored. I didn't expect that.
     
  13. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, canoli

    Welcome.

    Sorry for the delay. You are never ignored, but our trained personnel are very busy.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:

      [image]

      [image]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
        -----------------------------------------------------------
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      -----------------------------------------------------------
    7. Double click on combo-Fix.exe & follow the prompts.
    8. Install the Recovery Console if prompted.
    9. When finished, it will produce a report for you.
    10. Please post the "C:\Combo-Fix.txt".
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
     
  14. canoli

    canoli Thread Starter

    Joined:
    Apr 26, 2010
    Messages:
    75
    JS -

    Thanks so much for your reply.

    I wanted to ask you a question before I run Combofix . My computer is 99% back to normal.
    All is well except for one thing. Whenever I boot up Avast pops up a window that says:

    Warning: Suspicious File Found.

    File name SVC: "PRAGMAfpycwxbvf...."
    Type Hidden services

    Avast lets you choose "Delete" or "Ignore" and the recommendation from Avast is to "Ignore."
    It also lets you choose "Do not tell me about this file in the future." I won't do that until I'm sure this file can safely be ignored.

    So anyway my question is, should I still go through the process with Combofix and whatever else is after that?

    Thanks again JS for your reply, and thank you very much for your help. It is very much appreciated.
     
  15. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    It is one of the Backdoor Trojans. Combofix should help you remove it.
     
Short URL to this thread: https://techguy.org/919288