Virus that disables firewall, task manager an

June 8, 2009 at 12:31:24
Specs: Windows XP pro, 2gb

Recently my computer was infected with a virus that disables Task Manager and Registry Editor and also turns off Windows Firewall.

After trying scans like Malwarebytes, Combofix etc., I reformatted the OS drive (I have 3 other drives which I cannot afford to format);
still the issue is the same. It's now not letting me activate any antivirus software.

I tried booting in safe mode but was unable to do so.

Can someone help me with this?

Note: I tried to check running processes using Process Explorer and I don't find any malicious process running... and my efforts to enable Task Manager and Registry Editor ended up in vain.


June 8, 2009 at 13:48:17
Run a full scan with
# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the activex control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advance Settings).
    * Enable Anti-Stealth technology (Advance Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
# Attach this logfile to your next message.

Illustrated tutorial:

PS: Make sure all your drives are selected when scanning.



June 8, 2009 at 14:10:29
Post your AV and Malwarebytes scan logs if you have any; if you don't, follow the above advice. You can't jump steps in malware removal, since multiple things are required to remove malware.



June 8, 2009 at 21:39:59
Thanks for the reply, friends... well, I forgot to add one point... the virus is not letting me access antivirus software websites...

I ran one care safety which detected 3 trojans and removed them, but the problem still persists.

Well, I will give your suggestions a try and get back.


June 8, 2009 at 21:46:48
You can try. Transfer it via USB or burn it to disc.

Download and run Kaspersky AVP tool:
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Attach Scan log/Summary to your next message.

Illustrated tutorial:



June 9, 2009 at 15:44:06
Thank you, friend... I am out of station now... will post the logs in 3 days.


June 9, 2009 at 15:46:38
No problem; once you post the log we can look at other logs.

If I'm helping you and I don't reply within 24 hours send me a PM.


June 10, 2009 at 23:53:20

I am adding the Malwarebytes and HijackThis log files here

Malwarebytes' Anti-Malware 1.37
Database version: 2238
Windows 5.1.2600 Service Pack 2

6/10/2009 11:47:34 PM
mbam-log-2009-06-10 (23-47-34).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 155270
Time elapsed: 29 minute(s), 56 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
F:\Documents and Settings\Appu\Local Settings\Temp\winnbgum.exe (Trojan.Downloader) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\Documents and Settings\Appu\Local Settings\Temp\winnbgum.exe (Trojan.Downloader) -> Delete on reboot.
f:\documents and settings\Appu\local settings\Temp\winsmclb.exe (Trojan.Downloader) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:26 PM, on 6/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\Program Files\Google\Google Talk\googletalk.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
F:\Program Files\Vtune\TBPanel.exe
F:\Program Files\Internet Download Manager\IDMan.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\CyberLink\Shared Files\RichVideo.exe
F:\Program Files\Sify Broadband\BBClient.exe
F:\Program Files\Sify Broadband\BBImpSec.exe
F:\Program Files\Internet Download Manager\IEMonitor.exe
F:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - F:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

By the way, I tried SUPERAntiSpyware too but it didn't help.

Hope to get some positive reply
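
The Malwarebytes log above mixes three different outcomes: items removed, items only queued for deletion on reboot, and a process that could not be unloaded. The following triage script is an added example, not part of the original post; the sample lines are copied from that log, while the status labels and function names are the example's own, and it assumes that an item not yet removed can set the cleaned policy values again.

```python
import re

# Lines copied from the Malwarebytes log posted above (item sections only).
SAMPLE_LOG = r"""
Memory Processes Infected:
F:\Documents and Settings\Appu\Local Settings\Temp\winnbgum.exe (Trojan.Downloader) -> Failed to unload process.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
F:\Documents and Settings\Appu\Local Settings\Temp\winnbgum.exe (Trojan.Downloader) -> Delete on reboot.
f:\documents and settings\Appu\local settings\Temp\winsmclb.exe (Trojan.Downloader) -> Delete on reboot.
"""

ITEM = re.compile(r"^(?P<obj>.+?) \((?P<name>[\w.]+)\) -> (?P<rest>.+)$")

def classify(outcome):
    """Map the log's final action text to a triage status (labels are ours)."""
    text = outcome.lower()
    for marker, status in (("failed", "failed"), ("on reboot", "pending"),
                           ("successfully", "done")):
        if marker in text:
            return status
    return "unknown"

def parse_items(log):
    """Return one dict per detection line, tagged with its section header."""
    items, section = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            section = line[:-len(" Infected:")]
        elif (m := ITEM.match(line)):
            outcome = m["rest"].split(" -> ")[-1].rstrip(".")
            items.append({"section": section, "object": m["obj"],
                          "detection": m["name"], "status": classify(outcome)})
    return items

def triage(items):
    """List items not yet removed and the policy fixes they could undo."""
    active = sorted({i["object"].lower() for i in items if i["status"] != "done"})
    fixed = [i["object"].rsplit("\\", 1)[-1] for i in items
             if i["section"] == "Registry Data Items" and i["status"] == "done"]
    return {"still_active": active, "policy_fixes_at_risk": fixed if active else []}

if __name__ == "__main__":
    print(triage(parse_items(SAMPLE_LOG)))
```
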


June 11, 2009 at 03:09:29
Do a scan again with Malwarebytes and see if the files "winnbgum.exe" and "winsmclb.exe" still exist. If they still exist, that means they are injected into some processes.
I can help you to recover your registry and task manager, but first tell me which OS you use, XP or Vista. Also I need to know which is your default browser. About the firewall, did you mean Windows Firewall or another one?
Best regards.


June 11, 2009 at 04:06:41
It is also a good idea to scan your computer with Spyware Doctor:
I have both Malwarebytes and Spyware Doctor installed on my computer. And sometimes Spyware Doctor finds more infections than Malwarebytes Anti-Malware, and contrariwise.


June 12, 2009 at 19:50:44

I tried enabling the registry and Task Manager using the command prompt... it's getting enabled and disabled immediately... and if you are familiar with Dial-a-fix, I tried it to enable them but it was of no use...

Do you have any other way?

Well, winnbgum.exe & winsmclb.exe are getting detected again.

Will try Spyware Doctor and get back to you...

Thanks for the response

With regards,


June 13, 2009 at 13:51:46
Hi Vinoth, if your antivirus system still detects these two files, that means that your system is still infected. And like I said, these two files are injected into some sys files. Spyware Doctor will not help you to remove that virus. You need some other tool.
Best regards
