Virus that disables firewall, task manager an

Name: Vinoth001
Date: June 8, 2009 at 12:31:24 Pacific
OS: Windows XP pro
CPU/Ram: 2gb
Subcategory: Viruses
Comment:

Hi,

Recently my computer was infected with a virus... it disables Task Manager and Registry Editor and also turns off Windows Firewall.

After trying scans like Malwarebytes, Combofix etc., I reformatted the OS drive (I have 3 other drives which I cannot afford to format), but the issue is still the same. It's now not letting me activate any antivirus software.

I tried booting in safe mode but was unable to do so.

Can someone help me with this?

Note: I tried to check running processes using Process Explorer and I don't find any malicious process running... and my efforts to enable Task Manager and Registry Editor ended up in vain.




Response Number 1
Name: jdk (by neoark)
Date: June 8, 2009 at 13:48:17 Pacific
+2
Reply:

Run a full scan with http://www.eset.eu/online-scanner

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the activex control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advance Settings).
    * Enable Anti-Stealth technology (Advance Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
# Attach this logfile to your next message.

Illustrated tutorial: http://img155.imageshack.us/img155/...

PS: Make sure all your drives are selected when scanning.

-------------------------------------------------



Response Number 2
Name: jdk (by neoark)
Date: June 8, 2009 at 14:10:29 Pacific
+1
Reply:

Post your AV and Malwarebytes scan logs if you have any; if you don't, follow the above advice. You can't jump steps in malware removal, since multiple things are required to remove malware.

-------------------------------------------------



Response Number 3
Name: Vinoth001
Date: June 8, 2009 at 21:39:59 Pacific
+1
Reply:

Thanks for the reply, friends... well, I forgot to add one point... the virus is not letting me access antivirus software websites...

I ran one care safety which detected 3 trojans and removed them, but still the problem persists.

Well, I will give your suggestions a try and get back.



Response Number 4
Name: jdk (by neoark)
Date: June 8, 2009 at 21:46:48 Pacific
+2
Reply:

You can try. Transfer it via USB or burn it to disc.

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Attach Scan log/Summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

-------------------------------------------------



Response Number 5
Name: Vinoth001
Date: June 9, 2009 at 15:44:06 Pacific
+1
Reply:

Thank you, friend... I am out of station now... will post the logs in 3 days.





Response Number 6
Name: jdk (by neoark)
Date: June 9, 2009 at 15:46:38 Pacific
+1
Reply:

No problem. Once you post the log we can look at other logs.

If I'm helping you and I don't reply within 24 hours send me a PM.



Response Number 7
Name: Vinoth001
Date: June 10, 2009 at 23:53:20 Pacific
+1
Reply:

Hi,

I am adding the Malwarebytes and HijackThis log files here.

Malwarebytes
*******************
Malwarebytes' Anti-Malware 1.37
Database version: 2238
Windows 5.1.2600 Service Pack 2

6/10/2009 11:47:34 PM
mbam-log-2009-06-10 (23-47-34).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 155270
Time elapsed: 29 minute(s), 56 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
F:\Documents and Settings\Appu\Local Settings\Temp\winnbgum.exe (Trojan.Downloader) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\Documents and Settings\Appu\Local Settings\Temp\winnbgum.exe (Trojan.Downloader) -> Delete on reboot.
f:\documents and settings\Appu\local settings\Temp\winsmclb.exe (Trojan.Downloader) -> Delete on reboot.

Hijackthis
*****************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:26 PM, on 6/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\RTHDCPL.exe
F:\WINDOWS\system32\RUNDLL32.exe
F:\Program Files\Google\Google Talk\googletalk.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
F:\Program Files\Vtune\TBPanel.exe
F:\Program Files\Internet Download Manager\IDMan.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\CyberLink\Shared Files\RichVideo.exe
F:\Program Files\Sify Broadband\BBClient.exe
F:\Program Files\Sify Broadband\BBImpSec.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Internet Download Manager\IEMonitor.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\wuauclt.exe
C:\software\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.sify.com/index2.php?u...
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - F:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe


By the way, I tried SUPERAntiSpyware too but it didn't help.

Hope to get some positive reply



Response Number 8
Name: AlexK47
Date: June 11, 2009 at 03:09:29 Pacific
+1
Reply:

Do a scan again with Malwarebytes and see if the files "winnbgum.exe" and "winsmclb.exe" still exist. If they still exist, that means they are injected in some processes.
I can help you to recover your registry and task manager, but first tell me which OS you use, XP or Vista. Also I need to know which is your default browser. About the firewall, did you mean Windows Firewall or another?
Best regards.
Alexk



Response Number 9
Name: ignys
Date: June 11, 2009 at 04:06:41 Pacific
+1
Reply:

It is also a good idea to scan your computer with Spyware Doctor: http://www.2-spyware.com/review-spy...
I have both Malwarebytes and Spyware Doctor installed on my computer. And sometimes, Spyware Doctor finds more infections than Malwarebytes Anti-Malware and contrariwise.



Response Number 10
Name: Vinoth001
Date: June 12, 2009 at 19:50:44 Pacific
+1
Reply:

@alex

I tried enabling registry and Task Manager using command prompt... it's getting enabled and disabled immediately... and if you are familiar with Dial-a-fix, I tried it to enable them but it was of no use...

Do you have any other way?

Well, winnbgum.exe & winsmclb.exe are getting detected again.

@Ignys

Will try Spyware Doctor and get back to you...

Thanks for the response

With regards,
Vinoth



Response Number 11
Name: AlexK47
Date: June 13, 2009 at 13:51:46 Pacific
+1
Reply:

Hi Vinoth, if your anti-virus system still detects these two files, that means that your system is still infected. And like I say, these two files are injected in some sys files. Spyware Doctor will not help you to remove that virus. You need some other tool.
Best regards
AlexK


