Administrator has disabled Task Manager...I'm the Administrator!!

[chad]

Hi all

How bizarre... 4 weeks after a wicked upgrade and all is running sweet. Except today, trying CTRL-ALT-DEL to end a process, my computer tells me that my Administrator has disabled Task Manager! I only have one account on my PC, me, and I'm the admin of course and I have not changed any settings recently.

Sounds like a virus? Well I just downloaded latest definitions and ran a full scan, not a bug to be seen. Spybot and Spywareblaster find nothing either... although I did have a virus quarantined last week called Zlob or something?

Does this sound strange or maybe it's familiar to someone? I can't get rid of it!

[Deerpark]

The disabled task manager may simply be a leftover from your zlob infection.
But just to be safe I think you should go through the steps below and post the required logs. One of our malware experts will then be able to tell you if you're clean or not.
http://www.computerhope.com/forum/index.php/topic,46313.0.html

[chad]

Thanks Deerpark... upon using Superantispyware the Zlob virus reared again... I've quarantined and deleted it by Symantec but it keeps appearing. Is AVG a better prog? The Symantec alert is the first post below, then super anti spy log and hijack this. Dr Web CureIt found absolutely nothing in either scan. A few darkhorses in both that I'd like to deal with but I'll wait to hear from you or your Malware team before I proceed.

Questions... should I bother with Spybot and SpywareBlaster now? They were both great programs but does SuperAntispyware supercede?

Should I discard Symantec for AVG or another? If Symantec can't detect Zlob in a full scan, surely there's a shortcoming there?

I thank you for your time as always, and look forward to your ideas!

Symantec alert:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Downloader.Zlob!gen.2
File:  C:\System Volume Information\_restore{0E7E6A2F-4669-42DC-AE2F-DEF594E59145}\RP31\A0007086.dll
Location:  Quarantine
Computer:
User:
Action taken:  Quarantine succeeded : Access denied
Date found: Saturday, 12 April 2008  7:13:00 PM


Super Anti Spy log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2008 at 07:54 PM

Application Version : 4.0.1154

Core Rules Database Version : 3437
Trace Rules Database Version: 1429

Scan type       : Complete Scan
Total Scan Time : 00:22:47

Memory items scanned      : 406
Memory threats detected   : 1
Registry items scanned    : 4359
Registry threats detected : 31
File items scanned        : 31474
File threats detected     : 12

Trojan.Downloader-Oreon-A/Resident
   C:\WINDOWS\RESOURCES\DRIVEKERNEL.DLL
   C:\WINDOWS\RESOURCES\DRIVEKERNEL.DLL

Adware.Vundo Variant
   HKLM\Software\Classes\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}
   HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}
   HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}
   HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\InprocServer32
   HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\InprocServer32#ThreadingModel
   HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\ProgID
   HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\Programmable
   HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\TypeLib
   HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\VersionIndependentProgID
   C:\WINDOWS\TEMLXOPQBFE.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}

Unclassified.Unknown Origin
   HKLM\Software\Classes\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}
   HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}
   HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}
   HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\InprocServer32
   HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\InprocServer32#ThreadingModel
   HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\ProgID
   HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\Programmable
   HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\TypeLib
   HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\VersionIndependentProgID
   C:\WINDOWS\VNBPTXLF.DLL
   HKLM\Software\Microsoft\Internet Explorer\Toolbar#{CDC026C8-91A1-410F-B59D-7C2582A81271}
   HKCR\vnbptxlf.1
   HKCR\vnbptxlf
   HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}
   HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0
   HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0\0
   HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0\0\win32
   HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0\FLAGS
   HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0\HELPDIR

Adware.Tracking Cookie
   C:\Documents and Settings\Chad\Cookies\[email protected][2].txt
   C:\Documents and Settings\Chad\Cookies\[email protected][1].txt
   C:\Documents and Settings\Chad\Cookies\chad@1067710504[1].txt
   C:\Documents and Settings\Chad\Cookies\[email protected][1].txt
   C:\Documents and Settings\Chad\Cookies\[email protected][2].txt
   C:\Documents and Settings\Chad\Cookies\[email protected][1].txt
   C:\Documents and Settings\Chad\Cookies\[email protected][1].txt

Trojan.Net-MSV/VPS
   HKCR\MSVPS.MSVPSApp
   HKCR\MSVPS.MSVPSApp\CLSID
   HKCR\MSVPS.MSVPSApp\CurVer

BearShare File Sharing Client
   C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE

Trojan.Unclassified/Multi-Dropper (Packed)
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{0E7E6A2F-4669-42DC-AE2F-DEF594E59145}\RP31\A0007087.EXE



Finally, HijackThis log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:02 PM, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://employment.byron.com.au/jobs.html?source=GoogleAdWordsSearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cjb.net:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Kremlin Sentry.lnk = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: DriveKernel - {0c5d28af-8215-4417-a770-100821472089} - C:\WINDOWS\Resources\DriveKernel.dll (file missing)
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

[Broni]

Dr. Web CureIt log is needed, and fresh HJT log WHEN YOU'RE DONE with Dr. Web CureIt.

[chad]

Cheers Broni

Just run Dr Web again, nothing at all found again, does not allow me to save a report as there is nothing to report, so that option is not clickable. I have run HJT again just in case something may have changed, report attached.

Thanks, look forward to hearing back!

c






[recovering space - attachment deleted by admin]

[Broni]

*** Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.

1. Print this post out, since you won't have an access to it, at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries:

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://employment.byron.com.au/jobs.html?source=GoogleAdWordsSearch
- *O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
- *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


4. Click on "Fix checked" button.

5. Restart computer.

6. Post new HijackThis log.

[chad]

Hi Broni,

I have since removed Spybot and it's Teatimer so I can't disable. (Is SuperantiSpyware your recommendation for anti SW program?)

New log below.

Why did you ask me to 'fix' the start page setting? Can SW infect this? Could be something I can keep an eye on in future if I know more about it...

Look forward to hearing back.. Thank you!

c





[recovering space - attachment deleted by admin]

[Broni]

Why did you ask me to 'fix' the start page setting?

I think, I jumped the gun. It looked suspicious to me, but, if it's your home page, you can set it back.

Yes, Superantispyware is a very good program, and you can keep it for future random scans.

Now...

HJT log is clean.

1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
Run CCleaner.

2. Turn off System Restore:

- Windows XP:
   1. Click Start.
   2. Right-click the My Computer icon, and then click Properties.
   3. Click the System Restore tab.
   4. Check "Turn off System Restore".
   5. Click Apply.   
   6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
   7. Click OK.
- Windows Vista:
   1. Click Start.
   2. Right-click the Computer icon, and then click Properties.
   3. Click on System Protection under the Tasks column on the left side
   4. Click on Continue on the "User Account Control" window that pops up
   5. Under the System Protection tab, find Available Disks
   6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
   7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
   8. Click OK

3. Restart computer.

4. Turn System Restore on. Create new Restore Point.

5. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner

6. Download, and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malwares.
It won't interfere with your antivirus, nor firewall.

7. Let me know, how your computer is doing.

[chad]

Broni,

I have CC and use it regularly. Shall I still take these steps?

Will these other steps clean up the 'infection' I have that does not allow me to use CTRL-ALT-DEL ? A Zlob virus message came up last week and was quarantined and deleted but reared again during my first Super Anti SW sweep. Since then, nothing, but CTRL-ALT-DEL is still apparently 'disabled by my administrator'. This is the only sign that something is not quite right.

cheers,

c

[Broni]

Since you have CCleaner, just run it after completing steps 1-4.

Will these other steps clean up the 'infection' I have that does not allow me to use CTRL-ALT-DEL ?

Your computer is clean. No more infection.
We'll worry about other issue, when you're done with all steps.

[chad]

Broni,

Ok brilliant... new System Restore point created after restart (i guess this is automatic once system restore is turned back on?) and CCleaner run again...

where to now? Computer is running fine, task manager still disabled.

c

[Broni]

Try fix #113, first, or, if it doesn't work, fix #51 from here: http://www.kellys-korner-xp.com/xp_tweaks.htm

[chad]

Well that's fixed it! I think it was fix #51, as I tried each one and restarted, the problem existed still after fix #113 but disappeared after fix #51.

My partner recently played around with screen savers... could this be part of the problem?

Also, the Super Anti-SW log above, is there anything in there to cause alarm? such as Trojan.Downloader-Oreon-A/Resident or Adware.Vundo Variant? Or shall I leave it all alone now it's working well?

Thanks again!

c

[Broni]

Nice job

My partner recently played around with screen savers... could this be part of the problem?

If 3rd party screensaver, possible, but I'd rather blame it on infections, you had. Malwares like to disable Task Manager, so you have harder time to kill them.

Also, the Super Anti-SW log above, is there anything in there to cause alarm?

Whatever it found, it cured, so, nothing to worry about.

[chad]

Thanks heaps, seriously it's so good to have some people who know what they're doing help you out. If I had even tried taking this to a local pc outlet... blank stares all round.

Last thing, I just quarantined those things found in Super Anti SW, should I go fix them? They're still there, not quite 'cured' just quarantined...

cheers!

c