
Thread: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

  1. #49
    Senior Member
    Join Date
    Mar 2007
    Posts
    591
    Thanks
    0
    Thanked
    28 times in 26 posts

    Quote Originally Posted by watercooled View Post
    Without meaning to start an argument or anything, suggesting a reformat on a compromised system isn't stupid at all - you can't really be sure it's completely clean once malware has dug its heels in, like Paul Adams explains in the post following yours. I wouldn't trust a system that had been badly infected without wiping it TBH, and even if the malware was gone they usually cause all sorts of damage to the OS itself and it's usually just not worth the effort trying to sort it all out and far less painless and time consuming to simply reformat which will sort it all out. Which is why backups are important...
    You know, if that was the case for all infections, Anti-Virus and Anti-Malware products wouldn't exist.

    The worst infection I've had was on an old PC 5 years ago, and I had that for 3 or so years after the infection. I cleaned everything within 2 hours, and it was good as new, if not better.

    Like I said, if an infection has damaged the Registry then a reinstall IS NEEDED. I had a small desktop PC which did get damaged completely and I had to format it - I clearly stated that reinstalling is a must if that is the case in my original post. New software is pretty damn good at detections, even the free programs are better than Norton Anti Crapware.

  2. #50
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Quote Originally Posted by CrazyMonkey View Post
    I believe his internet connectivity issues are fixed now? The winsock api was corrupt afaik.
    Oh right didn't see that bit.

    Quote Originally Posted by SammEl View Post
    You know, if that was the case for all infections, Anti-Virus and Anti-Malware products wouldn't exist.
    Not strictly true, I believe the main purpose of AV today is as a shield against malware - to detect and block it before it executes and causes any damage. Once it's in there's no telling what sort of damage it can cause and it's not uncommon for advanced malware to kill AV processes like Conficker does. Another important role is it lets you know when something's up, without it malware could be running in the background without you even knowing. And aside from that how many average computer users would want to go through the process of taking the PC to PC world or something every time a bit of malware found its way onto their system?

  3. #51
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post
    • Amitava83's system
      • Motherboard:
      • ASUS P5Q-E
      • CPU:
      • C2D E7300@stock speed
      • Memory:
      • 2X2 GB 800MHz Corsair
      • Storage:
      • 500.1 GB @7200.11 Seagate
      • Graphics card(s):
      • Palit Radeon HD 4870 1 GB DDR5 Sonic Dual Edition
      • PSU:
      • Corsair TX 650W
      • Case:
      • Corsair CM 690
      • Operating System:
      • XP SP2,Vista SP1
      • Monitor(s):
      • Dell 1909W
      • Internet:
      • 128kbps DSL unlimited

    @CrazyMonkey:


    I'll perform each and every instruction of yours now and post the results asap.

    In the meantime, two new complications on XP.

    1. Ctrl-Alt-Del is not working. I cannot bring up my Task Manager.

    2. When I tried to reinstall my Soundmax Audio Driver, XP froze. When I rebooted, a ping showed 'Destination Host Unreachable' (incredible as it sounds, it happened)... and I had to rerun the WinSock XP Program again to fix my Internet connection.

  4. #52
    Late Night Ninja! CrazyMonkey's Avatar
    Join Date
    Oct 2006
    Location
    Bristol
    Posts
    1,510
    Thanks
    29
    Thanked
    44 times in 43 posts
    • CrazyMonkey's system
      • Motherboard:
      • Asus M4N98TD Evo
      • CPU:
      • Phenom II X6 1055T @ 4.1ghz
      • Memory:
      • 8GB DDR3 Dominator @ 1700mhz
      • Storage:
      • 120GB OCZ Vertex 2E - 1TB Hitatchi
      • Graphics card(s):
      • 2x 460 1GB
      • PSU:
      • 850W
      • Case:
      • Silverstone Fortress FT02R-WRI Ltd.Edition
      • Operating System:
      • Win 7, XP, Server2008 RC1, Gentoo
      • Monitor(s):
      • 24" Acer LED - 22" Belinea - 19" Samsung - 19" IIyama
      • Internet:
      • 50 MB Virgin Media Cable

    Quote Originally Posted by Amitava83 View Post
    @CrazyMonkey:


    I'll perform each and every instruction of yours now and post the results asap.

    In the meantime, two new complications on XP.

    1. Ctrl-Alt-Del is not working. I cannot bring up my Task Manager.

    2. When I tried to reinstall my Soundmax Audio Driver, XP froze. When I rebooted, a ping showed 'Destination Host Unreachable' (incredible as it sounds, it happened)... and I had to rerun the WinSock XP Program again to fix my Internet connection.
    OK, let's tackle the ctrl-alt-del problem first - are you able to access task manager by Start > Run > taskmgr.exe?

    Cheers.

  5. #53

    Quote Originally Posted by Amitava83 View Post
    @CrazyMonkey:


    I'll perform each and every instruction of yours now and post the results asap.

    In the meantime, two new complications on XP.

    1. Ctrl-Alt-Del is not working. I cannot bring up my Task Manager.

    2. When I tried to reinstall my Soundmax Audio Driver, XP froze. When I rebooted, a ping showed 'Destination Host Unreachable' (incredible as it sounds, it happened)... and I had to rerun the WinSock XP Program again to fix my Internet connection.
    What programs are installed on your XP?

    Download the following programs and run them.

    MalwareBytes
    Spybot Search and Destroy
    Avira Free Anti Virus

    These three programs SHOULD fix most or all of the mess, if Task Manager is not opening then it's possibly something blocking you from opening it (the whole point of most infections).

    Run Spybot and Malwarebytes together, clean Spybot first, then Malware, and reboot.

    Then load up Avira and do a full scan. If anything tries to open up during the scan, Avira will pick it up and ask you to Deny Access or Quarantine it - I'd do the latter.

    Don't worry about any sound drivers yet, they are not important.

    I'll be very surprised if doing the above doesn't get your PC working to how it was before.

    Do that, and update us.

  6. #54

    Quote Originally Posted by watercooled View Post
    Not strictly true, I believe the main purpose of AV today is as a shield against malware - to detect and block it before it executes and causes any damage. Once it's in there's no telling what sort of damage it can cause and it's not uncommon for advanced malware to kill AV processes like Conficker does. Another important role is it lets you know when something's up, without it malware could be running in the background without you even knowing. And aside from that how many average computer users would want to go through the process of taking the PC to PC world or something every time a bit of malware found its way onto their system?
    A mate of mine did that last week, because AVG picked up some trojan, he paid £90 for a reinstall.

    You can format, but I don't, and won't, unless I know that I have an infection and it's not going anywhere, or my PC has been totally screwed. I've had a few of the worst, and I've successfully got rid of them every single time, and not needed a reinstall once. I've never had any future problems, even with the .WMF virus.

  7. #55
    Amitava83

    Quote Originally Posted by CrazyMonkey View Post
    OK, let's tackle the ctrl-alt-del problem first - are you able to access task manager by Start > Run > taskmgr.exe?

    Cheers.
    Hi pal,
    No, I'm not able to access it by Start-->Run. Windows says it "cannot find taskmgr.exe. Make sure you typed the name correctly...blah blah blah.."

  8. #56
    Amitava83

    Quote Originally Posted by SammEl View Post
    What programs are installed on your XP?

    Download the following programs and run them.

    MalwareBytes
    Spybot Search and Destroy
    Avira Free Anti Virus

    These three programs SHOULD fix most or all of the mess, if Task Manager is not opening then it's possibly something blocking you from opening it (the whole point of most infections).

    Run Spybot and Malwarebytes together, clean Spybot first, then Malware, and reboot.

    Then load up Avira and do a full scan. If anything tries to open up during the scan, Avira will pick it up and ask you to Deny Access or Quarantine it - I'd do the latter.

    Don't worry about any sound drivers yet, they are not important.

    I'll be very surprised if doing the above doesn't get your PC working to how it was before.

    Do that, and update us.
    Hi SammEl,

    I have the first two programs. I'll download Avira... and perform full scans with all three and update you.

    PS: This is my third night without sleep.....

  9. #57
    Late Night Ninja! CrazyMonkey's Avatar

    Ok -

    Open notepad, paste this

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000000
    Save the file as fix.reg (note the .reg extension, not the .txt extension; you may have to select "All Files" when saving in Notepad).

    Double click fix.reg and allow it to import into the registry.
    Reboot, try taskmanager now.

    Also post the results of my steps in the last post when and if you have them.

    Quote Originally Posted by Amitava83 View Post
    I have the first two programs. I'll download Avira... and perform full scans with all three and update you.
    If you do choose to do all 3 scans, make sure you do them one after the other, not 2 'together' as has been suggested.



    Cheers.
    Last edited by CrazyMonkey; 24-04-2010 at 06:49 PM.

  10. #58
    Senior Member
    Join Date
    Feb 2008
    Posts
    925
    Thanks
    4
    Thanked
    161 times in 148 posts
    • smargh's system
      • Motherboard:
      • Gigabyte GA-EP45-UD3P
      • CPU:
      • Xeon E5450 with 775-to-771 Mod
      • Memory:
      • 16GB Crucial
      • Storage:
      • Intel X25-M G2 80GB/Adaptec 3405 4x 2TB Ultrastar RAID1 / 1x 6TB Hitachi He6 / Dying 2TB Samsung
      • Graphics card(s):
      • GTX 750 Ti
      • PSU:
      • Seasonic X-560
      • Case:
      • Lian-Li PC-A71
      • Operating System:
      • Windows 7 Ultimate 64bit
      • Monitor(s):
      • BenQ G2400WD
      • Internet:
      • Really Crap ADSL2 <3Mbit

    Malwarebytes should've brought back task manager. I've not heard of malware deleting the .exe for it before. Hmmmmm. If the exe is there then perhaps %path% is buggered.

    Run this and paste the output, perhaps checking that it doesn't contain anything confidential beforehand - your username etc:
    Code:
    cmd /c set > c:\set.txt && start notepad c:\set.txt

  11. #59
    Amitava83

    Quote Originally Posted by CrazyMonkey View Post
    OK, the svchost entry isn't too worrying as it's a service trying to load an exe that has been deleted. (was malware)

    Could you navigate to http://virusscan.jotti.org/en-GB and upload C:\Program Files\1239710008\Amitava1239710008L.exe for analysis please (if the file isn't too large)
    Then post the results URL.
    here it is:
    http://virusscan.jotti.org/en-GB/sca...1771e04d4d1c31

    Quote Originally Posted by CrazyMonkey View Post
    No, good thinking. I'd search your entire drive for 'syre32.exe' (via windows search, ensuring hidden files and system files are checked in advanced search options.) Removing any it finds.
    syre32.exe not found in entire system.
    But I found the following suspicious files in C:\WINDOWS\system32\:

    31.exe
    57.exe
    65.exe
    73.exe
    85.scr
    alg.exe
    arp.exe



    Quote Originally Posted by CrazyMonkey View Post
    Good, that should have restored your internet connectivity.
    Unfortunately not... Every time I'm restarting XP, ping shows Destination Host Unreachable. And every time I've to run winsockxpfix.exe to fix this....

    Quote Originally Posted by CrazyMonkey View Post
    To answer that question it's most likely performing a first time scan, is it still scanning? or has it hung/froze? Also on that note has it found anything so far?
    Kaspersky is still continuing its scan since morning uninterrupted... No matter how many times I shut down XP, it is continuing its scan as before...

    At the time of writing this post, it has scanned 75,100 files and detected three viruses and two Riskware Threats.


    Quote Originally Posted by CrazyMonkey View Post
    Can you please upload C:\WINDOWS\system32\nlssrv32.exe to virusscan.jotti.org as you did before (and post the results url).
    here it is:

    http://virusscan.jotti.org/en-GB/sca...25e7f8bf204a54

    Quote Originally Posted by CrazyMonkey View Post
    Try checking the below in hijackthis and clicking 'fix' as before. Leave the other entries until jotti has analysed them.

    Code:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    Reboot, repost a hijackthis log and the jotti results urls.
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing) ----- This entry is not getting fixed by HijackThis.

    I rebooted, reran HijackThis and here is the latest log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:43:00 PM, on 4/24/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\SYSTEM32\astsrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\nlssrv32.exe
    J:\amitdb\bin\nmesrvc.exe
    J:\amitdb\bin\isqlplussvc.exe
    J:\amitdb\BIN\TNSLSNR.exe
    J:\amitdb\jdk\bin\java.exe
    j:\amitdb\bin\ORACLE.EXE
    C:\WINDOWS\system32\cmd.exe
    J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
    J:\amitdb\jdk\bin\java.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    J:\amitdb\bin\emagent.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
    O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe

    --
    End of file - 7687 bytes


    Quote Originally Posted by CrazyMonkey View Post
    Also do you run netware?? If not we can remove the 010 entry, which will need to be done via another program.
    No I do not run NetAware



    PS: Once again, I truly appreciate all the help you've been providing me so far.

    Regards

  12. #60
    Late Night Ninja! CrazyMonkey's Avatar

    OK thanks, I'm sure that took quite some time.

    Are you able to manually delete the file - C:\Program Files\1239710008\Amitava1239710008L.exe ?

    As for these files -
    31.exe
    57.exe
    65.exe
    73.exe
    85.scr
    alg.exe
    arp.exe

    I would upload these to jotti and delete them pending the results of the analysis. However some of these may well be legit programs (I know alg.exe is a legit Windows file, however perhaps not in that directory).

    Download - lsp fix - http://www.cexx.org/lspfix.htm

    Run it and check 'I know what i am doing...'
    On the keep side move nwprovau.dll to the remove side and click finish.

    Post a fresh hijackthis log after doing the above.

  13. Received thanks from:

    watercooled (24-04-2010)
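
The manual triage of the HijackThis log in the posts above can be partly automated. The following is an added example, not code from any poster in this thread: it parses `O23` (service) and `O10` (Winsock LSP) lines and ranks them by how many warning signs each shows. The rule names, the list of core process names, and the assumption that Windows lives in `C:\WINDOWS` are choices made for this illustration; the sample input is constructed from lines of the log posted above.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: selected lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nlssrv32.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
"""

# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")

# Core Windows process names that normally run only from the system32 directory.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"  # assumption: default install path, as in the log


@dataclass
class Finding:
    entry: str
    path: str
    reasons: list = field(default_factory=list)


def triage(log_text):
    """Return flagged entries, the ones with the most warning signs first.

    A flag is a reason to look closer (for example by submitting the file to a
    scanner), not a verdict: legitimate services also show 'Unknown owner'.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            directory, base = ntpath.split(path.lower())
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("unknown-owner")
            if m.group("missing"):
                # Service still registered although its binary is gone.
                reasons.append("file-missing")
            if base in SYSTEM32_ONLY and directory != SYSTEM32_DIR:
                # A system process name used from a different directory.
                reasons.append("system-name-outside-system32")
            if re.fullmatch(r"\d+", ntpath.basename(directory)):
                reasons.append("numeric-directory")
            if reasons:
                findings.append(Finding(m.group("name"), path, reasons))
            continue
        m = O10_RE.match(line)
        if m:
            findings.append(Finding("Winsock LSP", m.group("path"), ["unknown-lsp"]))
    # sort() is stable, so entries with equal counts keep their log order.
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{len(f.reasons)}  {f.entry:<40} {f.path}  [{', '.join(f.reasons)}]")
```

On this sample the Power Manager service pointing at `C:\WINDOWS\svchost.exe` ranks first and the numeric-named service second, while the Oracle listener is flagged only for its unknown owner, which shows why a single sign is weak evidence on its own.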

  14. #61
    Amitava83

    Quote Originally Posted by CrazyMonkey View Post
    OK thanks, I'm sure that took quite some time.

    Are you able to manually delete the file - C:\Program Files\1239710008\Amitava1239710008L.exe ?
    Yes I have manually deleted it.

    Quote Originally Posted by CrazyMonkey View Post
    As for these files -
    31.exe
    57.exe
    65.exe
    73.exe
    85.scr
    alg.exe
    arp.exe

    I would upload these to jotti and delete them pending the results of the analysis. However some of these may well be legit programs (I know alg.exe is a legit Windows file, however perhaps not in that directory).
    Ok I'm starting with this.

    Quote Originally Posted by CrazyMonkey View Post
    Download - lsp fix - http://www.cexx.org/lspfix.htm

    Run it and check 'I know what i am doing...'
    On the keep side move nwprovau.dll to the remove side and click finish.

    Post a fresh hijackthis log after doing the above.
    I did exactly as you said and here is the latest HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:24:36 AM, on 4/25/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\SYSTEM32\astsrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\nlssrv32.exe
    J:\amitdb\bin\nmesrvc.exe
    J:\amitdb\bin\isqlplussvc.exe
    J:\amitdb\BIN\TNSLSNR.exe
    J:\amitdb\jdk\bin\java.exe
    j:\amitdb\bin\ORACLE.EXE
    C:\WINDOWS\system32\cmd.exe
    J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
    J:\amitdb\jdk\bin\java.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    J:\amitdb\bin\emagent.exe
    F:\Program Files\Irfanview\i_view32.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco...tp://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu.../en/x86/client/wuweb_site.cab?1259424836671
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
    O18 - Protocol: grooveLocalGWS -

    {88FED34C-F0CA-4636-A375-3CB6248B04CD} -

    F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs:

    C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~

    1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program

    Files\1239710008\Amitava1239710008L.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program

    Files\Common Files\Apple\Mobile Device

    Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AST Service (astcc) - Nalpeiron Ltd. -

    C:\WINDOWS\SYSTEM32\astsrv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

    C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner -

    C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab -

    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security

    2010\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program

    Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision -

    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. -

    C:\Program Files\Common Files\Macrovision Shared\FLEXnet

    Publisher\FNPLicensingService.exe
    O23 - Service: HDD & SSD access service - Unknown owner - C:\Program

    Files\Common Files\BinarySense\disksvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

    Corporation - C:\Program Files\Common

    Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program

    Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun

    Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program

    Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe

    (file missing)
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron

    Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure

    Networks, Inc. - C:\Program Files\Pure Networks\Network

    Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure

    Networks, Inc. - C:\Program Files\Pure Networks\Network

    Magic\nmsrvc.exe
    O23 - Service: OracleDBConsoleamitdb - Oracle Corporation -

    J:\amitdb\bin\nmesrvc.exe
    O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle -

    J:\amitdb\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner -

    J:\amitdb\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceAMITDB - Oracle Corporation -

    j:\amitdb\bin\ORACLE.EXE
    O23 - Service: Power Manager (PowerManager) - Unknown owner -

    C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: PrTgressep - Unknown owner -

    C:\WINDOWS\system32\srvany.exe

    --
    End of file - 7707 bytes


    Thanks & regards
    AD

  15. #62
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post
    • Amitava83's system
      • Motherboard:
      • ASUS P5Q-E
      • CPU:
      • C2D E7300@stock speed
      • Memory:
      • 2X2 GB 800MHz Corsair
      • Storage:
      • 500.1 GB @7200.11 Seagate
      • Graphics card(s):
      • Palit Radeon HD 4870 1 GB DDR5 Sonic Dual Edition
      • PSU:
      • Corsair TX 650W
      • Case:
      • Corsair CM 690
      • Operating System:
      • XP SP2,Vista SP1
      • Monitor(s):
      • Dell 1909W
      • Internet:
      • 128kbps DSL unlimited

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by smargh View Post
    Malwarebytes should've brought back task manager. I've not heard of malware deleting the .exe for it before. Hmmmmm. If the exe is there then perhaps %path% is buggered.

    Run this and paste the output, perhaps checking that it doesn't contain anything confidential beforehand - your username etc:
    Code:
    cmd /c set > c:\set.txt && start notepad c:\set.txt

    I did this and here is the output:

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Administrator\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
    CLIENTNAME=Console
    com.adobe.versioncue.client.applocale=en_US
    com.adobe.versioncue.client.appname=AdobeDrive
    com.adobe.versioncue.client.appversion=1.0.0
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=AMITAVA-46ACD47
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Administrator
    LOGONSERVER=\\AMITAVA-46ACD47
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=J:\amitdb\bin;J:\oracle\product\10.2.0\db_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\Syste m32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\backburner 2\;F:\Program Files\ATI Technologies\ATI.ACE\Core-Static
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PERL5LIB=J:\amitdb\perl\5.8.3\lib\MSWin32-x86;J:\amitdb\perl\5.8.3\lib;J:\amitdb\perl\5.8.3\lib\MSWin32-x86;J:\amitdb\perl\site\5.8.3;J:\amitdb\perl\site\5.8.3\lib;J:\amitdb\sysman\admin\scripts;J:\oracle \product\10.2.0\db_1\perl\5.8.3\lib\MSWin32-x86;J:\oracle\product\10.2.0\db_1\perl\5.8.3\lib;J:\oracle\product\10.2.0\db_1\perl\5.8.3\lib\MSWin3 2-x86;J:\oracle\product\10.2.0\db_1\perl\site\5.8.3;J:\oracle\product\10.2.0\db_1\perl\site\5.8.3\lib; J:\oracle\product\10.2.0\db_1\sysman\admin\scripts;
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 6, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=1706
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    tvdumpflags=8
    USERDOMAIN=AMITAVA-46ACD47
    USERNAME=Administrator
    USERPROFILE=C:\Documents and Settings\Administrator
    windir=C:\WINDOWS


    Thanks

  16. #63
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post
    • Amitava83's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    Ok -

    Open notepad, paste this

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000000

    Save the file as fix.reg (note .reg extension not .txt extension; may have to select all files when saving under notepad)

    Double click fix.reg and allow it to import into the registry.
    Reboot, try taskmanager now.

    I did as you said still Task manager is not coming up...

  17. #64
    Late Night Ninja! CrazyMonkey's Avatar
    Join Date
    Oct 2006
    Location
    Bristol
    Posts
    1,510
    Thanks
    29
    Thanked
    44 times in 43 posts
    • CrazyMonkey's system
      • Motherboard:
      • Asus M4N98TD Evo
      • CPU:
      • Phenom II X6 1055T @ 4.1ghz
      • Memory:
      • 8GB DDR3 Dominator @ 1700mhz
      • Storage:
      • 120GB OCZ Vertex 2E - 1TB Hitatchi
      • Graphics card(s):
      • 2x 460 1GB
      • PSU:
      • 850W
      • Case:
      • Silverstone Fortress FT02R-WRI Ltd.Edition
      • Operating System:
      • Win 7, XP, Server2008 RC1, Gentoo
      • Monitor(s):
      • 24" Acer LED - 22" Belinea - 19" Samsung - 19" IIyama
      • Internet:
      • 50 MB Virgin Media Cable

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Ok thanks,

    Navigate to C:\Windows\System32; is taskmgr.exe present?

    This may be why - C:\WINDOWS\Syste m32 the space? If you navigate to Control Panel, System, Environment, System/User Variables are you able to remove the space in syste m32?

    Can you please repost a new hijackthis log (making sure it doesn't display funny when posting)?

    You can also try the steps manually -

    1. Click Start

    2. Click Run

    3. Type REGEDIT

    4. Click OK The Registry Editor will now open

    5. Browse to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system

    6. In the right pane, look for the value: DisableTaskMgr

    7. Right click DisableTaskMgr and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)

    8. Now browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

    9. In the right pane, look for the value: DisableTaskMgr

    10. Right click DisableTaskMgr and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)

    11. Close the Registry by choosing File, Exit

    12. You should now be able to access Task Manager. If not, reboot into Safe Mode and repeat the steps outlined above.

    Cheers.
    Last edited by CrazyMonkey; 24-04-2010 at 08:20 PM.
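
Added example (not part of any post in this thread): an offline check of a pasted `set` dump like the one in post #62, flagging the kind of damaged PATH entry that post #64 points at. The sample text is trimmed from that output; the function names and the list of expected directories are assumptions of this example, and the list of entries searched ahead of system32 goes slightly beyond what the posts discuss.

```python
import re

# Sample input trimmed from the `set` output posted in this thread.
SAMPLE_SET_OUTPUT = r"""ComSpec=C:\WINDOWS\system32\cmd.exe
Path=J:\amitdb\bin;J:\oracle\product\10.2.0\db_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\Syste m32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\backburner 2\;F:\Program Files\ATI Technologies\ATI.ACE\Core-Static
SystemRoot=C:\WINDOWS
"""

# Assumption: directories a stock Windows XP PATH contains, relative to SystemRoot.
REQUIRED = ("system32", "", r"system32\wbem")


def parse_set(text):
    """Turn `NAME=value` lines into a dict keyed by upper-cased name."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name:
            env[name.upper()] = value
    return env


def norm(path):
    """Case-fold and drop trailing backslashes so entries compare equal."""
    return path.strip().rstrip("\\").lower()


def audit_path(text):
    """Report corrupted, missing and early-searched PATH entries in a dump."""
    env = parse_set(text)
    root = norm(env.get("SYSTEMROOT", r"C:\WINDOWS"))
    required = [norm(root + "\\" + rel) for rel in REQUIRED]
    entries = [e for e in env.get("PATH", "").split(";") if e.strip()]
    normed = [norm(e) for e in entries]
    report = {"corrupted": [], "missing": [], "before_system32": []}
    for want in required:
        if want in normed:
            continue
        # Same directory once whitespace is removed means a mangled entry.
        hits = [e for e in entries if re.sub(r"\s+", "", norm(e)) == want]
        report["corrupted" if hits else "missing"].extend(hits or [want])
    if required[0] in normed:
        # Entries listed earlier are searched first for bare command names.
        report["before_system32"] = entries[: normed.index(required[0])]
    return report
```

A space found in pasted text may also come from how the forum renders long strings, so confirm any hit against the variable on the machine itself before changing it.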
