
cannot use ctrl+alt+del

Discussion in 'Windows - Virus and spyware problems' started by delaluna, Oct 31, 2009.

  1. delaluna

    delaluna Member

    Joined:
    Oct 31, 2009
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    11
    Hi,

    My computer was affected by viruses and now I cannot use ctrl+alt+del.
    Here is what I've done so far.

    1. Ran Malwarebytes and found a couple of trojans and deleted them.
    2. Ran ATF Cleaner and cleaned up everything.
    3. Used Ad-Aware and was able to detect and delete some infected files and .exe.
    4. Ran AVG Anti-Virus and everything seems to be okay, except for some cookies.
    5. Still cannot get ctrl+alt+del to work. I did some searching on the net and found this tip: Start > Run, then copy and paste this in: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

    Still cannot get ctrl+alt+del to work.
    Is it possible that the task manager is deleted from my computer? How can I restore it?

    Would really appreciate your help!
    Jennie

    Oh, and here is the Hijack file.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:38:08, on 2009-10-31
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CMBCHINA\WebProtect\WPService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    D:\My Documents\Downloads\HijackThis.exe

    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: IE2EMBHO Class - {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - C:\Program Files\easyMule\modules\IE2EM.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: WebProtect.IEHlpObj - {53763D1D-9CA8-4C7C-9756-A8E6B8FC063B} - C:\Program Files\CMBCHINA\WebProtect\WebProtect.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: 中国工商银行BHO - {BB4491A2-D11A-4c6b-91C0-B53246A3122B} - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\Icbc_AntiPhishing.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: Download by easyMule - D:\emule\easyMule\IE2EM.htm
    O8 - Extra context menu item: 使用电驴下载 - C:\Program Files\easyMule\IE2EM.htm
    O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
    O16 - DPF: {3AA9CF07-DF20-48FF-98BE-DED276E40146} (GDGetTokenInfo Class) - https://mybank.icbc.com.cn/icbc/GDReadPub.cab
    O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.com/download/2121/aliedit.cab
    O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
    O16 - DPF: {B1FBC1AD-5644-4084-882A-0F8BA85E7506} (InfoSecICBCNetSign Class) - https://mybank.icbc.com.cn/icbc/ICBC_NetSign.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC05A96-A0D6-403E-8D45-0B7ACD216552}: NameServer = 124.74.213.68 202.96.209.133
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour 服务 (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cmb WebProtect Support (CMBWPS) - China Merchants Bank - C:\Program Files\CMBCHINA\WebProtect\WPService.exe
    O23 - Service: ICBC Daemon Service - Unknown owner - C:\Program Files\ICBCEbankTools\ICBCAntiPhishing\IcbcDaemon.exe
    O23 - Service: iPod 服务 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    --
    End of file - 6263 bytes
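The REG command in the post above only clears the per-user policy; the same DisableTaskMgr value can also be set machine-wide under HKLM, and Task Manager can be blocked by a missing taskmgr.exe or by a Debugger entry under Image File Execution Options. The following batch script is an added diagnostic, not something from the thread or from any of the tools mentioned in it; it reports all three conditions and, when run with the argument `fix`, clears the policy in both hives. Path and value names are the standard Windows XP ones; the script name check_taskmgr.cmd is an assumed placeholder.

```batch
@echo off
rem Added diagnostic (not from the thread): why might Task Manager still be blocked?
rem Usage: check_taskmgr.cmd        -> report only
rem        check_taskmgr.cmd fix    -> also clear DisableTaskMgr in HKCU and HKLM
setlocal

set "KEY=Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "IFEO=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe"

echo [1] DisableTaskMgr policy (1 = blocked, absent or 0 = allowed)
for %%H in (HKCU HKLM) do (
    reg query "%%H\%KEY%" /v DisableTaskMgr 2>nul | find "DisableTaskMgr" || echo     %%H: value not set
)

echo [2] taskmgr.exe presence
if exist "%SystemRoot%\system32\taskmgr.exe" (
    echo     present in system32
) else (
    echo     MISSING from system32
)
if exist "%SystemRoot%\system32\dllcache\taskmgr.exe" (
    echo     Windows File Protection cache copy present
) else (
    echo     no dllcache copy - run sfc /scannow with the XP CD to restore it
)

echo [3] Image File Execution Options hijack
rem A "Debugger" value here makes Windows launch that program instead of taskmgr.exe
reg query "%IFEO%" /v Debugger 2>nul | find "Debugger" && echo     WARNING: taskmgr.exe is redirected, inspect the Debugger value || echo     no Debugger redirection

if /i "%~1"=="fix" (
    for %%H in (HKCU HKLM) do reg add "%%H\%KEY%" /v DisableTaskMgr /t REG_DWORD /d 0 /f
    echo Policy cleared in both hives; log off and back on, then try Ctrl+Alt+Del again.
)
endlocal
```

A policy value of 1 that reappears after being cleared indicates something is still running that re-applies it, which is worth checking before trusting the rest of the cleanup.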
     
  2. PeaInAPod

    PeaInAPod Active member

    Joined:
    Nov 28, 2005
    Messages:
    3,050
    Likes Received:
    0
    Trophy Points:
    66
    I am not sure why Task Manager won't open on your PC, but as a temporary or permanent fix here are 5 Task Manager alternatives.

    As for the HijackThis log, there are many entries that point towards an ICBC Bank, which from what the log contains seems to be located in China. Judging from your typing/"language" I would guess you're not from China. If you are, correct me. But do you know of ICBC Bank?

    Also try booting into Safe Mode and re-running all the scans you mentioned: Malwarebytes, Ad-Aware, etc. I would also recommend SUPERAntiSpyware and Spybot Search and Destroy be installed and used. You should only have 1 Anti-Virus installed, but you can never have too many Anti-Spyware apps, especially when dealing with an infection.

    Below are download links for SUPER and Spybot; use these in case your browser is redirecting you:

    SUPERAntiSpyware

    Spybot Search and Destroy
     
  3. delaluna

    delaluna Member

    Hi,

    Thanks a bunch for your reply.

    I am in China (from US), so no worries about the ICBC Bank.

    The thing is, I cannot reboot in Safe Mode either. The F8 key doesn't work. I don't know if this is the result of the viruses? Yesterday I was able to reboot in Safe Mode by using Msconfig in the Run tab. But I think I've made a mistake. Yesterday I also ran Combofix and the result shows that Combofix has deleted my Msconfig. Now I cannot find Msconfig on the computer. I've tried downloading an msconfig.exe from the internet (http://www.pcreview.co.uk/forums/thread-1735965.php) but it doesn't have the option for rebooting in Safe Mode as it did before.

    What should I do?
     
  4. PeaInAPod

    PeaInAPod Active member

    Unless F8 was the key you used to get into Safe Mode before, you should try other keys, as it may not be F8; maybe it's F11 or F12, etc.
     
  5. scum101

    scum101 Guest

    virus is win32-parite .. it will be running a hidden webserver and set of files down below hide.exe .. search for that.. then you will have to boot to real dos and delete it and everything below it.. hide.exe in this way isn't actually a file, it's a wrapper for a whole hidden process. It disables task manager so you can't see the apache or ftp protocol it's running.. it also disables safe mode.

    so.. let everything start up normally.. pull internet plug to disable whatever web processes are connecting out.

    search for hide.*

    make a note of exactly where it is (was a post a long time ago on ozzu by me about manual removal of this thing) and then boot with any live cd or win98 boot floppy or something.. and go to the location... when you get there cd hide.exe and dir will bring up a whole heap of stuff... there is even a text file message for you from the malware writer spamming an irc channel... that you are better off avoiding XD

    delete the lot with dos ..

    old virus.. maybe newly skinned by somebody.
     
  6. delaluna

    delaluna Member

    Hi,

    Thanks for the tip. Got into Safe Mode, and ran Malwarebytes. But midway through a pop-up appeared saying "hard disk error" and after a while, the blue screen flashed with the message "kernel_stack_inpage_error".
    0x00000077

    I rebooted again in Safe Mode and ran AVG anti-virus. Again, after a while the screen became blurry and the computer crashed.

    Any advice?
    Thanks!!!
    Jennie
     
  7. PeaInAPod

    PeaInAPod Active member

    I won't go into detail about this Bluescreen message since Microsoft does such a great job of it themselves! lol, here's a link from Microsoft:

    http://support.microsoft.com/kb/315266

    Basically either you have a hardware failure occurring/approaching or you have one nasty virus that is affecting your main hard drive's boot sector.

    @scum101 - Your post makes no sense. You say "virus is win32-parite". Yes, a virus is a Win32 parasite, but that's a general definition for anything malicious. Your advice is sketchy at best. And you prove how much you know by this line: "pull internet plug to disable whatever web processes are connecting out". Disconnecting the ethernet plug from the computer won't disable any processes that are running. They will keep running; they just won't be able to connect to the internet. And who even has a Windows 98 floppy anymore? Heck, who even has a floppy drive? I'm normally a very pleasant person, but your seemingly general lack of knowledge ticks me off, since bad information given to a user could ruin their computer.
     
  8. delaluna

    delaluna Member

    PeaInAPod,

    Suppose it is the hardware issue, do I have to reformat the computer?

    After reading http://support.microsoft.com/kb/315266, should I re-install the service pack?

    What should I do at this point?

    Thanks,
    Jennie
     
  9. delaluna

    delaluna Member

    I think you might be right about the nasty virus that is affecting my hard drive. But what should I do?
     
  10. PeaInAPod

    PeaInAPod Active member

    That article states that everything is either virus or hardware based. Since we have scanned with tons of programs and run HJT logs I will say if it is a virus we should reformat and reinstall.

    But let's try to do the hardware fixes first. There are 3 options Microsoft lists, but only 2 apply to us.

     
  11. delaluna

    delaluna Member

    Hi,

    I did the Option 2: Manually run Chkdsk, and it worked out fine.

    Now what?
     
  12. PeaInAPod

    PeaInAPod Active member

    Did Chkdsk report any errors with the file structure/actual files?
     
  13. delaluna

    delaluna Member

    Nope, no error.
     
  14. delaluna

    delaluna Member

    Also, at this stage, is it safe for me to do online shopping? (mostly entering passwords)

    What about checking emails?
     
  15. PeaInAPod

    PeaInAPod Active member

    Personally I would always do a reformat and reinstall afterwards, but otherwise I would say yes, it seems like things have cleared up for you. It's always a good idea though, even if your PC hasn't been infected, to keep a close eye on your checking/credit card use. I have my Chase checking account set to email me every morning with every transaction that has gone through, so if something was charged that I wasn't expecting I'll know the day it happens, not when my next statement comes.
     
  16. scum101

    scum101 Guest

    PARITE .. built on CHN base but to run hidden services instead of destroying hardware.

    This seems like a new variant as trying to use silly windows tools to remove it appear to be causing bad sectors on the drive.. It's defending itself..

    that's more than enough info.. no more secrets.
     
  17. PeaInAPod

    PeaInAPod Active member

    I stand corrected on 1 issue. Win32/Parite is an actual infection and not Parasite misspelled.

    However, there is still no reason to go through all the steps you listed, scum101, since AVG, the makers of delaluna's antivirus program, has a small program made just for the removal of the Win32/Parite infection. I would go further and guess that since AVG has a small removal tool for it, their antivirus should be able to catch it, but who knows.


    Delaluna just to eliminate this possibility, download this program from AVG called rmparite.exe then disconnect your computer from the network, i.e. unplug the ethernet cable, and then run the rmparite.exe tool.
     
  18. delaluna

    delaluna Member

    Hi,

    Ran rmparite.exe, no apparent infections found.

    Why do you say my computer appears to be okay? Just because chkdsk didn't yield errors? But what about the possibility of that "nasty virus" that lurks behind? I say this because:

    1. When in Safe Mode, the virus scans (AVG, Malwarebytes, Ad-Aware, Spybot, etc.) can't go through smoothly. The screen becomes blurry or freezes or shuts down.

    2. cannot do ctrl+shift+del
     
  19. PeaInAPod

    PeaInAPod Active member

    More than likely your Windows installation is corrupted, which could be the reason you experience these issues in Safe Mode and the reason your ctrl-alt-delete functionality no longer works. It could also be due to a hardware failure.

    Since you said you had a virus previously, it could be causing your issues; a corrupted Windows install could be the culprit; there are many possibilities. I would back up your data and reinstall Windows. Now if the problem disappears after the reinstall of Windows, then it was either a virus or a corrupted Windows causing your problems. But if the problems with Safe Mode remain after a clean install of Windows, then it must be a hardware failure.
     
  20. delaluna

    delaluna Member

    Hi,

    I've never reinstalled Windows myself. (Usually a computer technician did it for me.) A few questions...

    1. Is it difficult? How long is the process?
    2. Is this the same thing as reformatting the hard drive?
    3. All I need is a copy of Windows XP, right?

    Thanks!
     