
Thread: Multiple problems


  #1 (hiwass)

    Multiple problems

    I had pop-up problems, but I think they are resolved. However, my desktop is all red-colored and I can't access the Task Manager ("Task Manager has been disabled by the administrator"), and I'm the admin. Here's what Kaspersky detected, but after I neutralize them and restart, it seems the same objects are being detected. I've also pasted the HijackThis scan. Thanks for any help.

    Infected: Trojan program Trojan.Win32.Qhost.it C:\WINDOWS\system32\KB52358626.exe 208 KB
    Infected: Trojan program Trojan.Win32.Agent.vk C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\8LYN09QB\sv4u[1] 22.8 KB
    Infected: Trojan program Trojan-Downloader.Win32.Agent.brk C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\D4WRHXCH\exe[2].php 19.5 KB
    Infected: malware not-virus:Hoax.Win32.Renos.fn msorcl32.exe\msorcl32.exe 1 MB
    Infected: Trojan program Trojan.Win32.DNSChanger.jb C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\GXY3SPQZ\web-codec1176[1].exe 227.8 KB
    Infected: Trojan program Trojan-Downloader.Win32.Agent.bnf C:\WINDOWS\system32\KB93736873.exe 45.5 KB



    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:53:04 AM, on 6/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\system32\logon.scr
    C:\Program Files\htj\jtjscan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vcdz.info/nzb/index.php?&dire...rectory=Series
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\proprygefsi.html

    --
    End of file - 3708 bytes

  #2 (TurcoLoco)

    Hi Hiwass,

    I am not the person who usually deals with the Spyware issues but since she is out on vacation, I will try to help out.

    First off, were you remoted into this machine via 'Remote Desktop'? I noticed the process rdpclip.exe listed in the running process list.

    Another system process listed was logonui.exe, which would normally disappear right after the login process, so depending on how fast you ran HijackThis the file could be the authentic Windows system file or the irc.zcrew.b trojan.

    If you indeed have admin privileges yet you can't run Task Manager, a malicious process could be the cause. The workaround? Try ProcessExplorer, which displays a ton more info about the processes and their linked sub-processes and threads, etc.
    If you can run ProcessExplorer, then the cause could indeed be a malicious process; by examining the currently running processes in detail you should be able to spot the actual hidden process, kill it and then delete it.

    One other thing that caught my attention is the name of the HijackThis.exe file, which is the original name of the executable; on yours it was jtjscan.exe, but everything else looked normal, so I am guessing you renamed it as a precautionary measure?

    What I would recommend is, if you have not yet gone through the steps in this sticky, then please do so asap.

    To delete the infected files, download CleanupXP+ to your desktop, then reboot your system in SAFE MODE and run the tool. When prompted for deleting a file or folder, enter the full file name KB52358626.exe and the tool should take care of the rest. Once the same prompt comes up, enter the file msorcl32.exe next. The other location will be cleaned up automatically. Once those two files are deleted, reboot your system in Normal mode to check.


    ~TL
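The "Task Manager has been disabled by the administrator" message comes from the DisableTaskMgr policy value (a REG_DWORD set to 1 under either HKCU or HKLM \Software\Microsoft\Windows\CurrentVersion\Policies\System). Malware commonly sets that value from a running process and re-sets it when it is cleared, which is why clearing it only sticks once the process is gone, so it is worth checking both hives, the files Kaspersky named, the AppInit_DLLs entry and the Active Desktop component (the O24 line, a likely source of the red desktop) in one pass. The script below is an added example written for this page; it is not part of the thread, of HijackThis or of CleanupXP+. It assumes an administrator PowerShell prompt, assumes msorcl32.exe sits in system32 (the Kaspersky line gives no directory for it), and otherwise uses only the file names and registry locations that appear in the log above.

```powershell
# Added example, not from the original thread. Run from an administrator
# PowerShell prompt. Without -Fix it only reports; with -Fix it removes the
# DisableTaskMgr policy value and tries to delete the files it finds.
param([switch]$Fix)

# Both locations that produce "Task Manager has been disabled by the administrator".
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { Write-Host "$key : key not present"; continue }
    $val = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($null -eq $val) { Write-Host "$key : DisableTaskMgr not set"; continue }
    Write-Host "$key : DisableTaskMgr = $val"
    if ($Fix -and $val -ne 0) {
        # If a malicious process is still running it will usually put this back;
        # re-run the report after the process has been killed to confirm.
        Remove-ItemProperty -Path $key -Name DisableTaskMgr
        Write-Host "  removed DisableTaskMgr from $key"
    }
}

# Files named in the Kaspersky report and in the HijackThis O24 line.
# Assumption: msorcl32.exe is in system32; the report gives no directory for it.
$suspects = @(
    "$env:SystemRoot\system32\KB52358626.exe",
    "$env:SystemRoot\system32\KB93736873.exe",
    "$env:SystemRoot\system32\msorcl32.exe",
    'C:\Program Files\Online Services\proprygefsi.html'
)
foreach ($f in $suspects) {
    if (-not (Test-Path $f)) { Write-Host "absent   $f"; continue }
    $fi = Get-Item $f -Force    # -Force so hidden/system files are not skipped
    Write-Host ("PRESENT  {0}  {1} bytes  modified {2}" -f $f, $fi.Length, $fi.LastWriteTime)
    if ($Fix) {
        # Fails while the file is locked by a running process; in that case
        # kill the process first (or delete from Safe Mode, as suggested above).
        Remove-Item $f -Force -ErrorAction Continue
    }
}

# Every DLL in AppInit_DLLs is loaded into each process that loads user32.dll,
# so anything here besides the Kaspersky hook (adialhk.dll) deserves a look.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appinit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
Write-Host "AppInit_DLLs = '$appinit'"

# Active Desktop components: an HTML file registered here is drawn as the
# desktop background, which is how the O24 entry can turn the whole desktop red.
$compKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
if (Test-Path $compKey) {
    foreach ($sub in Get-ChildItem $compKey) {
        $src = (Get-ItemProperty -Path $sub.PSPath -Name Source -ErrorAction SilentlyContinue).Source
        Write-Host ("Desktop component {0}: {1}" -f $sub.PSChildName, $src)
    }
} else {
    Write-Host "No Active Desktop components registered"
}
```

Run it once without -Fix and keep the output; if DisableTaskMgr reappears after you clear it, the process that rewrites it is still alive and has to be killed (ProcessExplorer, as suggested above) before any of the deletions will hold.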

  #3 (hiwass)

    TurcoLoco,

    I went through all those steps you posted but the Task Manager is still not accessible. Any other suggestions?

    Thanks

  #4 (TurcoLoco)

    Originally posted by hiwass:
    TurcoLoco,

    I went through all those steps you posted but the Task Manager is still not accessible. Any other suggestions?

    Thanks
    Well, have you tried downloading and running ProcessExplorer to see if it worked?
