Help- task manager disabled by "administrator," enlfxgw

  • MarxPayne337
  • Born
  • Born
  • MarxPayne337
  • Posts: 3

Post 3+ Months Ago

Alright- I recently got hit with some sort of spyware, and it added a fake toolbar to my browser as well as disabling task manager, and not quite sure what else. I believe it's something known as enlfxgw [at least that's what the toolbar was listed as]. At first I couldn't delete it, until I cut>paste into the recycle bin, and then emptied, but the problem still exists I believe even though the file is gone.
Does anyone know how to fix this?
I can post a hijackthis log if needed.
Thanks!
  • Anonymous
  • Bot
  • No Avatar
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post 3+ Months Ago

  • spork
  • Brewmaster
  • Silver Member
  • User avatar
  • Posts: 6252
  • Loc: Seattle, WA

Post 3+ Months Ago

Yes, please make sure you're using the latest version of HijackThis and post a lot.
  • Bogey
  • Genius
  • Genius
  • Bogey
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

Post a hijackthis log so we can check it.

http://www.pctools.com/spyware-doctor/? ... lgodPS5MyA
  • MarxPayne337
  • Born
  • Born
  • MarxPayne337
  • Posts: 3

Post 3+ Months Ago

I fixed the task manager issue, though I continue to get the pop up windows, fake shortcuts on my desktop, and it continually changes the home page. I know that I have to fix the top one to fix the homepage issue- what else should I fix?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:40 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\LEXPPS.EXE
G:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
G:\Program Files\QuickTime\QTTask.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
G:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
G:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
G:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Common Files\LightScribe\LSSrvc.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Viewpoint\Common\ViewpointService.exe
G:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RDL Rolex - {1F7CAFA7-9AB3-4198-A8B4-671DD6A73153} - G:\WINDOWS\dkxrstqdgn.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OSSelectorReinstall] G:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell AIO Printer A920] "G:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] G:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "G:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "G:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: apdqnxp - {E8560A35-2026-4193-8364-B557982C220C} - G:\WINDOWS\apdqnxp.dll
O21 - SSODL: btrklfr - {EA0984AD-995F-41EF-A0EC-01FD095CE7EF} - G:\WINDOWS\btrklfr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - G:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - G:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - G:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///G:\WINDOWS\privacy_danger\index.htm

--
End of file - 6114 bytes
  • Bogey
  • Genius
  • Genius
  • Bogey
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

Go into safe mode before doing any of the following steps to assure quality

TO get into safe mode press F8 at the windows logo screen (or continue to press F8 if previous fails).

Download smitfraudfix and run option 1 and 2 in safe mode

About your hijackthis log... remove the following before you run smitfraudfix...

Looks like you got the nasty netsky worm :(

Quote:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2

O2 - BHO: RDL Rolex - {1F7CAFA7-9AB3-4198-A8B4-671DD6A73153} - G:\WINDOWS\dkxrstqdgn.dll

O21 - SSODL: apdqnxp - {E8560A35-2026-4193-8364-B557982C220C} - G:\WINDOWS\apdqnxp.dll

O21 - SSODL: btrklfr - {EA0984AD-995F-41EF-A0EC-01FD095CE7EF} - G:\WINDOWS\btrklfr.dll

O24 - Desktop Component 0: Privacy Protection - file:///G:\WINDOWS\privacy_danger\index.htm
  • MarxPayne337
  • Born
  • Born
  • MarxPayne337
  • Posts: 3

Post 3+ Months Ago

That worked well- thank you very much for your help.
I had Acronis running before the boot screen, where I partitioned my main harddrive into XP and OSX- for some reason that won't show up any more [not that I have any complaints, I don't use OSX often]- would reinstalling it fix the issue with that?
  • Bogey
  • Genius
  • Genius
  • Bogey
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

Yes, reinstalling that should fix it. If you know that you need it.
  • kingh
  • Born
  • Born
  • kingh
  • Posts: 1

Post 3+ Months Ago

Hello
I have the same Problem and i had hijack with normal mode and safe mode Chinge my antiviruos etc.. and the Task Manger stell locked
here the log of hijack even i had allready Fix files thro safe Mode and stell the same
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 07:43:59, on 11/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Download Master\dmaster.exe
C:\Downloads\Программы\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - C:\Program Files\Download Master\dmieall.htm
O8 - Extra context menu item: Закачать при помощи Download Master - C:\Program Files\Download Master\dmie.htm
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE369196-251C-4B84-973B-3631AB5E97AB}: NameServer = 217.30.253.245,217.30.252.242
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 2895 bytes


PS : Sorry about my bad english

Post Information

  • Total Posts in this topic: 8 posts
  • Users browsing this forum: No registered users and 119 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.