Windows XP: No Regedit, Task Manager, Antivirus...

Hello, I'm new and I have a problem.
On my PC with WinXP Home, I can't launch or uninstall Norton 2004. If I try to launch it in safe mode I can see a red urgent message about email; it says "error" and nothing else.
I thought of a virus, and to look for any strange process in execution I tried to use Task Manager, but "something" closes it at once!
The same thing for regedit, so I can't do anything!

With HijackThis I saw that under HKLM....Microsoft\Windows\CurrentVersion\Run there are no strange values; my virus must be using another trick to start up with Windows (I think using the execution of whichever .exe).

Help me please, sorry for my bad English!!
I'm waiting....
Nanoweb
Mattia Minervini asked:
 
LucF (EMEA Server Engineer) commented:
Ah, oops, my bad, I just now noticed some are duplicates. Just to make it clear, here are all the lines to remove:

O4 - HKLM\..\Run: [Services host] svchost.com
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
O4 - HKLM\..\RunServices: [Services host] svchost.com
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Services host] svchost.com
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe

So yes, indeed all lines mentioning svchost.com, mswinrpc.exe or winmon32.exe.

LucF
0
 
LucF (EMEA Server Engineer) commented:
Hi nanoweb,

Why don't you post your logfile?
Or maybe first, get it analyzed online by http://www.hijackthis.de/index.php?langselect=english
Although that page is not fail-proof, it'll give you at least an indication.

Greetings,

LucF
0
 
Mattia Minervini (Author) commented:
Hello LucF!
These are my indications and my attempts:
- Stinger: It discovered only a W32\Sdbot.worm.gen.h, but my problem is still there....
- HijackThis: As I've just said, nothing to erase in my registry, or better, in the part of the registry scanned by HijackThis (when I connect my PC to the internet again I'll post the log too).
- SpyBot Search&Destroy: It deleted only a few simple trackers, like Alexa etc.
- While I'm writing, Antiviren 2004 is scanning my PC in safe mode.........we'll see


Bye
0

 
LucF (EMEA Server Engineer) commented:
Ok, good luck, most likely there is still some kind of virus loose on your machine which is blocking Regedit, Task Manager etc.
For the registry editor, what you might want to try is to rename %windir%\regedit.exe to regedit.com and then start it.

LucF
0
 
Mattia Minervini (Author) commented:
Good trick...
But the problem is, I have to look for a virus, but which virus?
I don't know what to do because my Q is similar to many others speaking about Klez, Yaha viruses and so on... but not equal! It's something different from the most common viruses listed in EE solutions.

Boooooooo.....
0
 
LucF (EMEA Server Engineer) commented:
nanoweb,

Please post the HijackThis logfile and I'll take a look at it; that's a lot faster way of finding out what might be bugging you.

LucF
0
 
Mattia Minervini (Author) commented:
I tried ANTIVIREN 2004, which found this:

Win32 (Kav-Engin)   svchost.som  in    C:\windows\system32

but I don't know if ANTIVIREN cleaned it...

However, this is the HijackThis log done in safe mode (in normal mode it can't start).

Logfile of HijackThis v1.97.7
Scan saved at 19.07.24, on 05/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\win\Desktop\Mattia\BACKDOOR-TROJAN\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Services host] svchost.com
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
O4 - HKLM\..\RunServices: [Services host] svchost.com
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Services host] svchost.com
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Help me, boy, if u can....
Thanks
0
 
LucF (EMEA Server Engineer) commented:
Yep... got it:

Tick the checkbox in front of the following lines:

O4 - HKLM\..\Run: [Services host] svchost.com
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Services host] svchost.com
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe

Afterwards, click "Fix checked".
Reboot the computer and delete the files mentioned.

Then, do another full system scan to make sure you're clean.

LucF
0
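As an added defender-side example (not code from the thread, from LucF, or from HijackThis), this Python script scans the O4 lines of a HijackThis log for the two patterns visible in the log above: image names that imitate a core Windows binary (svchost.com, svphost.exe) and one file registered under several Run/RunServices keys. The sample log is a constructed subset of the lines that were posted.

```python
import re
from collections import Counter

# Core Windows binaries from the log's "Running processes" list; the malware in
# this thread picked look-alike names (svchost.com, svphost.exe) to blend in.
SYSTEM_BINARIES = ["smss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe"]
# O4 Run/RunServices line: capture only the command that follows the [name].
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (.*)$")
# Constructed sample: a subset of the O4 lines from the first log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Services host] svchost.com
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Services host] svchost.com
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
"""

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_name(command):
    # Basename of the program in an O4 command; quoted paths may contain spaces.
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()

def suspicious_autostarts(log_text):
    # Map image name -> reasons: look-alike of a system binary, or the same file
    # registered under several Run/RunServices keys (as in the posted log).
    counts = Counter(image_name(m.group(1)) for m in map(O4_RE.match, log_text.splitlines()) if m)
    findings = {}
    for img, n in counts.items():
        reasons = []
        stem, _, ext = img.rpartition(".")
        for sysname in SYSTEM_BINARIES:
            if stem == sysname[:-4] and ext != "exe":
                reasons.append(f"looks like {sysname} but with a .{ext} extension")
            elif img != sysname and levenshtein(img, sysname) == 1:
                reasons.append(f"one character away from {sysname}")
        if n >= 2:
            reasons.append(f"registered in {n} autostart locations")
        if reasons:
            findings[img] = reasons
    return findings
```

Legitimate OEM entries such as Apoint.exe and ccApp.exe pass both checks, while all four files LucF asked to delete are reported.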
 
LucF (EMEA Server Engineer) commented:
Just a little note, just to be sure: after you've done all that, post a new logfile with the latest version of HijackThis; yours is a bit outdated:
http://www.aumha.org/freeware/freeware.php#hjt

LucF
0
 
Mattia Minervini (Author) commented:
I'm doing all you said.... wait please
0
 
LucF (EMEA Server Engineer) commented:
Not a problem, take your time :)

LucF
0
 
Mattia Minervini (Author) commented:
Sorry LucF,
I have many lines in my first log. Do I have to delete all lines like the ones u've posted before?
Better.... do I have to delete all the lines where I can read svchost.com, mswinrpc.exe and so on?
Or do I only have to delete the lines you wrote?
Sorry
0
 
Mattia Minervini (Author) commented:
u're my hero.....
only a few minutes!
0
 
Mattia Minervini (Author) commented:
winmon32.exe
mswinrpc.exe
svphost.exe
svchost.com
IS IT OK??

Logfile of HijackThis v1.98.2
Scan saved at 19.39.41, on 05/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\win\Desktop\Mattia\BACKDOOR-TROJAN\LastHijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

0
 
Mattia Minervini (Author) commented:
Sorry, I posted only a piece of my message...
I was asking if I have to delete those 4 files under the system32 folder before rebooting the PC (I've done the last log without rebooting..)?
0
 
LucF (EMEA Server Engineer) commented:
Looks like a clean logfile to me, now please try booting normally and see if your problems are gone.

Don't forget to delete winmon32.exe, mswinrpc.exe, svphost.exe and svchost.com; none of them can be confused with normal Windows system files, except maybe svchost.COM, as svchost.EXE is a normal system file. Make sure only to delete the .COM.

LucF
0
 
LucF (EMEA Server Engineer) commented:
Missed your second post :)

>>i've done last log with no rebooting<<
Yes, now please reboot normally, not in safe mode and then create a new log.

LucF
0
 
Mattia Minervini (Author) commented:
Well LucF,
I've found in system32:
winmon32.exe, mswinrpc.exe, svphost.exe, svchost.com
+
svphostu.exe (I'm cleaning this too).

Then I'll reboot and we'll see.... if all programs go...
wait again please
0
 
LucF (EMEA Server Engineer) commented:
:)
0
 
Mattia Minervini (Author) commented:
YUHUUUUUUUUUUUUUU!!!!!
:)))

All seems to go now!!!!!!!

YES!!!!

LucF, I'm performing a full system scan with Norton 2004 just updated, but regedit and Task Manager are OK now!!!

What do I have to do to reverse the changes made by the virus?
Do I have to modify some registry entries?
And what do u advise me to protect my notebook in the future?

0
 
LucF (EMEA Server Engineer) commented:
>>What i have to do to reverse change made by virus?<<
Nothing, if you've already deleted those files, you seem to be perfectly safe. They were probably some IRC bots or such.

>>I have to modify some registry entries?<<
That's what HijackThis is for, so nothing needed anymore :)

>>And what u advise to me to protect my notebook for future?<<
First thing, get yourself a firewall, or at least enable the WinXP built-in one.

And also, I see at least that your IE is up-to-date, so you're fine with that, but make sure to also keep WinXP up-to-date.
WinXP SP2 is out, and will soon appear for you in Italy. Make sure your computer is completely clean before starting the install, but it surely blocks a lot of extra security holes.
One little suggestion to keep you from getting ad/spyware, not as dangerous as viruses but even more of an annoyance: get yourself another browser like Mozilla. I've been using it for some time now, and it's certainly as easy to use as IE and far more protected. (http://www.mozilla.org)

Anyway, great to hear your problems are solved!

LucF
0
 
Mattia Minervini (Author) commented:
Thanks for all...
I accepted ur answer, so u can obtain 50 points (but I didn't understand this system of points...)
If u come to Italy, u've a pizza+beer paid for by me!!!!!
I hope in the future I can be useful to you, to solve ur problem.
(nanoweb@libero.it)
Sorry again for my english,
See u soon , thanks boy!!!
0
 
LucF (EMEA Server Engineer) commented:
Glad to help :)
And thanks for the invitation, whenever I'm in Italy, I'll give you a call.

LucF

p.s. Just wondering, why the "B" grade?

0
 
LucF (EMEA Server Engineer) commented:
And, btw, don't worry about your English, it's far better than that of the Italian people I've met until now :)
I'm also not a native English speaker, I live in the Netherlands.

LucF
0
 
Mattia Minervini (Author) commented:
I've seen u live in the Netherlands; for this reason u speak English very well...
For the "B" grade.... can I correct it to excellent in some way? I checked B but I understand now the real meaning of assigning a grade, sorry.....
Bye then, nice to meet u Luc!

p.s.
W MILAN football club!!!!

0
 
LucF (EMEA Server Engineer) commented:
Thanks for the compliment :)

You can't change the grade yourself; you can ask a Moderator to do so by leaving a note at http:/Community_Support/ giving a link to this question (http:Q_21119694.html)

LucF

p.s. The only thing I know about football is that those neighbours of ours (the Germans) always win :(
0
 
Mattia Minervini (Author) commented:
I've left a note for grade "A".... hope it goes well...

Bye bye....
0
 
LucF (EMEA Server Engineer) commented:
Ok, thanks.

take care,

LucF
0
Question has a verified solution.