Solved

Windows XP No Regedit, Task Manager , Antivirus...

Posted on 2004-09-05
Last Modified: 2013-12-04
Hello, I'm new and I have a problem.
On my PC with WinXP Home, I can't launch or uninstall Norton 2004. If I try to launch it in safe mode I can see a red urgent message about email; it says "error" and nothing else.
I thought of a virus, and to look for any strange process in execution I tried to use Task Manager, but "something" closes it at once!
The same thing happens with regedit, so I can't do anything!

With HijackThis I saw that under HKLM....Microsoft\Windows\CurrentVersion\Run there are no strange values; my virus must be using another trick to start up with Windows (I think by using the execution of any .exe).

Help me please, sorry for my bad English!!
I'm waiting....
Nanoweb
Question by:Mattia Minervini
29 Comments
 

Expert Comment

by:Luc Franken
ID: 11984699
Hi nanoweb,

Why don't you post your logfile?
Or maybe first, get it analyzed online at http://www.hijackthis.de/index.php?langselect=english
Although that page is not fail-proof, it'll give you at least an indication.

Greetings,

LucF
 

Author Comment

by:Mattia Minervini
ID: 11984750
Hello LucF!
These are my findings and my attempts:
- Stinger: it discovered only a W32\Sdbot.worm.gen.h, but my problem is still there....
- HijackThis: as I've just said, nothing to erase in my registry, or better, in the part of the registry scanned by HijackThis (when I connect my PC to the internet again I'll post the log too).
- SpyBot Search&Destroy: it deleted only a few simple trackers, like alexa....etc
- While I'm writing, Antiviren 2004 is scanning my PC in safe mode.........we'll see


Bye

Expert Comment

by:Luc Franken
ID: 11984821
Ok, good luck, most likely there is still some kind of virus loose on your machine which is blocking Regedit, Task Manager etc.
For the registry editor, what you might want to try is to rename %windir%\regedit.exe to regedit.com and then start it.

LucF
 

Author Comment

by:Mattia Minervini
ID: 11984853
Good trick...
But the problem is, I have to look for a virus, but which virus?
I don't know what to do because my Q is similar to many others speaking about Klez, Yaha viruses and so on... but not equal! It's something different from the most common viruses listed in EE solutions.

Boooooooo.....

Expert Comment

by:Luc Franken
ID: 11984872
nanoweb,

Please post the HijackThis logfile and I'll take a look at it; that's a much faster way of finding out what might be bugging you.

LucF
 

Author Comment

by:Mattia Minervini
ID: 11984913
I tried ANTIVIREN 2004, which found this:

Win32 (Kav-Engin)   svchost.som  in    C:\windows\system32

but I don't know if ANTIVIREN cleaned it...

However, this is the HijackThis log done in safe mode (in normal mode it can't start).

Logfile of HijackThis v1.97.7
Scan saved at 19.07.24, on 05/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\win\Desktop\Mattia\BACKDOOR-TROJAN\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Services host] svchost.com
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
O4 - HKLM\..\RunServices: [Services host] svchost.com
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Services host] svchost.com
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Help me boy, if you can....
Thanks

Expert Comment

by:Luc Franken
ID: 11984927
Yep... got it:

Tick the checkbox in front of the following lines:

O4 - HKLM\..\Run: [Services host] svchost.com
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Services host] svchost.com
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe

Afterwards, click "Fix checked".
Reboot the computer and delete the files mentioned.

Then, do another full system scan to make sure you're clean.

LucF

Expert Comment

by:Luc Franken
ID: 11984929
Just a little note, just to be sure: after you've done all that, post a new logfile with the latest version of HijackThis, yours is a bit outdated:
http://www.aumha.org/freeware/freeware.php#hjt

Lucf
 

Author Comment

by:Mattia Minervini
ID: 11984946
I'm doing all you said....wait please

Expert Comment

by:Luc Franken
ID: 11984950
Not a problem, take your time :)

LucF
 

Author Comment

by:Mattia Minervini
ID: 11984965
Sorry LucF,
I have many lines in my first log. Do I have to delete all lines like the ones you've posted before?
Better....do I have to delete all the lines where I can read svchost.com, mswinrpc.exe and so on?
Or do I only have to delete the lines you wrote?
Sorry

Accepted Solution

by:Luc Franken (earned 50 total points)
ID: 11984978
Ah, oops, my bad, I just now noticed some are duplicates, just to make it clear, here are all to remove:

O4 - HKLM\..\Run: [Services host] svchost.com
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
O4 - HKLM\..\RunServices: [Services host] svchost.com
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Services host] svchost.com
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe

So yes, indeed all lines mentioning svchost.com, mswinrpc.exe or winmon32.exe

LucF
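As an added illustration (not code from this thread or from HijackThis), a small Python triage of O4 lines in the 1.97.7 log format posted above: it parses the `O4 - HKLM\..\Run: [name] target` lines and flags exactly the twelve entries listed in this answer using three defender-side checks, the same file registered in several autostart locations, any use of the legacy RunServices key (a Windows 9x key that XP itself does not process), and filenames that imitate a core system binary (svchost.com, svphost.exe). The sample log is constructed from the thread's lines; the heuristics and the SYSTEM_STEMS list are my assumptions, not HijackThis rules.

```python
import re
from collections import Counter
# Constructed sample in the shape of the 1.97.7 log above: one legitimate entry plus the worm's.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Services host] svchost.com
O4 - HKLM\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
O4 - HKLM\..\RunServices: [Services host] svchost.com
O4 - HKLM\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Services host] svchost.com
O4 - HKCU\..\Run: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunServices: [Remote Procedure Calls] mswinrpc.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.*?)\] (.*)$")
SYSTEM_STEMS = ("svchost", "lsass", "smss", "csrss", "winlogon", "services", "explorer")  # assumed list
def target_basename(cmd):
    cmd = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]  # drop quotes and arguments
    return cmd.rsplit("\\", 1)[-1].lower()  # bare filename, e.g. 'ccapp.exe'

def parse_o4(log_text):
    entries = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):  # Global Startup (.lnk) lines do not match and are skipped
            hive, key, name, cmd = m.groups()
            entries.append({"line": line, "hive": hive, "key": key, "name": name, "file": target_basename(cmd)})
    return entries

def lookalike_of(filename):
    """System binary a filename imitates (svchost.com, svphost.exe), else None."""
    stem, _, ext = filename.rpartition(".")
    for s in SYSTEM_STEMS:
        if (stem == s and ext != "exe") or (len(stem) == len(s) and sum(a != b for a, b in zip(stem, s)) == 1):
            return s + ".exe"
    return None

def triage(log_text):
    """[(entry, reasons)] for every autostart line worth fixing; unflagged lines are left alone."""
    entries = parse_o4(log_text)
    per_file = Counter(e["file"] for e in entries)
    flagged = []
    for e in entries:
        reasons = []
        if e["key"] == "RunServices":  # Win9x-era key; XP software has no reason to use it
            reasons.append("legacy RunServices key")
        if per_file[e["file"]] >= 3:  # one file planted in several Run keys at once
            reasons.append(f"{e['file']} in {per_file[e['file']]} autostart locations")
        if twin := lookalike_of(e["file"]):
            reasons.append(f"{e['file']} imitates {twin}")
        flagged += [(e, reasons)] if reasons else []
    return flagged
```

The distinct filenames in the flagged entries are the four files to locate and delete after the lines are fixed; a legitimate entry such as ccApp.exe never accumulates a reason.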
 

Author Comment

by:Mattia Minervini
ID: 11984986
You're my hero.....
only a few minutes!
 

Author Comment

by:Mattia Minervini
ID: 11985013
winmon32.exe
mswinrpc.exe
svphost.exe
svchost.com
IS IT OK??

Logfile of HijackThis v1.98.2
Scan saved at 19.39.41, on 05/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\win\Desktop\Mattia\BACKDOOR-TROJAN\LastHijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


 

Author Comment

by:Mattia Minervini
ID: 11985023
Sorry, I posted only a piece of my message...
I was asking if I have to delete those 4 files under the system32 folder before rebooting the PC (I've done the last log without rebooting..)?

Expert Comment

by:Luc Franken
ID: 11985030
Looks like a clean logfile to me, now please try booting normally and see if your problems are gone.

Don't forget to delete winmon32.exe, mswinrpc.exe, svphost.exe, svchost.com; none of them can be confused with normal Windows system files, except maybe svchost.COM, as svchost.EXE is a normal system file, so make sure only to delete the .COM.

LucF

Expert Comment

by:Luc Franken
ID: 11985036
Missed your second post :)

>>i've done last log with no rebooting<<
Yes, now please reboot normally, not in safe mode and then create a new log.

LucF
 

Author Comment

by:Mattia Minervini
ID: 11985044
Well LucF,
I've found in system32:
winmon32.exe, mswinrpc.exe, svphost.exe, svchost.com
+
svphostu.exe (I'm cleaning this too).

Then I'll reboot and we'll see....if all programs go...
wait again please

Expert Comment

by:Luc Franken
ID: 11985055
:)
 

Author Comment

by:Mattia Minervini
ID: 11985070
YUHUUUUUUUUUUUUUU!!!!!
:)))

All seems to work now!!!!!!!

YES!!!!

LucF, I'm performing a full system scan with Norton 2004 just updated, but regedit and Task Manager are OK now!!!

What do I have to do to reverse the changes made by the virus?
Do I have to modify some registry entries?
And what do you advise me to protect my notebook in future?


Expert Comment

by:Luc Franken
ID: 11985092
>>What do I have to do to reverse the changes made by the virus?<<
Nothing, if you've already deleted those files, you seem to be perfectly safe. They were probably some IRC bots or such.

>>Do I have to modify some registry entries?<<
That's what HijackThis is for, so nothing needed anymore :)

>>And what do you advise me to protect my notebook in future?<<
First thing, get yourself a firewall, or at least enable the WinXP built-in one.

And also, I see at least that your IE is up to date, so you're fine with that, but make sure to also keep WinXP up to date.
WinXP SP2 is out, and will soon appear for you in Italy. Make sure your computer is completely clean before starting the install, but it surely blocks a lot of extra security holes.
One little suggestion to keep you from getting ad/spyware, not as dangerous as viruses, but even more of an annoyance: get yourself another browser like Mozilla. I've been using it for some time now, and it's certainly as easy to use as IE and far more protected. (http://www.mozilla.org)

Anyway, great to hear your problems are solved!

LucF
 

Author Comment

by:Mattia Minervini
ID: 11985137
Thanks for all...
I accepted your answer, so you can obtain 50 points (but I didn't understand this system of points...)
If you come to Italy, you have a pizza+beer paid for by me!!!!!
I hope in future I can be useful to you, to solve your problem.
(nanoweb@libero.it)
Sorry again for my English,
See you soon, thanks boy!!!

Expert Comment

by:Luc Franken
ID: 11985142
Glad to help :)
And thanks for the invitation, whenever I'm in Italy, I'll give you a call.

LucF

p.s. Just wondering, why the "B" grade?


Expert Comment

by:Luc Franken
ID: 11985148
And, btw, don't worry about your English, it's far better than the Italian people I've met until now :)
I'm also not a native English speaker, I live in the Netherlands.

LucF
 

Author Comment

by:Mattia Minervini
ID: 11985179
I've seen you live in the Netherlands, for this reason you speak English very well...
For the "B" grade....can I correct it to excellent in some way? I checked B but now I understand the real meaning of assigning a grade, sorry.....
Bye then, nice to meet you Luc!

p.s.
W MILAN football club!!!!


Expert Comment

by:Luc Franken
ID: 11985190
Thanks for the compliment :)

You can't change the grade yourself, you can ask a Moderator to do so by leaving a note at http:/Community_Support/ giving a link to this question (http:Q_21119694.html)

LucF

p.s. The only thing I know about football is that those neighbours of ours (the Germans) always win :(
 

Author Comment

by:Mattia Minervini
ID: 11985226
I've left a note for grade "A"....let's hope...

Bye bye....

Expert Comment

by:Luc Franken
ID: 11985239
Ok, thanks.

take care,

LucF