Solved

Regedit, msconfig, task list: now you see, now you don't on my XP

Posted on 2004-09-17
Last Modified: 2010-04-11
Hi,
  I've seen this posting somewhere and I was also hit recently. For a week already, the computer has been suffering from this unknown virus. I've been working on it for hours and late nights. But somehow, it won't go away.
I ran Spybot, Ad-Aware and AV and it still won't go away.
Here is my problem right now.
There is an entry in my Registry under CurrentVersion\Run that won't go away even if I delete it. It keeps coming back.
I downloaded Process Explorer and I went through the files many nights.
I found out that what caused my Regedit and Msconfig not to show up was a file named zoomplay.exe. If I delete this file using Process Explorer, I am able to open regedit, so I went and deleted zoomplay.exe.
I went to Startup programs but it is not there. I don't know what fires this exe again...
If I reboot, this file shows up again.

Can someone direct me how I can permanently deal with this problem?
Question by:zachvaldez

19 Comments
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12089839
Hello zachvaldez =)

Check this first!

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
( site credit goes to Ramesh >> http://www.experts-exchange.com/M_926622.html :)

CHECK FOR ONLINE VIRUS SCAN:
--------------------------------------
1. http://us.mcafee.com/root/mfs/default.asp?cid=9059
2. http://security.symantec.com/
3. http://housecall.trendmicro.com/
4. http://www.pandasoftware.com/activescan/com/activescan_principal.htm
5. http://www.pcpitstop.com/antivirus/default.asp
Stinger >> http://vil.nai.com/vil/stinger

Author Comment

by:zachvaldez
ID: 12089933
By the way, I checked this posting and was able to make copies of my registry: regedit, msconfig.

But what should I do next?
Every time I reboot, that zoomplay.exe always comes back. I am using Process Explorer to kill the process. But I would like to get rid of it permanently. Can't run internet...
Luckily I have this other PC to communicate with EE..
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12089948
hmmmmmmm some weird stuff is present on your system... can you do this: Download HijackThis v1.98.2 from here, run it and save the LOG file:
http://www.spychecker.com/program/hijackthis.html

Then post that log at this site to analyse >> http://www.hijackthis.de/index.php?langselect=english
Does it show you anything as NASTY??

Author Comment

by:zachvaldez
ID: 12090155
Here it is. Please analyze.
What I've done so far:
I installed SP2 this AM. I thought it would fix it. I just turned off System Restore.

Logfile of HijackThis v1.97.7
Scan saved at 9:56:35 PM, on 9/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Zoom Video Player] ZOOMPLAY.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: BrowserVillage (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Chikka Text Messenger - http://java.chikka.com/library/chikkaLIB_v2.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12090213
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\RunOnce: [Zoom Video Player] ZOOMPLAY.EXE
===============================

Check these entries and click on Fix Checked!
Reboot in Safe Mode and delete that zoomplay.exe file manually from its location.
Run the AV and spyware removal tools once more to make sure your system is clean now.
Then restart in Normal Mode and check whether it has come back or not.

Author Comment

by:zachvaldez
ID: 12090277
What spyware removal do you recommend for this? And AV too?
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12090284
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
and Stinger >> http://vil.nai.com/vil/stinger

When you install Ad-Aware and Spybot, first update them and then run them in Safe Mode with Stinger!

Author Comment

by:zachvaldez
ID: 12090347
How can I update them if the machine cannot connect to the internet? I can download them using this PC, but can I update them though?
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12090377
>> But I would like to get rid of it permanently. Can't run internet...

OK, I didn't see that line. You can run them without updating then, what else =\

Author Comment

by:zachvaldez
ID: 12090427
Thanks!
I ran Ad-Aware. It found 543 criticals and I quarantined them.
I ran Spybot and out of 13775 files it found 13 problems. I chose Fix Selected and some errors appeared as follows:
 1.  WTKERNEL0100.DLL not found. Reinstalling the application may fix the problem.

 2. Dll or App C:\Windows\wt\webdriver.dll is not a valid windows image. Please check this against installation diskette.

 3. Application failed to start because WDEngine.dkk was not found. Re-installing the application may fix the problem.

4. C:\windows\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.sll is not a valid windows image.

I am about to run Stinger. Please advise ASAP.

LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12090467
Very good.... you had this much junk, and you never thought about running those removal tools.... and I think that you are running them for the first time..... =\

Add these tools also to the list of tools which you have to run.... your system is the home of malware\trojans\viruses.... =\

SpySweeper ==> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster ==> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html

And leave the ones which they cannot delete; we can try to delete them manually afterwards!
I'm leaving for another town right now, will be unavailable for the next 12 hours approx., so sorry for that.... =\
But I will be back afterwards to learn the progress of this war between you and that junk. Good luck :)

Author Comment

by:zachvaldez
ID: 12090485
Thanks for your help despite your busy schedule. Maybe it's time for you to take a break!
But at any rate, Stinger is still running. Will let you know how it went.

Have a nice time for the next 12 hours!!!

Do you think I can open my internet on that PC again???

Author Comment

by:zachvaldez
ID: 12091811
I got this problem resolved this morning, Sheh. You may be surprised how I did it!
My regedit and msconfig are back and my PC is back to what it is supposed to do!!

Solution: (This may be a case-to-case basis and may not apply to everyone. For example, the file involved may be different in your case. In my case it was zoomplay.exe, which cost me the whole week and long night hours to debug!)

Following all of Sheh's advice - IN SAFE MODE:

Run Ad-Aware
Run Spybot
Run Stinger

HERE: IF YOU KNOW OR HAVE IDENTIFIED WHICH ONE IS PREVENTING YOUR REGEDIT FROM SHOWING AND MAKING IT DISAPPEAR, DELETE IT.
IN MY CASE IT WAS ZoomPlay.exe, and it is located in the RUN directory under CurrentVersion.

Run your AV

Run in normal mode:

Still, zoomplay.exe appeared again in the Registry under the RUN folder.

Download Process Explorer (This is a beauty! Highly recommended!!). I was able to monitor the handles, DLLs and where it is located. It was at Windows\system32, but you cannot see it there because that file was HIDDEN.

The KEY was to go back to Process Explorer, select zoomplay.exe, go to Properties and uncheck the hidden property.
Go back to Windows\system32 and RENAME the file to something like xzoomplay or anything...

Reboot your machine in Safe Mode.
Go to Windows\system32 and delete the file, or if zoomplay.exe is still there, delete it.

Clean your Recycle Bin.

Reboot to normal mode. You know what, zoomplay was still there :)

HERE: IF YOU CAN, GO TO OPEN REGEDIT OR MSCONFIG... In the Startup tab, uncheck zoomplay.



FOR SOME REASON, THE GOOD ANGEL IS STILL AT MY SIDE! I WAS ABLE TO CONNECT TO THE INTERNET.

I UPDATED ALL AV, AD-AWARE AND SPYBOT...

THE ONLY QUESTION NOW IS HOW COME I CANNOT DELETE ZOOMPLAY.EXE,
AND WHY IS IT OVERWRITING OR TAKING DOMINANCE OVER REGEDIT AND MSCONFIG..

Yes, I am up and running (yes, after unchecking zoomplay.exe in msconfig). I can't get rid of the file...


LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12093480
hmmmmmm I'm back, hope you won't mind that much delay =\

So you did manage to fool this file, and got msconfig, regedit and the internet running. Good job!! :)
The only problem left is that you cannot delete this file; even after renaming or deleting it, it recreates itself in the C:\Windows\System32 folder, right??

Tell me, when you right-click this file and check its properties, what are the details? I mean any company information, or unknown!!
Second thing.... when you open regedit, hit F3 and search for zoomplay.exe, what results does it come up with??

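Added example, not part of the original thread and not from either participant: the two checks Sheharyaar asks for above (file properties with company information, and the regedit F3 search for the file name) scripted in PowerShell, together with an audit of the Run/RunOnce entries that the accepted answer flagged. It assumes Windows PowerShell 5.1 or later on a current Windows (the machine in the thread is XP, which did not ship with PowerShell) and a prompt run as administrator; ZOOMPLAY.EXE is used only as the example name. Two details from the HijackThis log drive the checks. The O4 entry names a bare file name with no path, so Windows locates it through the ordinary executable search, with System32 among the first places looked, which is why the file could sit hidden in System32 and still start. And a RunOnce value is removed by the shell at logon before its command runs, so a RunOnce entry that is present again after every reboot is being written back by something that is still running.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 5.1+ run as administrator.
# 'ZOOMPLAY.EXE' below is only the example target name from the thread.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandImage {
    # First token of a Run-value command line: a quoted path, or the text up to the first space.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) { $image = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
    else                      { $image = ($cmd -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($image)
}

function Resolve-AutorunImage {
    # A bare name such as ZOOMPLAY.EXE is located roughly the way the loader would find it:
    # System32, the Windows directory, then each PATH entry. File.Exists ignores Hidden/System attributes.
    param([string]$Image)
    if (-not $Image) { return $null }
    if ([IO.Path]::IsPathRooted($Image)) { return $Image }
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:Path -split ';')
    foreach ($dir in $dirs) {
        if (-not $dir) { continue }
        $candidate = Join-Path $dir $Image
        if ([IO.File]::Exists($candidate)) { return $candidate }
    }
    return $null
}

function Get-AutorunReport {
    # One record per Run/RunOnce value: where the command resolves, whether the file is hidden,
    # and whether it carries publisher information or a valid Authenticode signature.
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not registry values
            $cmd   = [string]$p.Value
            $image = Get-CommandImage $cmd
            $path  = Resolve-AutorunImage $image
            $hidden = $null; $company = $null; $signed = $null
            if ($path) {
                $file    = Get-Item -LiteralPath $path -Force   # -Force: Hidden/System files are returned too
                $mask    = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
                $hidden  = ($file.Attributes -band $mask) -ne 0
                $company = $file.VersionInfo.CompanyName
                $signed  = (Get-AuthenticodeSignature -LiteralPath $path).Status -eq 'Valid'
            }
            [pscustomobject]@{
                Key            = $key.Replace('\SOFTWARE\Microsoft\Windows\CurrentVersion', '')
                Name           = $p.Name
                Command        = $cmd
                NoPath         = -not [IO.Path]::IsPathRooted($image)   # bare name: found via search path
                ResolvedTo     = $path
                HiddenOrSystem = $hidden
                Company        = $company
                Signed         = $signed
            }
        }
    }
}

function Find-RegistryReference {
    # The regedit F3 search, scripted: every value under the given roots whose name or data mentions the file.
    param(
        [string]$FileName,
        [string[]]$Roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
                             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion',
                             'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
                             'HKLM:\SYSTEM\CurrentControlSet\Services')
    )
    $pattern = [regex]::Escape($FileName)
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $data = [string]$k.GetValue($name)
                if ($data -match $pattern -or $name -match $pattern) {
                    [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

# Usage: every autorun entry first, then only the ones worth a second look, then the registry search.
$report = Get-AutorunReport
$report | Format-Table Key, Name, Command, ResolvedTo, HiddenOrSystem, Company, Signed -AutoSize
$report | Where-Object { $_.NoPath -or $_.HiddenOrSystem -or -not $_.Company } | Format-List
Find-RegistryReference -FileName 'ZOOMPLAY.EXE' | Format-Table -AutoSize
```

The second table is the one to read: an entry with no path, a Hidden or System file, and an empty Company column matches exactly what the thread describes. One caveat on the msconfig step used above: XP-era msconfig does not delete an unchecked Startup item, it moves the value to HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg (newer Windows records the disabled state under ...\CurrentVersion\Explorer\StartupApproved instead), so add that key to -Roots to see where the entry went; and because a RunOnce value that keeps returning is being rewritten, the report is only trustworthy after the process writing it has been stopped.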

Author Comment

by:zachvaldez
ID: 12095540
There is no company information. The Company Info column for this file is blank.

Author Comment

by:zachvaldez
ID: 12095657
BTW, I am using XP Home Edition.
Also, I think I noticed that I don't see the Security Policy icon in the Administrative Tools folder.
Was this probably renamed by the virus?

Sorry for the delay too!

Author Comment

by:zachvaldez
ID: 12096370
I also saw a posting that Security Policy is not available with XP Home Edition, among other things that the Professional Edition has.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12096434
hmmmmmmmm you are right, XP Home Edition has no Local Security Policy (secpol.msc), so no need to worry about it!! :)

But that zoomplay.exe is something that is really baffling me =\
There is no information on this file anywhere, and neither is it listed in the descriptions of those viruses which are known to make regedit, msconfig and Task Manager disappear :-/

Tell me one thing: in your HijackThis log file, did you remove the other processes yourself, or did it really generate that single process, hijackthis.exe??

Because if some junk is still running in your Task Manager in the background, that can cause such problems.... I don't know, but I'm too confused about this file...... I'm facing this darn thing for the first time in my life, and this idiot thing looks like an innocent Video Player >:(

Author Comment

by:zachvaldez
ID: 12108324
Right now I'm happy to be out of the woods! As long as I update my AV, Ad-Aware and Spybot I'll be all right!
Thanks for your help and excellent advice.