zachvaldez
asked on
Regedit, msconfig, task list: now you see, now you don't on my XP
Hi,
I've seen this posting somewhere and I was also hit recently. For a week already, the computer has suffered from this unknown virus. I've been working on it for hours and late nights. But somehow, it won't go away.
I ran Spybot, Ad-Aware and AV and it still won't go away.
Here is my problem right now.
There is an entry in my Registry under CurrentVersion\Run that won't go away even if I delete it. It keeps coming back.
I downloaded Process Explorer and I went through the files many nights.
I found out that what caused my Regedit and Msconfig not to show up was a file named zoomplayer.exe. If I delete this file using Process Explorer, I am able to open regedit. So I went and deleted zoomplay.exe.
I went to startup programs but it is not there. I don't know what fires this exe again...
If I reboot, this file shows up again.
Can someone direct me how I can permanently deal with this problem?
ASKER
By the way, I checked this posting and was able to make copies of my registry, regedit and msconfig.
But what should I do next?
Every time I reboot, that zoomplay.exe always comes back. I am using Process Explorer to kill the process. But I would like to get rid of it permanently. Can't run internet...
Luckily I have this other PC to communicate with EE..
hmmmmmmm some weird stuff is present on ur system,,,,,, can u do this,,,, Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://www.spychecker.com/program/hijackthis.html
Then Post that log at this site to analyse >> http://www.hijackthis.de/index.php?langselect=english
Does it show u anything as NASTY ??
ASKER
Here it is: Please analyze.
What I've done so far..
I installed SP2 this AM. I thought it would fix it. I just turned off System Restore..
Logfile of HijackThis v1.97.7
Scan saved at 9:56:35 PM, on 9/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll", cdaEngineMain
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Zoom Video Player] ZOOMPLAY.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: BrowserVillage (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Chikka Text Messenger - http://java.chikka.com/library/chikkaLIB_v2.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
ASKER CERTIFIED SOLUTION
ASKER
What spy removal do you recommend for this? and AV too?
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot ==> http://www.spychecker.com/program/spybot.html
and Stinger >> http://vil.nai.com/vil/stinger
when u install Adaware and Spybot, first update them and then run them in safemode with Stinger !!
ASKER
How can I update it if the machine cannot connect to the internet? I can download it using this PC, but can I update them that way?
>> But I would like to get rid of it permanently. Can't run internet...
ok i didn't see that line, u can run them without update then, what else =\
ASKER
Thanks!
I ran Ad-Aware. It found 543 criticals and I quarantined them.
I ran Spybot and out of 13775 files it found 13 problems. I chose Fix Selected and some errors appeared as follows:
1. WTKERNEL0100.DLL not found. Reinstalling the application may fix the problem.
2. Dll or App C:\Windows\wt\webdriver.dll is not a valid windows image. Please check this against installation diskette.
3. Application failed to start because WDEngine.dkk was not found. Re-installing the application may fix the problem.
4. C:\windows\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.sll is not a valid windows image.
Am about to run Stinger. Please advise ASAP
very good.... u were having these much junks, and u never thought abt running those removal tools.... and i think that u are running them for the first time..... =\
Add these tools also in the list of tools which u have to run.... ur system is the Home of malwares\trojans\viruses.. .. =\
SpySweeper ==> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster ==> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
and leave those ones which they cannot delete, we can try to delete them afterwards manually !!
Im leaving for the other town right now,,,, will be unable for the next 12 hours approx. so sorry for that.... =\
But will be there after to know the progress of this war between u and those junks, Good Luck :)
ASKER
Thanks for your help despite your busy schedule. Maybe it's time for you to take a break!
But at any rate stinger is still running. Will let you know how it went.
Have a nice time for the next 12 hours!!!
Do you think I can open my internet on that PC again???
ASKER
I got this problem resolved this morning, Sheh. You may be surprised how I did it!
My regedit and msconfig are back and my PC is back to what it is supposed to do!!
Solution: (This may be a case-to-case basis and may not apply to everyone. For example, the file involved may be different in yours. In my case it was zoomplay.exe, which cost me the whole week and long night hours to debug it!)
Following all of Sheh's advice, IN SAFE MODE:
Run AdAware
Run Spybot
Run Stinger
HERE: IF YOU KNOW OR HAVE IDENTIFIED WHICH ONE IS PREVENTING YOUR REGEDIT FROM SHOWING AND MAKING IT DISAPPEAR, DELETE IT.
IN MY CASE IT WAS ZoomPlay.exe, and it is located in the RUN key under CurrentVersion.
Run your AV
Run in normal mode:
Still, Zoomplay.exe appeared in the Registry under the RUN key.
Download Process Explorer (This is a beauty! Highly recommended!!). I was able to monitor the handles, DLLs and where it is located. It was in Windows\system32, but you cannot see it there because that file was HIDDEN.
The KEY was to go back to Process Explorer, select Zoomplay.exe, go to Properties and uncheck the Hidden attribute.
Go back to Windows\system32 and RENAME the file to something like xzoomplay or anything...
Reboot your machine into Safe Mode.
Go to Windows\system32 and delete the renamed file, or if zoomplay.exe is still there, delete it.
Empty your Recycle Bin.
Reboot to normal mode. You know what, zoomplay was still there :)
HERE: IF YOU CAN, OPEN REGEDIT OR MSCONFIG... In the Startup tab, uncheck Zoomplay.
FOR SOME REASON, THE GOOD ANGEL IS STILL AT MY SIDE! I WAS ABLE TO CONNECT TO THE INTERNET.
I UPDATED ALL AV, ADAWARE AND SPYBOT...
THE ONLY QUESTION NOW IS HOW COME I CANNOT DELETE THE ZOOMPLAY.EXE,
AND WHY IS IT OVERWRITING OR TAKING DOMINANCE OVER REGEDIT AND MSCONFIG..
Yes, I am up and running (yes, after unchecking zoomplay.exe in msconfig), but I can't get rid of the file...
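The two things the thread turns on are visible in the HijackThis log above and in the asker's write-up: the one O4 autostart entry whose command is a bare filename (ZOOMPLAY.EXE, no directory, under HKCU RunOnce), and the fact that the file it resolves to sits hidden in system32. The following is an added example, not code from the thread or from HijackThis: a small Python triage that parses O4 lines in the HijackThis format and flags entries that are bare filenames, RunOnce entries, or resolve to a Hidden file. The log excerpt and the system32 snapshot inside it are constructed for the example (the excerpt is modelled on four lines of the posted log; the snapshot stands in for a real directory listing, which on a live machine would come from the file attributes).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in HijackThis O4 format, modelled on the log posted in
# the thread (four of its lines; not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [McRegWiz] C:\\PROGRA~1\\mcafee.com\\agent\\mcregwiz.exe /autorun
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKCU\\..\\RunOnce: [Zoom Video Player] ZOOMPLAY.EXE
"""

# Constructed snapshot of the directory a bare filename is resolved against
# (system32 here): lower-case filename -> whether it carries the Hidden attribute.
# On a real host this would be read from the file attributes, as the asker did
# with Process Explorer.
SAMPLE_SYSTEM32: Dict[str, bool] = {
    "msconfig.exe": False,
    "zoomplay.exe": True,   # hidden, as the asker found
}

# One O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    command: str
    image: str              # executable part of the command, quotes stripped
    bare_name: bool         # True when the image has no directory component
    hidden: Optional[bool]  # Hidden attribute of the resolved file; None if not resolved


def split_image(cmd: str) -> str:
    """Return the executable from a Run-key command (handles quoted paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_o4(log_text: str, file_table: Dict[str, bool]) -> List[AutostartEntry]:
    """Parse every O4 line; bare filenames are looked up in the snapshot."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        image = split_image(m["cmd"])
        bare = "\\" not in image and "/" not in image
        hidden = file_table.get(image.lower()) if bare else None
        entries.append(AutostartEntry(m["hive"], m["key"], m["name"],
                                      m["cmd"], image, bare, hidden))
    return entries


def suspicious(entries: List[AutostartEntry]) -> List[Tuple[AutostartEntry, List[str]]]:
    """Entries worth a closer look, each with the reasons it was flagged."""
    flagged = []
    for e in entries:
        reasons = []
        if e.bare_name and e.hidden is True:
            reasons.append("bare filename resolves to a Hidden file")
        if e.bare_name and e.hidden is None:
            reasons.append("bare filename not found in the snapshot")
        if e.key.lower() == "runonce":
            # RunOnce values are normally deleted after one boot; one that is
            # still present on every scan is being re-created by something.
            reasons.append("RunOnce entry (re-check whether it survives a reboot)")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in suspicious(parse_o4(SAMPLE_LOG, SAMPLE_SYSTEM32)):
        print(f"{entry.hive}\\..\\{entry.key} [{entry.name}] {entry.command}")
        for r in reasons:
            print("   -", r)
```

Run as-is it reports only the Zoom Video Player line, for two reasons: its bare filename resolves to a hidden file, and it lives under RunOnce yet keeps appearing. The full-path McAfee, MSConfig and Messenger entries pass. Note that a bare filename is not suspicious on its own (the posted log's RUNDLL32.exe line is a legitimate example), which is why the snapshot lookup and the hidden attribute carry the decision here rather than the name alone.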
hmmmmmm im back, hope u will mind that much delay =\
so u did manage to fool this file, and got msconfig, regedit and internet running, Good Job !! :)
the only problem left is, u cannot delete this file, even after renaming or deleting it recreates itself in C:\Windows\System32 folder, right ??
tell me when u right click this file and check its properties, what are the details, i mean any company information or unknown !!
second thing.... when u open regedit, and hit F3 and search for zoomplay.exe, what results does it come with ??
ASKER
there is no company information. The company info column for this file is blank.
ASKER
BTW, I am using XP home edition.
Also I think I noticed is that I don't see the Security Policy icon in the Administrative tools folder.
Was this probably renamed by the virus?
Sorry for the delay too!
ASKER
I also saw a posting that security Policy is not available with the XP Home edition among others that the professional edition has.
hmmmmmmmm u are right, XP Home edition has no Local Security Policy(secpol.msc), so no need to worry on it !! :)
but that zoomplay.exe is something that is really baffling me =\
there is no information on this file anywhere,,,, and neither its listed in those viruses description which are known to make regedit, msconfig and task manager disappear :-/
tell me one thing,,,, in ur log file of hijackthis, did u removed the other processes urself, or did it really generate that Single process, hijackthis.exe ??
coz if still something junk is running in ur task manager in background, that can cause such problems.... i dont know but im too confused abt this file...... im facing this darn thing for the first time in my life, and this idiot thing looks like an innocent Video Player >:(
ASKER
Right now I'm happy to be out of the woods! As long as I update my AV, Ad-Aware and Spybot I'll be all right!
thanks for your help and excellent advice.
Check this first !!
Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
( site credit goes to Ramesh >> https://www.experts-exchange.com/M_926622.html :)
CHECK FOR ONLINE VIRUS SCAN:
--------------------------
1. http://us.mcafee.com/root/mfs/default.asp?cid=9059
2. http://security.symantec.com/
3. http://housecall.trendmicro.com/
4. http://www.pandasoftware.com/activescan/com/activescan_principal.htm
5. http://www.pcpitstop.com/antivirus/default.asp
Stinger >> http://vil.nai.com/vil/stinger