123456
Get Rid of a Bad Situation (Hijack, Antivirus and Regedit Don't Work)
Dear Experts,
I have a real problem with a virus or Trojan.
My OS is WinXP with SP1.
I can't execute Hijackthis.exe.
I can't install an antivirus (Symantec).
I can't run Regedit.
When I execute those files, Windows shuts down.
I can't do these things in Safe Mode either.
How can I collect more information for you?
How can I get out of this situation?
Best Regards
Hamid Reza
Try renaming hijackthis.exe to something else (do that on another PC). Then reboot the bad one into safemode and run the renamed version of hijackthis.
ASKER
I saw Newfolder.exe in every directory too.
ASKER
I don't think the virus works based on names.
I did it, but the problem still existed on that computer.
I think whenever any file wants to access regedit, it goes into shutdown mode.
You may want to consider removing that hard drive from the computer and 'Slaving' it off another (or using a USB Enclosure).
That way, the AV/Anti-spyware programs on the other computer can do a complete scan.
As rindi suggested, try this: http://danborg.org/spy/hjt/alternativ.exe
Look here: http://www.spywareremove.com/removenewfolderexe.html
Vic
Is this just when you're running an .exe?
rename hijackthis and change the extension to .com as in hijackthis.com or some.com
Also try renaming regedit.exe to regedit.com and see if it runs.
ASKER
>>You may want to consider removing that hard drive from the computer and 'Slaving' it off another (or using a USB Enclosure). That way, the AV/Anti-spyware programs on the other computer can do a complete scan. <<
Is this method safe for the master computer?
>>Is this just when you're running an .exe?
rename hijackthis and change the extension to .com as in hijackthis.com or some.com
Also try renaming regedit.exe to regedit.com and see if it runs <<
I will test it tomorrow.
Hint:
I can't open Task Manager in normal startup (it was closed very fast).
But I can open Task Manager in Safe Mode.
ASKER
Do you think this virus is familiar to other AV/anti-spyware programs?
It is very old (3-4 years) so any AV (and Anti-spyware) program should be able to deal with it.
Vic
ASKER
Can you give its name?
Read about it here: http://www.spywareremove.com/removenewfolderexe.html
ASKER
Is Newfolder.exe's behavior similar to my conditions?
Maybe NewFolder.exe is one of the viruses existing on my computer.
I can't see shutting down in the Newfolder.exe specifications.
Download and run the "Iddono" removal application from the link I gave you.
Vic
Or use the linux cd that was suggested earlier
ASKER
rpggarmgirl:
The link doesn't work for me.
@ 123456: do you need any help with the Trinity Rescue Kit?
It's really not THAT hard to burn the iso to a CD, boot from it and press a few buttons for a full system scan with current antivirus patterns...
see http://trinityhome.org/Home/index.php?wpid=40&front_id=12 as reference
Tolomir
ASKER
I scanned the infected disk from another master disk.
It found many viruses on it. After that I installed Symantec antivirus on it, but I can't run the scan command from it.
Also I can't access the registry.
This message was raised:
Regedit was disabled by the administrator.
Logfile of HijackThis v1.99.1
Scan saved at 12:36:37 ق.ظ, on 2007/03/05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Security Files\hijackthis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [System4224411] D:\WINDOWS\System32\Systemdll.exe
O4 - HKLM\..\Run: [StatusClient 2.6] D:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] D:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "D:\Documents and Settings\Administrator\Local Settings\Application Data\smss.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
Ooops sorry rindi, that's what happens when I don't refresh the page, I duplicated people's advice.
123456,
This link below doesn't work for you? It's a direct download.
Floppy-E Removal Tool.exe.
http://www.atribune.org/ccount/click.php?id=5
Once you let hijackthis fix this entry below, you should be able to access regedit.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
@ Tolomir,
Thank you so much for helping me, :)
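Added example, not part of the original thread or any poster's own code: a small Python triage of the O4 (autorun) and O7 (policy) lines of a HijackThis log like the one posted above. It flags a DisableRegedit-style policy lock and any autorun that uses a Windows system process name from outside System32; the function names and the two heuristics are assumptions made for illustration, and an entry that is not flagged is not thereby shown to be clean.

```python
import ntpath
import re

# Constructed sample: O4/O7 lines from the thread's HijackThis log, wrap spaces removed.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [System4224411] D:\WINDOWS\System32\Systemdll.exe
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "D:\Documents and Settings\Administrator\Local Settings\Application Data\smss.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
'''

# Windows system processes that the same log shows running from System32.
SYSTEM_NAMES = {"smss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe"}

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$')
O7_RE = re.compile(r'^O7 - (.+), (Disable\w+)=1$')
EXE_RE = re.compile(r'(.+?\.(?:exe|com|scr|bat|pif))(?:\s|$)', re.I)


def image_path(command):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def triage(log_text):
    """Return (kind, detail) findings for the O4/O7 lines of a HijackThis log."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = O7_RE.match(line)
        if m:  # policy value that locks the user out of a tool
            findings.append(("policy-lock", m.group(2)))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = image_path(m.group(3))
        folder = ntpath.dirname(path).lower()
        name = ntpath.basename(path).lower()
        # A system process name autostarting from outside System32.
        if name in SYSTEM_NAMES and not folder.endswith("\\system32"):
            findings.append(("masquerade", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```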
no problem. It happens to me all the time too.
ASKER
I'm home now.
I will do all of the operations tomorrow.
RpgGarnerGirl,
I can't download the file below:
http://www.atribune.org/ccount/click.php?id=5
I googled and saw that someone else couldn't download this file.
ASKER
Many thanks for your help.
Sorry wasn't here.
I assume problem's solved?
Thanks.