
[Resolved] task manager and registry dead

Discussion in 'Virus & Other Malware Removal' started by bILLyYaNk, Oct 1, 2003.

Thread Status:
Not open for further replies.
  1. bILLyYaNk

    bILLyYaNk Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    7
    I looked at your related threads and tried everything. I renamed my registry and that now works. Task manager is dead.

    Here is my hijackthis log:

    Logfile of HijackThis v1.97.2
    Scan saved at 6:36:00 PM, on 10/1/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\System32\WINLODR.SCR
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Scott Ronan\Desktop\hijackthis\HijackThis.exe
    C:\WINDOWS\regedit1.exe

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~2\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks!!!
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    This is the culprit:

    C:\WINDOWS\System32\WINLODR.SCR

    But I can't see where it is starting from.

    You can boot up in Safe Mode and delete it. Or you can copy taskmgr.exe to My Documents and rename it taskmgr.com.

    Terminate the process for winlodr.scr then delete the file.

    Run regedit and collapse the file tree completely and click Edit > Find and do a search for winlodr.scr and delete all instances.


    I suspect you probably picked this up through ICQ by the way. Something you definitely use at some risk.
     
  3. bILLyYaNk

    bILLyYaNk Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    7
    Yeah, I thought that was it. I tried to delete it but I couldn't. I will try safe mode... Yup, I thought it was ICQ as well... Here I go to safe mode.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    If you cannot delete it or if it returns anyway (this seems to be a problem) after restarting, post a HijackThis Startuplist following these directions:

    Click Config, then Misc Tools. Put a check in "list minor sections" and click Generate StartupList and copy/paste that. It will show more locations, including services.

    One or the other of these ICQ files may be bogus:

    O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot

    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe

    I suspect the RunOnce location is pointing to a malicious file. So you may need to run HijackThis and delete that in Safe Mode as well.
     
  5. bILLyYaNk

    bILLyYaNk Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    7
    I don't have an option to run safe mode. Weird... I hit F8 and it doesn't have the safe mode option.
     
  6. bILLyYaNk

    bILLyYaNk Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    7
    Here is the list:
    StartupList report, 10/1/2003, 11:22:53 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Scott Ronan\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\System32\WINLODR.SCR
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Scott Ronan\Desktop\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    Advanced Tools Check = C:\PROGRA~2\NORTON~1\AdvTools\ADVCHK.EXE
    NetLimiter = C:\Program Files\NetLimiter\NetLimiter.exe /s
    NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
    RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    RoxioDragToDisc = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    RoxioAudioCentral = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
    Mirabilis ICQ = C:\Program Files\ICQ\ICQNet.exe
    Winsock2 driver = WINLODR.SCR
    Power Scan = C:\Program Files\Power Scan\powerscan.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NVIEW = rundll32.exe nview.dll,nViewLoadHook
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    ICQ = C:\Program Files\ICQ\ICQ.exe -trayboot
    Winsock2 driver = WINLODR.SCR

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #1: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #2: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #3: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #4: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #5: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #19: C:\Program Files\NetLimiter\nl_lsp.dll

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 6,058 bytes
    Report generated in 0.040 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have XP; if your timing was right you should have gotten a Boot Menu with several options: normal boot, safe mode, safe mode with network support, safe mode with command prompt.

    Did you see those? If not, you pressed F8 too soon or too late.

    Another option is to run msconfig (you may need to copy and rename it msconfig.com) and open the boot.ini tab. You can there select the "/safeboot" option.
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, now it's showing two more locations. I don't know why they didn't show in the Scanlog, you might try running that again.

    Anyway they are under:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Winsock2 driver = WINLODR.SCR

    and

    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Winsock2 driver = WINLODR.SCR

    You will have to run either regedit or HijackThis and delete those entries in Safe Mode before restarting.
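    The check Rollin' Rog does by eye above, reading the StartupList autorun sections and spotting the WINLODR.SCR entries, as a small triage script. This is an added example, not code from the thread or from HijackThis; the report text is constructed to mirror the two autorun sections quoted in this post, and the heuristics (bare filename with no path, a .scr file used as an autorun, the same entry persisted under more than one key) are the example's own.

```python
import re
# Constructed sample shaped like the StartupList autorun sections posted above.
SAMPLE_REPORT = """\
Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
ccApp = "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
Winsock2 driver = WINLODR.SCR
--------------------------------------------------
Autorun entries from Registry:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
ICQ = C:\\Program Files\\ICQ\\ICQ.exe -trayboot
Winsock2 driver = WINLODR.SCR
"""
HEADER = "Autorun entries from Registry:"
# quoted path | unquoted path up to a program extension | first token
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|scr|pif|bat|cpl))(?=\s|$)|(\S+)', re.I)

def parse_autoruns(report):
    """Return (registry_key, name, value) for every entry of each autorun section."""
    entries, key, lines = [], None, report.splitlines()
    for i, line in enumerate(lines):
        line = line.strip()
        if line == HEADER and i + 1 < len(lines):
            key = lines[i + 1].strip()   # the registry key follows the header
        elif line.startswith("----"):
            key = None                   # section separator
        elif key and " = " in line:
            name, value = line.split(" = ", 1)
            entries.append((key, name.strip(), value.strip()))
    return entries

def image_of(value):
    """Program image launched by a Run value, with its arguments stripped."""
    m = IMAGE_RE.match(value)
    return next(g for g in m.groups() if g) if m else value

def flag_suspicious(entries):
    """Map (key, name, value) -> reasons for entries that deserve a closer look."""
    findings = {}
    for key, name, value in entries:
        img, reasons = image_of(value), []
        if "\\" not in img:
            reasons.append("bare filename, resolved via the search path")
        if img.lower().endswith(".scr"):
            reasons.append("screensaver launched as an autorun")
        hits = sum(1 for _, n, v in entries if (n, v) == (name, value))
        if hits > 1:
            reasons.append("same entry persisted in %d autorun keys" % hits)
        if reasons:
            findings[(key, name, value)] = reasons
    return findings
```

Run against the sample, only the two "Winsock2 driver = WINLODR.SCR" entries are flagged, each for all three reasons; the bare-filename check alone also trips on legitimate entries such as rundll32 or nwiz.exe, so treat it as a prompt to look, not a verdict.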
     
  9. bILLyYaNk

    bILLyYaNk Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    7
    Got it fixed!!!!! I have a home network, so maybe I needed to hit F12... I don't know, but msconfig got me into safe mode and then I did a search in the registry and got rid of it. I deleted the screensaver as well. Thanks for the great help!!!!!!
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Excellent, you're most welcome for the help.

    F8 is supposed to get you there, with F12 being a different menu, at least on my system, that points to other boot options including the CD-ROM.

    Anyway, whatever works. Glad to hear all is well.
     
  11. bILLyYaNk

    bILLyYaNk Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    7
    Safe mode wasn't one of the options under F8 on my system. I checked it twice. I also couldn't find a boot.ini file, which I thought was weird. I did find a boot.ini.backup. I don't know, but I am happy now.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I believe the boot.ini file is a "hidden" one, so you have to have "show hidden files" checked in Folder Options > View.

    Did you get ANY menu when pressing F8? What was on it? I'm not aware of any method of removing that boot option or menu; it is inherent in the operating system.

    http://support.microsoft.com/?kbid=315222
     
  13. bILLyYaNk

    bILLyYaNk Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    7
    I always show all my files; I wouldn't have been able to find the hidden screen saver if I didn't. I have a lot of drives; maybe you can only have so many options under F8. No big deal, you showed me what to do.
     
Short URL to this thread: https://techguy.org/168891