[Resolved] task manager and registry dead

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

bILLyYaNk

Thread Starter
Joined
Oct 1, 2003
Messages
7
I looked at your related threads and tried everything. I renamed my registry and that now works. Task manager is dead.

Here is my hijackthis log:

Logfile of HijackThis v1.97.2
Scan saved at 6:36:00 PM, on 10/1/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\WINLODR.SCR
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott Ronan\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\regedit1.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks!!!
 
Joined
Dec 9, 2000
Messages
45,855
This is the culprit:

C:\WINDOWS\System32\WINLODR.SCR

But I can't see where it is starting from.

You can boot up in Safe Mode and delete it. Or you can copy taskmgr.exe to My Documents and rename it taskmgr.com

Terminate the process for winlodr.scr then delete the file.

Run regedit and collapse the file tree completely and click Edit > Find and do a search for winlodr.scr and delete all instances.


I suspect you probably picked this up through ICQ by the way. Something you definitely use at some risk.
 

bILLyYaNk

Thread Starter
Joined
Oct 1, 2003
Messages
7
yeah I thought that was it. I tried to delete it but I couldn't. I will try safe mode.... Yup I thought it was ICQ as well ..... Here I go to safe mode.
 
Joined
Dec 9, 2000
Messages
45,855
If you cannot delete it or if it returns anyway (this seems to be a problem) after restarting, post a HijackThis Startuplist following these directions:

Click Config, then Misc Tools. Put a check in "list minor sections" and click Generate StartupList and copy/paste that. It will show more locations, including services.

One or the other of these ICQ files may be bogus:

O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe

I suspect the RUNOnce location is pointing to a malicious file. So you may need to run HijackThis and delete that in Safe Mode as well.
 

bILLyYaNk

Thread Starter
Joined
Oct 1, 2003
Messages
7
I don't have an option to run safe mode. Weird.... I hit F8 and it doesn't have the safe mode option
 

bILLyYaNk

Thread Starter
Joined
Oct 1, 2003
Messages
7
Here is the list:
StartupList report, 10/1/2003, 11:22:53 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Scott Ronan\Desktop\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\WINLODR.SCR
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Scott Ronan\Desktop\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~2\NORTON~1\AdvTools\ADVCHK.EXE
NetLimiter = C:\Program Files\NetLimiter\NetLimiter.exe /s
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
Mirabilis ICQ = C:\Program Files\ICQ\ICQNet.exe
Winsock2 driver = WINLODR.SCR
Power Scan = C:\Program Files\Power Scan\powerscan.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ = C:\Program Files\ICQ\ICQ.exe -trayboot
Winsock2 driver = WINLODR.SCR

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #2: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #3: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #4: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #5: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #19: C:\Program Files\NetLimiter\nl_lsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,058 bytes
Report generated in 0.040 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Dec 9, 2000
Messages
45,855
You have XP. If your timing was right you should have got a Boot Menu with several options: normal boot, safe mode, safe mode with network support, safe mode with command prompt.

Did you see those? If not you pressed f8 too soon or too late.

Another option is to run msconfig (you may need to copy and rename it msconfig.com) and open the boot.ini tab. You can there select the "/safeboot" option.
 
Joined
Dec 9, 2000
Messages
45,855
Ok, now it's showing two more locations. I don't know why they didn't show in the Scanlog, you might try running that again.

Anyway they are under:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Winsock2 driver = WINLODR.SCR

and

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Winsock2 driver = WINLODR.SCR

You will have to run either regedit or HijackThis and delete those entries in Safe Mode before restarting.
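
The check made by eye in the reply above, written out as an added example (not part of the original thread and not HijackThis code): it reads a StartupList report, finds autorun values whose target has an extension that is unusual for a startup entry, lists every registry key that references the target, and notes whether it is also in the running-process list. The sample report is constructed from lines quoted in this thread, and the `ODD_EXTENSIONS` list is an assumption.

```python
import re

# Constructed sample: a shortened StartupList report built from lines quoted in this thread.
SAMPLE_REPORT = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WINLODR.SCR
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Mirabilis ICQ = C:\Program Files\ICQ\ICQNet.exe
Winsock2 driver = WINLODR.SCR
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ = C:\Program Files\ICQ\ICQ.exe -trayboot
Winsock2 driver = WINLODR.SCR
"""

# Assumption: executable extensions that are unusual for an autorun entry.
ODD_EXTENSIONS = (".scr", ".pif")
# First token of a command, up to its three-letter extension (handles quotes and spaces).
EXE_RE = re.compile(r'"?(.+?\.[A-Za-z0-9]{3})(?=["\s,]|$)')

def review(report):
    """Map each odd-extension autorun target to its registry keys and running state."""
    running, findings = set(), {}
    section = key = None
    for line in map(str.strip, report.splitlines()):
        if line.startswith("-----"):
            section = key = None
        elif line.startswith("Running processes"):
            section = "procs"
        elif line.startswith("Autorun entries from Registry"):
            section = "autorun"
        elif section == "procs" and line:
            running.add(line.rsplit("\\", 1)[-1].lower())
        elif section == "autorun" and line and key is None:
            key = line  # first non-blank line names the registry key
        elif section == "autorun" and " = " in line:
            match = EXE_RE.match(line.split(" = ", 1)[1])
            exe = match.group(1).rsplit("\\", 1)[-1].lower() if match else ""
            if exe.endswith(ODD_EXTENSIONS):
                findings.setdefault(exe, []).append(key)
    return {exe: {"keys": keys, "running": exe in running}
            for exe, keys in findings.items()}
```

Every key returned for a target has to be cleaned in the same pass, which is why the reply lists both the Run and the RunOnce location.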
 

bILLyYaNk

Thread Starter
Joined
Oct 1, 2003
Messages
7
Got it fixed!!!!!......I have a home network so maybe I needed to hit f12 ...I don't know but msconfig got me into safe mode and then I did a search in the registry and got rid of it. I deleted the screensaver as well. Thanks for the great help!!!!!!
 
Joined
Dec 9, 2000
Messages
45,855
Excellent, you're most welcome for the help.

F8 is supposed to get you there with f12 being a different menu, at least on my system, that points to other boot options including the CD-ROM.

Anyway, whatever works. Glad to hear all is well.
 

bILLyYaNk

Thread Starter
Joined
Oct 1, 2003
Messages
7
Safe mode wasn't one of the options under f8 on my system. I checked it twice. I also couldn't find a boot.ini file which I thought was weird. I did find a boot.ini.backup. I don't know but I am happy now.
 
Joined
Dec 9, 2000
Messages
45,855
I believe the boot.ini file is a "hidden" one, so you have to have "show hidden files" checked in Folder Options > View.

Did you get ANY menu when pressing f8? What was on it? I'm not aware of any method of removing that boot option or menu, it is inherent in the operating system.

http://support.microsoft.com/?kbid=315222
 

bILLyYaNk

Thread Starter
Joined
Oct 1, 2003
Messages
7
I always show all my files. I wouldn't have been able to find the hidden screen saver if I didn't. I have a lot of drives, maybe you can only have so many options under f8. No big deal, you showed me what to do.
 