Solved: Regedit, task manager disappearing

Discussion in 'Virus & Other Malware Removal' started by boling, Feb 3, 2005.

Thread Status:
Not open for further replies.
  1. boling

    boling Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    5
    After reading some of the other threads, I'm still confused about what to do. Here's my log from HJT:

    Logfile of HijackThis v1.99.0
    Scan saved at 8:50:31 PM, on 2/3/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\System32\RUNDLL32.exe
    C:\WINNT\System32\WINLOGONPC.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\System32\devldr32.exe
    C:\Documents and Settings\chris\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springmail.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Windows Logon Procedure] WINLOGONPC.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [Windows Logon Procedure] WINLOGONPC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)



    I've done Adaware and NAV scans, but have yet to see anything I recognize. Also AIM seems to start as soon as the network is available. Currently connecting through ICS on another XP workstation that's running fine.

    Thanks for any help

    CCB
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.

    If HijackThis has not been downloaded or copied to a permanent folder, move it there before beginning.



    Then:

    1 >> Restart in Safe Mode. Instructions here if you need them: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    2 >> In Safe Mode run HijackThis and check and "fix" the following entries:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

    O4 - HKLM\..\Run: [Windows Logon Procedure] WINLOGONPC.EXE

    O4 - HKCU\..\RunOnce: [Windows Logon Procedure] WINLOGONPC.EXE

    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

    3 >> Go to Start > Run and enter cmd and a command shell will open. At the prompt carefully type and enter each line:

    del C:\WINNT\System32\WINLOGONPC.EXE

    >> While still in Safe Mode, test regedit and Task Manager



    >> Reboot and post another Scanlog. Test regedit and task manager in normal mode.

    If they still don't work, copy them to My Documents (they are in the system32 folder) and rename them regedit.com and taskmgr.com and try running them directly. Let me know if they work that way.
     
  3. boling

    boling Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    5
    Problem is fixed. Here is the new log:



    Logfile of HijackThis v1.99.0
    Scan saved at 1:38:16 PM, on 2/5/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\System32\RUNDLL32.exe
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Documents and Settings\chris\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springmail.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe



    Thanks much for the help!!!

    Chris
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Great!

    The new log is fine -- so I'll mark the problem "solved" but for future reference this is also an option available to original posters in the Thread Tools tab.

    You're most welcome for the help!

    By the way you should definitely update IE to the latest version and patch it.

    And give consideration to XP SP2. You may have many other unpatched vulnerabilities. Links for these are available in the Microsoft section of the Security Help Tools sticky in this forum.
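
An added example, not part of the original thread or of HijackThis itself: a short Python check that compares excerpts of the two logs posted above and confirms that the five entries selected for fixing are gone, and that no entry flagged "(no file)" or "(file missing)" remains. The function names and the `TARGETS` list are assumptions made for this illustration.

```python
import re

# Excerpts from the two HijackThis logs posted in this thread (not the full logs).
BEFORE = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] WINLOGONPC.EXE
O4 - HKCU\..\RunOnce: [Windows Logon Procedure] WINLOGONPC.EXE
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""
# Substrings identifying the five entries the helper asked to fix (assumed matching rule).
TARGETS = ["{CFBFAE00-17A6-11D0-99CB-00C04FD64497}",
           "{00000010-6F7D-442C-93E3-4A4827C2E4C8}",
           "WINLOGONPC.EXE", "zeta.exe"]

# Item lines have the form "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
# Process paths such as "C:\WINNT\..." do not match because no digit follows the letter.
ITEM_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_items(log_text):
    """Return the set of (section_code, detail) pairs found in a HijackThis log."""
    return {m.groups() for m in map(ITEM_RE.match, log_text.splitlines()) if m}

def orphaned(items):
    """Entries that HijackThis itself marks as pointing at a missing file."""
    return {i for i in items if i[1].endswith(("(no file)", "(file missing)"))}

def verify_fix(before, after, targets):
    """Split the entries chosen for fixing into (gone, still_present)."""
    b, a = parse_items(before), parse_items(after)
    chosen = {i for i in b if any(t in i[1] for t in targets)}
    return chosen - a, chosen & a

if __name__ == "__main__":
    gone, remaining = verify_fix(BEFORE, AFTER, TARGETS)
    for code, detail in sorted(gone):
        print("removed:", code, "-", detail)
    for code, detail in sorted(remaining):
        print("STILL PRESENT:", code, "-", detail)
    print("orphaned entries left:", len(orphaned(parse_items(AFTER))))
```
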
     
Short URL to this thread: https://techguy.org/326553
