Solved: Regedit, task manager disappearing

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

boling

Thread Starter
Joined
Feb 3, 2005
Messages
5
After reading some of the other threads, I'm still confused about what to do. Here's my log from HJT:

Logfile of HijackThis v1.99.0
Scan saved at 8:50:31 PM, on 2/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\RUNDLL32.exe
C:\WINNT\System32\WINLOGONPC.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\devldr32.exe
C:\Documents and Settings\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springmail.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows Logon Procedure] WINLOGONPC.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Windows Logon Procedure] WINLOGONPC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)



I've done Adaware and NAV scans, but have yet to see anything I recognize. Also AIM seems to start as soon as the network is available. Currently connecting through ICS on another XP workstation that's running fine.

Thanks for any help

CCB
 
Joined
Dec 9, 2000
Messages
45,855
Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View

If HijackThis has not been downloaded or copied to a permanent folder, move it there before beginning.



Then:

1 >> Restart in Safe Mode. Instructions here if you need them:http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

2 >> In Safe Mode run HijackThis and check and "fix" the following entries:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O4 - HKLM\..\Run: [Windows Logon Procedure] WINLOGONPC.EXE

O4 - HKCU\..\RunOnce: [Windows Logon Procedure] WINLOGONPC.EXE

O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

3 >> Go to Start > Run and enter cmd and a command shell will open. At the prompt carefully type and enter each line:

del C:\WINNT\System32\WINLOGONPC.EXE

>> While still in Safe Mode, test regedit and Task Manager



>> Reboot and post another Scanlog. Test regedit and task manager in normal mode.

If they still don't work, copy them to My Documents (they are in the system32 folder) and rename them regedit.com and taskmgr.com and try running them directly. Let me know if they work that way.
 

boling

Thread Starter
Joined
Feb 3, 2005
Messages
5
Problem is fixed. Here is the new log:



Logfile of HijackThis v1.99.0
Scan saved at 1:38:16 PM, on 2/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\RUNDLL32.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.springmail.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe



Thanks much for the help!!!

Chris
 
Joined
Dec 9, 2000
Messages
45,855
Great!

The new log is fine -- so I'll mark the problem "solved" but for future reference this is also an option available to original posters in the Thread Tools tab.

You're most welcome for the help!

By the way you should definitely update IE to the latest version and patch it.

And give consideration to XP SP2. You may have many other unpatched vulnerabilities. Links for these are available in the Microsoft section of the Security Help Tools sticky in this forum.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top