
taskmanager/msconfig/regedit/antivirus

Discussion in 'Virus & Other Malware Removal' started by xpdiffer, Oct 31, 2003.

Thread Status:
Not open for further replies.
  1. xpdiffer

    xpdiffer Thread Starter

    Joined:
    Oct 31, 2003
    Messages:
    6
    Hi guys,
    I have this problem: whenever I open Task Manager, regedit or msconfig, it closes in a second.
    The main problem also is that NORTON ANTIVIRUS knows the virus is there but it can't fix it. I tried many things ON THIS FORUM but it STILL does not work.

    -----------------------------------------------------------------------------------

    MY LOG IS:


    Logfile of HijackThis v1.97.3
    Scan saved at 6:28:11 PM, on 10/30/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\NetPumper\NetPumperIEProxy.exe
    C:\PROGRA~1\Save\Save.exe
    C:\WINDOWS\System32\WHY.EXE
    C:\WINDOWS\System32\WINCFG32.EXE
    C:\WINDOWS\System32\SahAgent.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - (no file)
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\6.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\6.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
    O4 - HKLM\..\Run: [Yahoo Messanger] WHY.EXE
    O4 - HKLM\..\Run: [Win Startup] WINCFG32.EXE
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [Windows System Configure] C:\WINDOWS\system32\SystemConfig.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\RunOnce: [Yahoo Messanger] WHY.EXE
    O4 - HKCU\..\RunOnce: [Win Startup] WINCFG32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Prayer.lnk = C:\HAD\PTW.EXE
    O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8106/turbo.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8106/payload2.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/MPB18105/button.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{481B143A-ADC1-4484-9BFC-8F200A880CCF}: NameServer = 206.47.244.61 206.47.244.13
    O17 - HKLM\System\CS1\Services\Tcpip\..\{481B143A-ADC1-4484-9BFC-8F200A880CCF}: NameServer = 206.47.244.61 206.47.244.13:( :(
     
  2. PlosivoEffec

    PlosivoEffec

    Joined:
    Oct 31, 2003
    Messages:
    3
    If you know the virus file name, move it to the desktop and name it virus. Reboot and delete the file... Most viruses are not smart enough to reconfigure the main location of the infected file... or an exe loads at startup remaking the infected files.
     
  3. xpdiffer

    xpdiffer Thread Starter

    Joined:
    Oct 31, 2003
    Messages:
    6
    Yes, I know where the virus is located: C:\WINDOWS\system32\wincf32.exe
    Thank you for replying; I am going to try what you said.
     
  4. xpdiffer

    xpdiffer Thread Starter

    Joined:
    Oct 31, 2003
    Messages:
    6
    C:\WINDOWS\system32\wincfg32.exe
     
  5. xpdiffer

    xpdiffer Thread Starter

    Joined:
    Oct 31, 2003
    Messages:
    6
    No, I cannot paste the file on the desktop because it says:

    Cannot move wincfg32:Access is denied

    Make sure the disk is not full or write-protected and that the file is not currently in use
     
  6. PlosivoEffec

    PlosivoEffec

    Joined:
    Oct 31, 2003
    Messages:
    3
    Make sure read-only is not enabled.
     
  7. xpdiffer

    xpdiffer Thread Starter

    Joined:
    Oct 31, 2003
    Messages:
    6
    No, read-only is not enabled, and neither are archive and hidden.
     
  8. Skivvywaver

    Skivvywaver

    Joined:
    Mar 18, 2001
    Messages:
    13,947
    Reboot in safe mode, browse to the file and delete it.
     
  9. amthmi

    amthmi

    Joined:
    Mar 23, 2002
    Messages:
    519
    You have the Backdoor.SilverFTP backdoor Trojan
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.silverftp.html
    Follow the instructions from symantec to remove it.

    Then get the lsp fix here
    http://www.cexx.org/lspfix.htm

    Then download Spybot - Search & Destroy from http://tomcoyote.org/SPYBOT/index1.php
    After installing, use the Advanced Mode when starting up program.
    First press Online, and search for updates and install all checked updates.
    Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot
    remove all it finds that are marked in RED.
    Spybot may need to reboot your system to finish its job, allow it to reboot.

    Run Hijackthis again and post a new log for additional fixing.
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    xpdiffer

    First go to Add/Remove programs and uninstall New.Net

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - (no file)

    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\6.bin\MYBAR.DLL

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\6.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"


    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe

    O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"

    O4 - HKLM\..\Run: [Yahoo Messanger] WHY.EXE

    O4 - HKLM\..\Run: [Win Startup] WINCFG32.EXE

    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

    O4 - HKCU\..\Run: [Windows System Configure] C:\WINDOWS\system32\SystemConfig.exe

    O4 - HKCU\..\RunOnce: [Yahoo Messanger] WHY.EXE

    O4 - HKCU\..\RunOnce: [Win Startup] WINCFG32.EXE

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm

    O10 - Hijacked Internet access by New.Net

    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...B8106/turbo.cab

    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...06/payload2.cab

    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.co...8105/button.cab

    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab

    Restart to safe mode and delete:

    The C:\WINDOWS\System32\WHY.EXE file
    The C:\WINDOWS\System32\WINCFG32.EXE file
    The C:\WINDOWS\System32\SahAgent.exe file
    The C:\Program Files\Save folder
    The C:\Program Files\Common Files\CMEII folder
    The C:\Program Files\Common Files\GMT folder
    The C:\WINDOWS\system32\SystemConfig.exe file

    Now download LSPfix here: http://www.cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox. Click "Finish"

    Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Let windows remove files in use at next reboot", then click "Proceed".

    Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
    After getting the latest reference files you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished put a check by everything it finds and let it fix it.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark by all updates and install them.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.

    Be sure and take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
    On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.

    Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.

    Also turn off System Restore:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    When we are sure you are clean you can turn it back on and create a restore point.
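As an added illustration (not part of any post in this thread), a small Python triage helper for the O4 autorun lines of a HijackThis log like the one posted above. It parses the registry Run/RunOnce entries and flags the two patterns the fix list above zeroes in on: bare filenames such as WHY.EXE and WINCFG32.EXE that give no location, and the same entry name appearing in both Run and RunOnce. The sample lines are copied from the log in this thread; the function names are my own.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Yahoo Messanger] WHY.EXE
O4 - HKLM\..\Run: [Win Startup] WINCFG32.EXE
O4 - HKCU\..\Run: [Windows System Configure] C:\WINDOWS\system32\SystemConfig.exe
O4 - HKCU\..\RunOnce: [Yahoo Messanger] WHY.EXE
O4 - HKCU\..\RunOnce: [Win Startup] WINCFG32.EXE
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

def parse_o4(line):
    """Return (hive, key, name, command) for a registry O4 line, or None for any other line."""
    m = O4_RE.match(line)
    return m.groups() if m else None

def target_of(command):
    """File actually loaded: the quoted or first token, or the DLL handed to rundll32."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    tokens = command.split(None, 1)
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]

def triage(log_text):
    """Flag autorun entries worth a second look as (entry name, target, reason) tuples."""
    findings, keys_by_name = [], {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        _hive, key, name, command = entry
        target = target_of(command)
        if "\\" not in target:
            # Bare filename: resolved via the search path, so the log alone does not say where it lives.
            findings.append((name, target, "bare filename, location not pinned down"))
        keys_by_name.setdefault(name, set()).add(key)
    for name, keys in keys_by_name.items():
        if {"Run", "RunOnce"} <= keys:
            # The same name in Run and RunOnce re-creates the autorun on every boot.
            findings.append((name, "", "listed in both Run and RunOnce"))
    return findings
```

It is a triage aid, not a verdict: nwiz.exe is legitimately started by a bare name, and SystemConfig.exe is caught by neither rule although the fix list above still has it deleted.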
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    ???????
     
Short URL to this thread: https://techguy.org/176042