Taskmanager & Regedit closes

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

lolsim

Thread Starter
Joined
Sep 18, 2003
Messages
4
I run Win2000 SP4.

Whenever I try to run regedit or taskmanager they open, and closes. I have also experienced problems with ZA, can't get it to run. I have no uninstalled this program.

I have done a virusscan using Norton Antivirus with latest updates.

Also downloaded Hijack this, log posted under.

Anyone know how to fix the problem?

Regards

Log:

Logfile of HijackThis v1.97.2
Scan saved at 21:55:31, on 18.09.2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TotalRecorder\TotRecSched.exe
C:\Program Files\Daemon Tools\daemon.exe
C:\WINNT\system32\wjview.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\MSUPDT.EXE
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINNT\system32\internat.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\LimeShop\LimeShop.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MSKExe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37673.4733101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E990FE4-C97F-45B5-B6F9-4643E685665A}: NameServer = 193.213.112.4 130.67.60.68
 
Joined
Jul 26, 2002
Messages
46,331
lolsim

Welcome to TSG!

Turn off System Restore.

Make sure "show hidden files" is checked in Folder options > View

Have a copy of HijackThis.exe in its own folder on the desktop. You may want to copy these instructions to a Notepad file on the desktop, you might need them in Safe Mode.

Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

In Safe Mode, run HijackThis and "Fix Checked" the following entries:

O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE

O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE

Next, click Start, Run and type in "explorer" without the quotes. Navigate to the folder C:\WINNT\system32 and delete the:

MSUPDT.EXE file.

Go to Start > Run and type in "regedit" without the quotes and navigate to:

Hkey_Current_User
Software
Microsoft
Windows
CurrentVersion
RunOnce

>> if there is anything in the Right hand pane but 'default', right click and delete it.

Reboot back to normal and verify that all is well.

If all is well turn system restore back on and create a restore point.
 

lolsim

Thread Starter
Joined
Sep 18, 2003
Messages
4
Thanx.!

I'm using win2000, how/where do I turn of restore point?

Regards
 

lolsim

Thread Starter
Joined
Sep 18, 2003
Messages
4
Thanx alot, that did the trick.

I booted in safe mode, deleted the files:

O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE

O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE

Could not locate the MSUPDT.EXE file, and there was no entry in the register (except for default) for:

Hkey_Current_User
Software
Microsoft
Windows
CurrentVersion
RunOnce

Booted normal, then both regedit and taskmanager is ok.

What is the best way for keeping updated with this backdoors etc. What program is needed for constant updates of new threats?

Regards
 
Joined
Jul 26, 2002
Messages
46,331
I would doublecheck for the MSUPDT.EXE file. It should be there.

It most likely has the hidden attribute. Make sure "show hidden files" is checked in Folder options > View

And check again.
 

lolsim

Thread Starter
Joined
Sep 18, 2003
Messages
4
In normal mode I swithced to dos, did i dir with /s parameter.
Found the file:

05.09.2003 08:55 28_672 msupdt.exe

Do I need to boot to safe mode again to delete it?

Also, any idea for best protecting in the future?

Regards
 
Joined
Jul 26, 2002
Messages
46,331
Yes boot to safe mode and delete the msupdt.exe file.

I would say the first line of defense is your AV. I see you have Norton. I use it too and although I have it set to update automatically I still run Live update manually every day or two.

Of course a well configured firewall is a must.

I also think that all PC users should use Spybot, Adaware and SpywareBlaster.

I always recommend the following.

Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

Install the program and launch it.

I strongly recommend that you read the help file to familiarize yourself with the program.

Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
The click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning" ...........then......under "Cleaning engine" put a ckeck by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot" then click "Proceed"

Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest referencefiles.
After getting the latest referencefiles you are ready to scan.

Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

When it is finished let it fix everything it finds.

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently.
The Immunize feature in Spybot used in conjunction with SpywareBlaster and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster on a weekly basis.

And of course you have Hijack This which you can familiarize yourself with and run it occassionally to check for unusual entries.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top