
Taskmanager & Regedit closes

Discussion in 'Virus & Other Malware Removal' started by lolsim, Sep 18, 2003.

Thread Status:
Not open for further replies.
  1. lolsim

    lolsim Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    4
    I run Win2000 SP4.

    Whenever I try to run regedit or taskmanager they open and close. I have also experienced problems with ZA, can't get it to run. I have now uninstalled this program.

    I have done a virus scan using Norton Antivirus with latest updates.

    Also downloaded HijackThis; log posted below.

    Anyone know how to fix the problem?

    Regards

    Log:

    Logfile of HijackThis v1.97.2
    Scan saved at 21:55:31, on 18.09.2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\TotalRecorder\TotRecSched.exe
    C:\Program Files\Daemon Tools\daemon.exe
    C:\WINNT\system32\wjview.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINNT\system32\MSUPDT.EXE
    C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\LimeShop\LimeShop.exe
    C:\Program Files\Opera7\opera.exe
    C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\TotalRecorder\TotRecSched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MSKExe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37673.4733101852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E990FE4-C97F-45B5-B6F9-4643E685665A}: NameServer = 193.213.112.4 130.67.60.68
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    lolsim

    Welcome to TSG!

    Turn off System Restore.

    Make sure "show hidden files" is checked in Folder options > View

    Have a copy of HijackThis.exe in its own folder on the desktop. You may want to copy these instructions to a Notepad file on the desktop, you might need them in Safe Mode.

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode, run HijackThis and "Fix Checked" the following entries:

    O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE

    O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE

    Next, click Start, Run and type in "explorer" without the quotes. Navigate to the folder C:\WINNT\system32 and delete the:

    MSUPDT.EXE file.

    Go to Start > Run and type in "regedit" without the quotes and navigate to:

    Hkey_Current_User
    Software
    Microsoft
    Windows
    CurrentVersion
    RunOnce

    >> if there is anything in the Right hand pane but 'default', right click and delete it.

    Reboot back to normal and verify that all is well.

    If all is well turn system restore back on and create a restore point.
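The two O4 lines singled out above are Run/RunOnce autostart entries from the HijackThis log. As an added illustration (my own code, not part of this thread and not HijackThis code), here is a small Python parser for that line format that surfaces the properties which make the Wiinbllah entries stand out for review: an image given as a bare filename (so whichever file of that name is found first on the PATH is what runs), an entry sitting in RunOnce (RunOnce values are deleted after they run, so one that is still there after a reboot is being re-created by something), and one name registered under several keys. The rule names and the "multi-key" heuristic are my own; the sample lines are excerpted from the log posted earlier in the thread. A bare filename is a prompt to check, not a verdict: mobsync.exe and internat.exe in this log are ordinary Windows components and are listed for review just the same.

```python
import re
from typing import Dict, List, Optional, Tuple

# Lines excerpted verbatim from the HijackThis log posted in this thread.
# The O2 line is included only to show that non-O4 lines are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def image_path(cmd: str) -> str:
    """Return the program image a Run-key command line actually points at."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        image = cmd[1:end] if end > 0 else cmd[1:]
        rest = cmd[end + 1:].strip() if end > 0 else ""
    else:
        parts = cmd.split(None, 1)
        image, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    # rundll32 only hosts code; the DLL named after it is the real image.
    if image.lower().endswith("rundll32.exe") and rest:
        return rest.split(None, 1)[0].split(",", 1)[0]
    return image


def is_bare(image: str) -> bool:
    """True when the image has no directory, i.e. it is resolved by PATH search."""
    return "\\" not in image and ":" not in image


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 line into hive/key/name/cmd/image, or None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["image"] = image_path(entry["cmd"])
    return entry


def parse_log(text: str) -> List[Dict[str, str]]:
    return [e for e in (parse_o4(line) for line in text.splitlines()) if e]


def review_candidates(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (value name, rule, detail) for every property worth a manual look."""
    findings: List[Tuple[str, str, str]] = []
    keys_by_name: Dict[str, set] = {}
    for e in entries:
        keys_by_name.setdefault(e["name"], set()).add(e["key"])
        if is_bare(e["image"]):
            findings.append((e["name"], "bare-image",
                             f"{e['hive']}\\{e['key']}: '{e['image']}' is located by PATH search; "
                             "confirm which file of that name actually runs"))
        if e["key"].lower() == "runonce":
            findings.append((e["name"], "runonce",
                             f"{e['hive']}\\RunOnce: value is deleted after it runs, so a persistent "
                             "one is being re-created each boot"))
    for name, keys in keys_by_name.items():
        if len(keys) > 1:
            findings.append((name, "multi-key",
                             f"registered under {sorted(keys)}: same value name in several keys"))
    return findings


if __name__ == "__main__":
    for name, rule, detail in review_candidates(parse_log(SAMPLE_LOG)):
        print(f"[{name}] {rule}: {detail}")
```

Run against the excerpt, the Wiinbllah value is the only one hit by all three rules, which matches what the advice above has the poster remove; the other bare-image hits are where a reviewer would confirm the file path before touching anything.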
     
  3. lolsim

    lolsim Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    4
    Thanx!

    I'm using win2000, how/where do I turn off restore point?

    Regards
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Sorry! Win2K doesn't have System Restore. Disregard that part.
     
  5. lolsim

    lolsim Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    4
    Thanx a lot, that did the trick.

    I booted in safe mode, deleted the files:

    O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE

    O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE

    Could not locate the MSUPDT.EXE file, and there was no entry in the registry (except for default) for:

    Hkey_Current_User
    Software
    Microsoft
    Windows
    CurrentVersion
    RunOnce

    Booted normal, then both regedit and taskmanager are ok.

    What is the best way for keeping updated with these backdoors etc.? What program is needed for constant updates of new threats?

    Regards
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I would doublecheck for the MSUPDT.EXE file. It should be there.

    It most likely has the hidden attribute. Make sure "show hidden files" is checked in Folder options > View

    And check again.
     
  7. lolsim

    lolsim Thread Starter

    Joined:
    Sep 18, 2003
    Messages:
    4
    In normal mode I switched to dos, did a dir with /s parameter.
    Found the file:

    05.09.2003 08:55 28_672 msupdt.exe

    Do I need to boot to safe mode again to delete it?

    Also, any idea for best protecting in the future?

    Regards
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Yes, boot to safe mode and delete the msupdt.exe file.

    I would say the first line of defense is your AV. I see you have Norton. I use it too and although I have it set to update automatically I still run Live update manually every day or two.

    Of course a well configured firewall is a must.

    I also think that all PC users should use Spybot, Adaware and SpywareBlaster.

    I always recommend the following.

    Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot", then click "Proceed".

    Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
    After getting the latest reference files you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Be sure and take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
    On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

    Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster on a weekly basis.

    And of course you have HijackThis which you can familiarize yourself with and run occasionally to check for unusual entries.
     

Short URL to this thread: https://techguy.org/165724