Can't run regedit, hijackthis, etc


This topic is locked
3 replies to this topic

#1 stwhidden
New Member, 1 posts

Posted 26 July 2004 - 10:12 PM

So I'm pretty sure I've been hijacked - I can't open regedit, HijackThis, Task Manager - start the program, it pops open for a second, and then is closed out of its own accord... and I found and removed Internet Optimizer on the system. However, I still can't run the above programs, and password sites now just get an error message...

Here's my HijackThis log (obtained through pure luck by repeated clicking...). Any help would be greatly appreciated...


Logfile of HijackThis v1.97.7
Scan saved at 11:03:05 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PROMon.exe
E:\Program Files\iPod\Bin\iPodWatcher.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\System32\snvudc.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\ni_nic.exe
C:\WINDOWS\System32\NMSSvc.exe
E:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Documents and Settings\the_whiddens\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [iPodWatcher] E:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeVersionCue] e:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Windows Media Player] snvudc.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKLM\..\RunServices: [Windows Media Player] snvudc.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winupdt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Media Player] snvudc.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKCU\..\RunServices: [Windows Media Player] snvudc.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{327746A4-B0FA-4128-BB71-6CA49FFB7802}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{327746A4-B0FA-4128-BB71-6CA49FFB7802}: NameServer = 192.168.2.1

#2 boyettenj@272
New Member, 3 posts

Posted 01 August 2004 - 05:01 PM

I had a similar problem with msconfig and regedit. I can only run them in safe mode. Today I downloaded and ran the latest copy of stinger from the McAfee site. It found/repaired all of my files that were infected with the W32/Pate.b virus. Both msconfig and regedit are now running ok. So give it a try.

#3 WinHelp2002
Taking back the Internet
Global Moderator, 5,365 posts

Posted 01 August 2004 - 09:17 PM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer | Tools | Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open programs and browsers, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll (file missing)
O4 - HKLM\..\Run: [Windows Media Player] snvudc.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKLM\..\RunServices: [Windows Media Player] snvudc.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winupdt.exe
O4 - HKCU\..\Run: [Windows Media Player] snvudc.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKCU\..\RunServices: [Windows Media Player] snvudc.exe


Then reboot; on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\snvudc.exe <--this file
C:\WINDOWS\System32\winupdt.exe <--this file

Restart normally and then ... Download HijackThis! 1.98.1

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
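The entries the moderator singles out above share a recognisable shape in the HijackThis log: a bare filename with no path, a display name borrowed from a Microsoft product, the same executable registered under several Run/RunServices keys, and a BHO whose DLL is gone. As an added example that is not part of this thread, here is a small Python triage pass over the O2/O4 lines of such a log (sample lines constructed from the log above; the heuristics are my own, not HijackThis's):

```python
import re
from collections import defaultdict

# Constructed sample: O2/O4 lines taken from the thread's log plus one benign O4 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Media Player] snvudc.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winupdt.exe
O4 - HKLM\..\RunServices: [Windows Media Player] snvudc.exe
O4 - HKCU\..\Run: [Windows Media Player] snvudc.exe
O4 - HKCU\..\RunServices: [Windows Media Player] snvudc.exe
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll (file missing)
"""

# O4: "O4 - <hive>\..\<key>: [<display name>] <command>"; O2: "... - <dll>[ (file missing)]"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .* - (?P<path>.+?\.dll)(?P<missing> \(file missing\))?$")

def executable_of(cmd):
    """Program token of an O4 command: the quoted path, or the first whitespace-separated word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def triage(log):
    """Return {log line: [reasons]} for O4/O2 entries worth a closer look (my own heuristics:
    bare filename, Microsoft-sounding name on it, several Run/RunServices keys, missing BHO DLL)."""
    findings = defaultdict(list)
    keys_by_exe = defaultdict(set)  # bare executable -> {(hive, key)}
    for line in log.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            if "\\" in exe:
                continue  # full path given; nothing to flag with these heuristics
            keys_by_exe[exe.lower()].add((m["hive"], m["key"]))
            findings[line].append("bare filename, resolved by PATH search at logon")
            if re.search(r"\b(microsoft|windows)\b", m["name"], re.I):
                findings[line].append("Microsoft-sounding display name without a full path")
            continue
        m = O2_RE.match(line)
        if m and m["missing"]:
            findings[line].append("BHO points at a missing DLL; dead entry")
    for line, reasons in findings.items():  # second pass: redundant persistence
        m = O4_RE.match(line)
        if m and len(keys_by_exe[executable_of(m["cmd"]).lower()]) > 1:
            reasons.append("same executable registered in multiple Run/RunServices keys")
    return dict(findings)
```

The benign QuickTime entry is left alone, while every snvudc.exe entry collects all three reasons and the BHO line is flagged only for its missing DLL.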

#4 WinHelp2002
Taking back the Internet
Global Moderator, 5,365 posts

Posted 01 October 2004 - 04:51 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike
