TechSpot

Blocked: regedit, msconfig, task manager processes, HJT, various keywords

By Ranilin
Dec 26, 2004
  1. Okay, I couldn't really get the descriptive title down, because well.. I'll just describe all of my symptoms. :)

    First thing I noticed is other computers on the network no longer can access the root directory of my shared folders to see what folders are BEING shared. However, knowing the name to any shared folder, you can still access them perfectly fine. Just not get a list of all of them at once anymore.

    Next thing I noticed was my Task Manager. It opens just fine, sure. However, the processes screen is completely grayed out. And it's not from needing to double-click the border or anything, I can switch through the tabs fine. The only thing wrong is when I switch to the Processes Tab, the list of running processes between the tabs at the top and the radio box "Show processes from all users" + "End Process" button is not there. It's simply a blank area the color of the rest of the border.

    So I tried to run HijackThis. Doesn't work. I moved it and renamed it. It opened this time, but closed almost instantly. The same goes for msconfig, regedit, etc.

    Starting to get annoyed, I rebooted into Safe mode. Everything is exactly as it is in normal mode: no access to processes in task manager, many helpful programs will not run no matter what I do, etc. I honestly have no clue at this point what's going on, it's gone beyond my knowledge.

    So I start up Firefox and go to google. My first search was fine, but I forget what keywords I used. My next attempt, I included the word virus, and the moment I hit enter (or clicked the submit button, I went through this a lot), my browser closes. So I load up Internet Explorer, just to check the same search. Closed instantly when I did the search. I've since found two more words that close my browser instantly when googling: monitor & security

    I actually found 'monitor' by accident because I was using FTP to transfer files a bit ago and one of the file names was something like "al_lhmonitor_tel". Every time that file tried to transfer, the FTP client would be closed. I reopen it and move that file further down the queue, the other files transfer fine, until that file is reached again. Closed. Renamed it, transferred it fine. And I have moved this file across via FTP before when it worked fine, about 16 days ago or so.


    Well, I think I have mentioned everything that I know so far. I've never had to actually ask for help because I've always been able to find it before, so this is a first. Anything you need I can provide quickly, whether it be screenshots, video recordings of it going on, whatever. I do this stuff normally, so it's not an inconvenience. It just seems like anything I try to do to even identify what the problem is has been thwarted before I ever got to that point.

    PS: Adaware 6, Spyware Blaster, and Spybot Search and Destroy could not find anything.

    Edited to add more stuff: Doug's emergency utilities does me no good. Also, I've tried using Process Explorer. Closed the instant it opens, safe mode or not.

    Also, I believe this computer is being used in a DoS attack. My other computers started timing out earlier, but the moment I pulled the plug on this one (just the ethernet, not power :p), everything else ceased to time out.
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Welcome to TechSpot
    Go to my thread here:
    How to remove Begin2Search / Coolwebsearch
    Go down to where you find Smartkiller. D/L and run that. Then do the rest of the thread from its start, and report back.
     
  3. Ranilin

    Ranilin TS Rookie Topic Starter

    Alright, Smartkiller didn't find anything. Just to be sure though, I went through your thread yet again, step by step. Everything is still locked to me, even in safe mode. Can't access process viewer nor HJT, even regedit and regedt32.

    Also, CWshredder finds nothing as well, but I was unclear on whether it was supposed to or not, or whether I was hoping for the side-effect of closing other applications to help. Still, no luck.

    What shall I do next? :)

    I wanted to see where all this data was going that my computer was sending out earlier, but I've also lost access to netstat. Dunno where it went..
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  5. sacki123

    sacki123 TS Rookie

    exact same problems..

    i seem to have the exact same problem .. (i´m running on win xp pro sp1 with firefox as browser)

    besides the things already mentioned i can't open my hardware device manager either ..

    i´ve tried spybot, Cws shredder, ad-aware, smartkiller and a few other spyware removers..none of them helped at all .. i tried the mcafee stinger thing.. it wont even open .. i know this looks a lot like cws (of course i already had my experience with that too )..but it´s seems to be something worse :mad:


    @ Ranilin : it would be interesting to know if you use irc ? because that´s like the only thing i could imagine getting this from ..



    i´m scanning my system with "Antivir Personal Edition" right now.. that´s like the only vir prog i can open (or even open the website without my browser closing instantly)

    EDIT : didn't show anything..


    i still hope anybody on here could help me out..
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Have you guys got a self-booting CD with an antivirus-program on it?
    Maybe that could clean up the mess enough to do a Repair of your OS.
     
  7. sacki123

    sacki123 TS Rookie


    no.. unfortunately not.. is there a tutorial anywhere on the web for making one ?

    but i think i finally got a little bit further in finding a way to kill this virus..

    i tried "Spy Sweeper" and first made it do a deep scan..it turned up some hijackers and adware programs ..i couldn't make it delete them because my testing period already expired..
    but spy sweeper has some other features..like letting me edit my startup files.. (which i couldn't do until now because my msconfig wont turn up..)

    here are my current startup files (do any of them look suspicious ? i suppose some are ) :


    Item Name                    Path
    AVGCTrl                      C:\Program Files\AVpersonal\AVGNT.exe
    (that´s my virus-scanner i guess)
    CheckInit                    dllserve.exe
    CheckInit                    dllserve.exe
    CheckInit                    dllserve.exe
    C-Media Mixer                Mixer.exe
    DllCacherv2                  C:\Windows\System32\dllcachev2.exe
    getright.exe                 C:\Programm Files\Getright\getright.exe
    (my download manager)
    IPConfig                     svcnw32.exe
    IPConfig                     svcnw32.exe
    Microsoft Winsock Wrapper    C:\Windows\System32\ws2_32.exe
    mouself                      C:\Progra~1\KYE\Genius~1\mouself.exe
    (my genius mouse)
    MsnMsgr                      C:\Program Files\MSN Messenger\MsnMsgr.exe
    mswnvmx32                    explorer
    NBJ                          C:\Program Files\Ahead\NeroBackitup\NBJ.exe
    NvcplDaemon                  rundll32.exe C:\Windows\System32\Nvcpl.dll,NVstartup
    NVMediacenter                rundll32.exe C:\Windows\System32\NvMcTray.dll
    Windows Restore Services     mrestore.exe
    Windows Restore Services     mrestore.exe
    Windows Restore Services     mrestore.exe

    all this typing better help something lol

    i hope someone here can tell me if disabling some of them would help anything..

    any help is very appreciated !



    EDIT : I also just found out spysweeper also gives me a list of urls that have been hijacked (by checking if the ip address my hosts file contains (?) are correct) everything related to virus-protection..or windows update pages is hijacked..i´m about "to un-hijack" these now..
     
  8. sacki123

    sacki123 TS Rookie

    Finally a Hijackthis log ...

    I noticed that i can't see the processes in my process manager..but i could still browse them (without seeing what i´m doing though).. so i did that (by pressing up or down on my keyboard) and randomly clicked "end process" .. well.. after a few tries i seem to have killed the right process..i can view them now properly.. i´m also able to run hijack this and msconfig again (the only thing still not working is regedit)

    i ran stinger and it found some spybot sd variants.. i deleted the files in question and rebooted.. seems like that didn't help..because i had to randomly close processes again ..


    well .. here is my hijackthis logfile (that´s after the causing process has been ended.. i hope the experts will still see suspicious entries) :


    Logfile of HijackThis v1.99.0
    Scan saved at 23:06:42, on 01.01.2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\KYE\GENIUS~1\mouseElf.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWIN.EXE
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de
    F2 - REG:system.ini: Shell=Explorer.exe,dllserv.exe -shell
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: C:\WINDOWS\lbbho.dll - {E3794574-59E5-43E3-9E66-26BAE8ED1B67} - C:\WINDOWS\lbbho.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\KYE\GENIUS~1\mouseElf.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKLM\..\Run: [IPConfig] svcxnw32.exe
    O4 - HKLM\..\Run: [CheckInit] dllserv.exe -services
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [mswnvmx32] explorer
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [CheckInit] dllserv.exe -services
    O4 - HKCU\..\Run: [CheckInit] dllserv.exe -drivers
    O4 - HKCU\..\Run: [IPConfig] svcxnw32.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: RF - &Formular speichern - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: RF - &Menü anpassen - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: RF - Formular ausf&üllen - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Ausfüllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: RF - Formular ausf&üllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: RF - &Formular speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RF - RoboForm-S&ymbolleiste - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...1dd4eb01d54f:eeba47ee03d937f4aaa2edc6fc4885a4
    O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} - https://fastsend.com/products/Fsplugin.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
    O16 - DPF: {AD8D3C68-0C60-4B53-8A9E-BC654BBB36FE} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  9. sacki123

    sacki123 TS Rookie

    lol..now after 2 days of hardcore trial and error .... I present to you :

    *drums*

    dllserv.exe




    this is the process in question .. i downloaded Win Tasks Pro (trial) which the virus doesn't disable.. hence you're able to see and stop your processes... then i eliminated the dllserv.exe process ..everything seems to work fine now.. next it´s 'msconfig' and disabling the exe file from your start up .. i went the safe route and also deleted the file from my 'windows\system32\' path ..

    now everything seems to work perfect again ..


    there´s only one problem left : when i try to run regedit it tells me that my administrator has disabled regedit for me.. any way to work around this ?



    P.S. :
    Strange thing is : a google search for dllserv.exe turns up nothing..
     
  10. Frosty00

    Frosty00 TS Rookie

    I recently had a very similar problem.

    My regedit was blocked by administrator every time i restarted the computer, (i had to use adaware SE, which found it every time and fixed it). Also, after enabling regedit, under 10 seconds after opening, it would close, the same with MSCONFIG. And i tried the google search key words, of which i only had a problem with "virus" in which i had the exact same problem, except it would take around 7 seconds to close, not instantly.

    I checked my process list in the XP task manager, and ended several processes and checked whether IE would crash after the search for "virus". It finally worked after ending "regsrv.exe".

    After searching for this file, i found it in Windows/System32.
    I found another file along with my search... REGSRV.EXE-3568936E.PF
    I do not know if this file has anything to do with the other, but i felt it was worth posting.

    P.S. Upon searching for dllserv.exe i found nothing.
     
  11. papa_loa

    papa_loa TS Rookie

    I have had a very similar problem. I have compiled info I found on this site plus others, as well as my own experience and put it into a single thread on this site with the name "Nasty Trojan disables regedit, msconfig, antivirus, firewall, task manager, etc" (posted 02 Jan 05). I can't post the direct URL for some reason...

    I have not yet rid myself of it, but I have been able to get registry tool control back and been able to run NAV (it didn't find anything) and, after a quick edit of the hosts file, I am now running some online scans so we'll see what happens...
     
     
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Sacki123,
    your problems are not over yet. dllserv.exe is NOT the only one.

    Go to my post and follow exactly.
    How to remove Begin2Search / Coolwebsearch

    Then boot into Safe Mode.

    Uninstall Getright, it is adware. Afterwards, install Stardownloader from www.stardownloader.com

    Run HJT on its own, and let it "fix" (whatever is left after you followed my post above):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de
    F2 - REG:system.ini: Shell=Explorer.exe,dllserv.exe -shell
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: C:\WINDOWS\lbbho.dll - {E3794574-59E5-43E3-9E66-26BAE8ED1B67} - C:\WINDOWS\lbbho.dll

    O4 - HKLM\..\Run: [IPConfig] svcxnw32.exe
    O4 - HKLM\..\Run: [CheckInit] dllserv.exe -services
    O4 - HKLM\..\Run: [mswnvmx32] explorer
    O4 - HKLM\..\RunServices: [CheckInit] dllserv.exe -services
    O4 - HKCU\..\Run: [CheckInit] dllserv.exe -drivers
    O4 - HKCU\..\Run: [IPConfig] svcxnw32.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    ----->>> If HJT does not do it, set this to 0
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    ----->>> Follow instructions at bottom of my above post
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...aa2edc6fc4885a4
    O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} - https://fastsend.com/products/Fsplugin.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
    O16 - DPF: {AD8D3C68-0C60-4B53-8A9E-BC654BBB36FE} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab

    When done, delete the bold files.
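As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage of the pattern visible in sacki123's log and in the fix list above: the extra Shell= entry, Run entries that name a bare executable with no path, the same entry name registered in several autostart locations, the DisableRegedit policy and the broken LSP. The sample lines are copied from the log posted above; every hit is a review item rather than a verdict, since the legitimate C-Media Mixer.exe trips the bare-executable rule exactly as dllserv.exe does.

```python
"""Triage a HijackThis log for the persistence pattern seen in this thread."""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe,dllserv.exe -shell
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [IPConfig] svcxnw32.exe
O4 - HKLM\..\Run: [CheckInit] dllserv.exe -services
O4 - HKLM\..\Run: [mswnvmx32] explorer
O4 - HKLM\..\RunServices: [CheckInit] dllserv.exe -services
O4 - HKCU\..\Run: [CheckInit] dllserv.exe -drivers
O4 - HKCU\..\Run: [IPConfig] svcxnw32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
"""

# O4 lines of the form: O4 - <location>: [<entry name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def split_command(cmd):
    """Return (executable, arguments) for a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):            # quoted path, may contain spaces
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def is_qualified(token):
    """True when the token carries a location (drive letter or directory separator)."""
    return bool(re.search(r"[\\/:]", token))


def triage(log_text):
    """Return (rule, subject, detail) review items for a HijackThis log.
    A hit means 'look at this', not 'malicious'."""
    findings = []
    autostart_names = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "Shell=" in line:
            shell = line.split("Shell=", 1)[1]
            parts = [p.strip() for p in shell.split(",")]
            if len(parts) > 1 or parts[0].lower() != "explorer.exe":
                findings.append(("shell", shell, "Winlogon Shell should be exactly Explorer.exe"))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:                   # e.g. Global Startup .lnk lines
                continue
            name, cmd = m.group("name"), m.group("cmd")
            autostart_names[name.lower()] += 1
            exe, args = split_command(cmd)
            if exe.lower() in ("rundll32.exe", "rundll32"):
                dll = args.split(",")[0].strip()   # the DLL rundll32 loads
                if not is_qualified(dll):
                    findings.append(("bare-dll", dll, f"[{name}] DLL located via search path"))
            elif not is_qualified(exe):
                findings.append(("bare-exe", exe, f"[{name}] resolved via PATH/System32, no fixed location"))
        elif line.startswith("O7 - ") and re.search(r"Disable(Regedit|TaskMgr)\s*=\s*1", line):
            findings.append(("policy", line.split(",", 1)[-1].strip(), "admin-tool lockout policy set"))
        elif line.startswith("O10 - "):
            findings.append(("lsp", line, "Winsock LSP chain damaged"))
    for name, n in autostart_names.items():
        if n > 1:
            findings.append(("multi-autostart", name, f"same entry name in {n} autostart locations"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:16} {subject:40} {detail}")
```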
     
  13. sacki123

    sacki123 TS Rookie

    thanks realblackstuff for the help .. i will do all of the later on (i´ll let you guys know if everything is working after that)


    what bothers me the most about this virus/trojan/whateverware is that none of the internet based virus-dictionaries/archives listed anything about this .. like i said ..a google search turns up little to no results..

    @papa_loa i think your thread is a good idea .. you could add the hardware device manager to the list of blocked applications.. plus another thing i just noticed is : when i clicked on "my computer" it wouldn't show the device names or drive letters of my hard drives..
     
  14. LNCPapa

    LNCPapa TS Special Forces Posts: 4,336   +280

    papa_loa (feels odd calling someone else papa) - once you've made another post you will be able to post links. You must have a minimum of 3 posts before you can post hyperlinks.
     
  15. Funbox

    Funbox TS Rookie

    I had to register to these forums just because of this.

    THANK YOU, realblackstuff, and also to Ranlin for posting keywords which matched my Google search.... or else this horrible annoying problem would still be plaguing me for a long time.

    BTW, are there any side effects to this? Like, what exactly was the purpose of the virus itself? Was it just one that malignantly blocked you from getting rid of it, or does it do other things to the computer in the background?
     
  16. colt18

    colt18 TS Rookie

    Hey guys i'm also facin' wit da same problem. i used wintask 5 pro utility. this program gives short descriptions about processes runnin' on u'r system. while i was looking at processes i found something interesting named as process.exe under the windows\system32 folder. no explanation was written about it. i stop the process and block it to prevent its running. at last system turned on. now i'm able to open regedit and msconfig. also the command prompt. and this trojan or virus whatever else was uploading information from my system and making my connection very very slow for sure. i have a 512/128 download/upload connection and sent bytes was 4 times more than received bytes. that means some threads from the connection. also avast was stopping some attacks from some tcp servers. now all the problems solved. ready to use my machine again.
     
  17. hkparali

    hkparali TS Rookie

    The simple way...

    I just faced the same problem. I read the whole page for three times. But I have no internet connection other than a dial up connection. So I must have a cure without any download and upload programs. So I just did the following.
    First of all download "Hijack this" from some site.
    1. Paste the following into your Run window.
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /d 0 /f
    then press enter.
    2. A DOS mode window will flash in front of you. Very quickly press Alt+Ctrl+Del then go to Processes tab and simply press Del button after selecting a process that you have not seen before. Then click Yes button (don't worry that your system will hang or do anything like that, if it is a critical process system will alert you.)
    3. Then Quickly run "Hijack This" or "Crusty" whichever the name you given.
    You can see some processes inside Regedit -> Run that will look suspicious to you. Fix them undoubtedly.
    4. The log file may look like the follows.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:24:41 AM, on 1/10/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\blue\BTNtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\blue\BTNtService.exe

    --
    End of file - 1609 bytes
    Thanks, hereby you got rid of the virus successfully.
     
  18. hkparali

    hkparali TS Rookie

    Problem is with the regedit

    I was really blowing out with this kind of problems. As I only have my good old PC I can't simply format it and reinstall everything as it will take 4 to 5 hours of a good day.
    I was really searching for useful info.
    at last I found that the problem is in the Registry editor (regedit). going through the files I found after a check with the HJT the problem is in the following path.

    HKCU\Software\microsoft\windows\current version\policies\system, Disable Regedit=1

    I manually deleted the file from regedit.

    BUt it came again after a refresh.

    Can anyone suggest a way to create a file that will delete this entry whenever it comes live..


    or can anyone make a guess what is the cause of this reincarnation?
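An added example (not from this thread) for the DisableTaskMgr and DisableRegedit values in the two posts above: it clears them under both HKCU and HKLM, then re-reads them a few times to show whether something is setting them again, which is the "reincarnation" hkparali describes and points at a running process rather than the registry itself. It assumes Windows with Python's standard winreg module, and that the HKLM part is run from an administrator account.

```python
"""Reset the regedit / Task Manager lockout policies and watch whether they
come back. The registry access is Windows-only (standard 'winreg' module);
the decision helpers are plain Python and load anywhere."""
import time

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
LOCKOUT_VALUES = ("DisableRegedit", "DisableTaskMgr")
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")


def lockouts_set(values):
    """Names whose data is a non-zero DWORD; values maps name -> data or None."""
    return [n for n in LOCKOUT_VALUES if values.get(n) not in (None, 0)]


def count_reappearances(snapshots):
    """Given the values read after each reset, count how often each lockout
    was set again: a non-zero count means a running process re-writes it,
    and that process (not the registry value) is what has to be removed."""
    counts = {n: 0 for n in LOCKOUT_VALUES}
    for snap in snapshots:
        for n in lockouts_set(snap):
            counts[n] += 1
    return counts


def read_policy(hive_name):
    """Read the lockout values from one hive; absent key or value -> None."""
    import winreg  # imported here so the helpers above work off Windows too
    hive = getattr(winreg, hive_name)
    values = {n: None for n in LOCKOUT_VALUES}
    try:
        with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
            for n in LOCKOUT_VALUES:
                try:
                    values[n] = winreg.QueryValueEx(key, n)[0]
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass  # no Policies\System key at all: nothing is locked
    return values


def clear_lockouts(hive_name, names):
    """Set the named values to 0 (same effect as the REG ADD ... /d 0 above).
    HKLM needs administrator rights; otherwise this raises PermissionError."""
    import winreg
    hive = getattr(winreg, hive_name)
    with winreg.CreateKeyEx(hive, POLICY_SUBKEY, 0, winreg.KEY_SET_VALUE) as key:
        for n in names:
            winreg.SetValueEx(key, n, 0, winreg.REG_DWORD, 0)


def watch(rounds=6, interval=5.0):
    """Clear the lockouts, then re-read them 'rounds' times a few seconds
    apart; returns per-hive counts of how often each value came back."""
    report = {}
    for hive_name in HIVES:
        snapshots = []
        for i in range(rounds):
            values = read_policy(hive_name)
            snapshots.append(values)
            if lockouts_set(values):
                clear_lockouts(hive_name, lockouts_set(values))
            if i < rounds - 1:
                time.sleep(interval)
        # the first snapshot is the starting state, not a reappearance
        report[hive_name] = count_reappearances(snapshots[1:])
    return report


if __name__ == "__main__":
    for hive_name, counts in watch().items():
        print(hive_name, counts)
```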
     
  19. Visnew

    Visnew TS Rookie Posts: 16

    I bet you have what I have... Search google for hsfd83jfdg.dll & look @ result 1 & 3. this will tell you (& helpers here) what it does. basically all you do is inverse everything it does (in safe mode). pretty simple really.
     