[Unresolved] Task manager, regedit, cmd disappears after opening

By brusko
Jan 18, 2008
  1. Even the Folder Options window disappears... please help, thanks


  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Can be a memory (RAM) issue

    Quick look at log looks OK
    Mind you, you have putty running twice and Network Diagnostics running
    and all the normal stuff.
    You could download and run CCleaner and also Startup and remove most of the unwanted stuff
    Then defrag
    Then run memtest

    Also ensure your Antivirus is fully updated and scanned

    Check Disk is also a good idea

    Open My Computer
    Right Click on C drive
    Select Properties
    Select Tools tab
    Select Check Now button
    Tick "Automatically fix file system errors"
    Start YES OK
    Restart your computer
    Wait for Check Disk to start/finish

    Then test again
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I'm not an expert at reading HJT logs so feel free to wait for somebody else's opinion, but looks like you are infected with W32/Sdbot-DIQ worm

    I suggest that you read Is your system infected? Read this before Cleaning or Formatting

    Then if you decide to attempt to clean your system follow Viruses/Spyware/Malware, preliminary removal instructions exactly and post the requested logs as attachments.

    Since you already have HJT, you need to rename the .exe file to Crusty.exe because some malware can hide from hijackthis.exe
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Blind Dragon is referring to C:\WINDOWS\xmss.exe
    Please locate this file and delete it (you will also need to end the process in Task Manager first)

    Also open Regedit and search for the xmss.exe, and delete all instances of it
  5. brusko

    brusko TS Rookie Topic Starter

    I have executed PuTTY. It seems it was also affected (it disappeared also).

    Anyway, I saw one problem. I have a virus (an avi.exe file located in the root folders). I have found a fix on the net, and can now execute apps.

    Attached is my current log (created a copy of HijackThis and renamed it to bwahaha.exe). I've noticed a reboot.exe. I think this came with my ECS motherboard. Should I remove this, as said on some sites?

    Another observation from my system: when I edit my folder options, it seems it doesn't update my choice to "show hidden files and folders". It always goes back to "do not show..."

    thanks for the help.
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    F2 - REG:system.ini: Shell=explorer.exe, xmss.exe is still there.

    This file may also have a Hidden attribute (which is a little annoying, seeing as you can't show hidden files)

    Do a search, all files and folders, Advanced, include system/hidden files in your Windows directory for XMSS
    Then delete it


    Also Start - Run - Sysedit
    Maximize system.ini window, and delete the line with Shell=explorer.exe, xmss.exe
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The file extension .avi.exe is meant to disguise the executable file as an avi movie. In a Windows system with all default settings, only Funny UST Scandal.avi is visible (the .exe extension is hidden).

    Software used to build the virus: AutoIt V3
    Dropped files: killer.exe (4084 kb)
    in c:\windows\lsass.exe (3920 kb)
    in c:\documents and settings\all users\start menu\programs\startup\smss.exe (4088 kb)
    in all root drives and in c:\windows

    autorun.inf(1kb) in all root drives with a script

    I actually have a copy of the script open in notepad right now.

    I am not supposed to help with HJT logs yet, as I am still learning but if it was on my machine this is what I would do.

    1) Download Taskkiller

    2) Run Taskkiller and left click it in the system tray (the one with a skull icon)
    Click processes to close the virus
    Close the following:

    close only files that have the same icon of Funny UST Scandal.avi.exe

    3) Now, click "start" then "run"
    • type “cmd” without quotes
    • type “cd\” without quotes
    • type “attrib -h -s smss.exe” without quotes
    • type “attrib -h -s autorun.inf” without quotes
    • type “start c:” without quotes (a new window will open)
    • select smss.exe, autorun.inf, Funny UST Scandal.avi.exe and delete it

    If there's any other drive or a partition, type "d:" in command prompt without quotes ("d" is the drive letter), then repeat the CMD steps above
    • now type on the command prompt “cd windows” without quotes.
    • type “attrib -h -s smss.exe” (without quotes)
    • type “start c:\windows” (without quotes)
    • delete the file smss.exe
    • now, goto c:\documents and settings\all users\startmenu\programs\startup
    • delete lsass.exe

    4) Click "start" then "run"
    • type “regedit” without quotes
    • Navigate and remove the following entry HKLM\Software\Microsoft\WindowNT\CurrentVersion\Winlogon=shell(killer.exe)
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    This infection allows outsiders complete access to every keystroke, account, and password you use while on this machine.

    IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and reinstall your operating system and applications. You also may want to notify your bank if you do online banking; change your password right away.
  9. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Your information is very useful except the reformat option (I think this may be a bit extreme and also not needed).
    Everyone has important information, usually the whole world can see without worrying much.
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The reason for my suggestion is due to the fact that we can probably clean the infected files, but it is not worth the risk of having your bank account hacked. We cannot be sure that the infection didn't do something to the system to reduce the system security. If that's the case, it could be subject to another attack or takeover as soon as you reconnect to the internet, even after removal of the infection.

    It really depends on the usage of the computer. If you do online banking I would strongly suggest you disconnect now and change any sensitive account info ASAP.
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Still not needed

    There are thousands of spyware/malware reports on the Internet, and normally only 1% reformat due to it
    Credit cards and so forth are usually made under https and unless you're screen dumping your browsing to the Internet, it's not an issue.
    Not that we know brusko is using credit cards so forth.

    I say remove the Trojan/malware using your recommendations yes
    Reformat - no

    Have a good personal firewall on (and updated) - yes
  12. momok

    momok TS Rookie Posts: 2,265

    I would not think so. In any case where the infected system has been used for online banking, shopping or any financial/credit card related activities, I strongly encourage the reformat. The risk is simply too high, and as voluntary helpers in an online forum, we have no authority to guarantee any safety to the user's sensitive information. If it has not, then we can help to clean the infection. In any case, it is definitely within our responsibility to alert the user about the dangers if his/her system was used for banking etc.

    We leave the choice entirely up to the user though.

  13. brusko

    brusko TS Rookie Topic Starter

    I think it's fixed now. Or is it?

    The only problem I have now is the "show hidden files and folders" not working...
  14. momok

    momok TS Rookie Posts: 2,265

    No it's not. These entries should not be there. I'll leave it to the rest to provide the proper clean up instructions.

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
    O4 - Global Startup: Reboot.exe
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    alcmtr.exe is a process installed alongside Realtek AC97 audio hardware and provides a monitoring service. This program is a non-essential process, but should not be terminated unless suspected to be causing problems
    From here:

    Run CCleaner again as well

    You can also download Task Killer 2.30 if task manager cannot be used, to remove running processes.
    Once installed just single click on the taskbar icon, and unload any process from memory.

    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')

    Is just stating that after restart a Temp folder will be created (which should exist anyway).

    O4 - Global Startup: Reboot.exe

    I don't like this one exactly

    Just run Startup and remove this line
    Restart and repost log
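    A small triage script for the kinds of HJT lines discussed in this thread (the F2 Shell= line from post 6 and the O4 entries from posts 14 and 15). This is an added example, not code from the thread or from HijackThis; the sample log lines are constructed to mirror the ones quoted above, and the lookalike-name set is the script's own assumption about which core Windows process names should never appear in an autostart entry.

```python
import re

# Constructed sample HijackThis (HJT) lines, modelled on the entries quoted in this thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=explorer.exe, xmss.exe
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O4 - HKUS\\S-1-5-19\\..\\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\\Local Settings\\Temp" (User 'LOCAL SERVICE')
O4 - Global Startup: Reboot.exe
O4 - Global Startup: smss.exe
"""

# Names that belong only to core Windows processes the OS itself starts from
# System32; one of them in a Run key or Startup folder is a copycat file (assumed set).
SYSTEM_LOOKALIKES = {"smss.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")

def parse_shell(line):
    """Return the executables listed on an 'F2 - REG:system.ini: Shell=' line, or None."""
    m = re.match(r"^F2 - REG:system\.ini: Shell=(.*)$", line)
    if not m:
        return None
    return [p.strip().lower() for p in m.group(1).split(",") if p.strip()]

def parse_o4(line):
    """Split an O4 autostart line into (location, entry name, command), or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    return m.group("where"), m.group("name"), m.group("cmd")

def triage(log_text):
    """Return (severity, reason, line) findings for the HJT lines that matter here."""
    findings = []
    for line in log_text.splitlines():
        shell = parse_shell(line)
        if shell is not None:
            # Only explorer.exe belongs on the Shell= line; anything else is an add-on.
            extra = [e for e in shell if e != "explorer.exe"]
            if extra:
                findings.append(("high", "extra shell executable: " + ", ".join(extra), line))
            continue
        o4 = parse_o4(line)
        if o4 is None:
            continue
        where, _name, cmd = o4
        exe = cmd.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
        if exe in SYSTEM_LOOKALIKES:
            findings.append(("high", f"system-process name {exe} autostarting from {where}", line))
        elif where == "Global Startup":
            findings.append(("review", "runs for every user at logon", line))
        elif exe == "cmd.exe" and " md " in cmd:
            findings.append(("info", "RunOnce only creates a folder", line))
    return findings
```

    Running `triage(SAMPLE_LOG)` flags the xmss.exe shell add-on and the startup-folder smss.exe as high, the Reboot.exe global startup entry for review, and the folder-creating RunOnce as informational only.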
  16. momok

    momok TS Rookie Posts: 2,265

    Please see HERE.
    Of course, the user may choose to leave it running, though I myself would disable it.
  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Apologies for double post
    But this link requires its own post I feel

    For cleanly removing XMSS.exe

    Please report back with results

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

    Thank-you momok for returning
    Yes it is advisable to disable the startup entry for this (but not to delete the file itself)
    momok has helped me understand this - thank-you (truthfully)
  18. brusko

    brusko TS Rookie Topic Starter

    Yup, used the fix for the avi.exe file earlier.

    Disabled alcmtr at startupcpl... but can't find an entry for reboot.exe. I used msconfig to disable reboot.exe.

    What should I do with the
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
    Should I remove these?
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    As I am not as proficient as momok in dealing with this, I must say yes, remove them also.

    Also D:\utils\heyjack.exe
    Looks as though this file on D drive may not be good either

    Then restart
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I would have thought CCleaner would have gotten those entries

    They are safe to remove
  21. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    No CCleaner doesn't remove any startup entries only Temp files and whatnot
  22. brusko

    brusko TS Rookie Topic Starter

    Hope there's no more.

    Thanks guys for the help.
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    It's such a long log because of so much stuff; I suppose when running Startup Control Panel you haven't decided to disable lots of things starting

    D:\utils\heyjack.exe is still in the list, this MUST be removed (as I stated 2 posts ago)
  24. momok

    momok TS Rookie Posts: 2,265

    I believe heyjack.exe is what brusko renamed his HijackThis to. There's no other process that refers to the HijackThis running process.

    Brusko: please reboot your system and post a new HijackThis log.

    Edit: Thread closed due to lack of response. Should the original starter require it to be reopened, please PM a mod.