TechSpot

Virus/Worm Task Manager, Regedit, MsConfig Closes .5-1 Sec

By SkankingMakar
Feb 17, 2005
  1. Hello, I have taken all the precautions posted by black. I still have the virus and there seems to be no end. I ran Spybot and it came up with two things:
    -Wild Tangents (2 entries)
    -DSO Exploit (4 entries)
    When I hit fix it goes through, and then stops and gives an error that it can't find WDEngine.dll.
    I have run Adware, Panda, CWShredder, Norton Antivirus 2005, Spybot and HIJack all in safemode without success.
Below are the results of my HijackThis scan after following all of black's directions (http://www.techspot.com/vb/topic17297.html).

    Logfile of HijackThis v1.99.1
    Scan saved at 5:41:30 PM, on 2/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Vince\My Documents\Anti Virus\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AlienAutopsy] "C:\Program Files\AlienAutopsy\Test_BS.exe" -h
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\RunOnce: [Winamp Player 6] WINAMP6.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.madonion.com/global/msc34.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Any help would be greatly appreciated. I have already gotten rid of the AIM aspect of my problem, which used to pop up an away msg with the intent of spreading the virus. When I'm in Safe Mode, the virus does not run. Task Manager, Msconfig, and Regedit all run in Safe Mode. Normal mode is when I have the problem.

    Thanks,
    Vince
     
  2. SkankingMakar

    SkankingMakar TS Rookie Topic Starter

    Update

    This is an updated Hijack log. I did this one after I disabled all non windows start ups in msconfig during safe mode.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:43:53 PM, on 2/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WINAMP6.EXE
    C:\Program Files\Common Files\Symantec Shared\Nmain.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Vince\My Documents\Anti Virus\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [Winamp Player 6] WINAMP6.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

    I hope that helps, thanks.
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    No, that second log was total rubbish, because it does not show what your PC normally would do. You have falsified your PC contents that way!

    Based on the first log:

    Boot in Safe Mode
    Switch off System restore
    Try to UNinstall anything to do with:
    C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe (this is a FALSE one)

    Next, run HJT on its own and let it 'fix' if still there:
    C:\WINDOWS\system32\WINAMP6.EXE ==>> only useful line from second log <<==
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunOnce: [Winamp Player 6] WINAMP6.EXE
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.madonion.com/global/msc34.cab

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Stop using IE, except for Windows-updates.
    Install Firefox instead from http://www.getfirefox.com

    Boot normal.
    If all OK, put System Restore back on.
     
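The lines RealBlackStuff singles out above share a pattern that can be checked mechanically: the O4 entries for WINAMP6.EXE carry a bare file name (no directory, so Windows finds it via the PATH, and the second log shows it living in C:\WINDOWS\system32), and the same name is registered under both HKLM\..\Run and HKCU\..\RunOnce. The script below is an added example, not part of this thread or of HijackThis, that parses the O4 lines of a HijackThis log and scores them on those two signals. The heuristic, the LOADERS set, and the function names are this example's own assumptions; the sample log lines are copied from the first log posted in this thread.

```python
r"""Triage the O4 (autostart) lines of a HijackThis v1.99 log.

Added example; not part of the thread or of HijackThis. Two signals are combined:
  1. a bare executable name (no directory), which Windows resolves through the
     PATH, so a file dropped into C:\WINDOWS\system32 runs under a harmless name;
  2. the same name registered under both Run and RunOnce.
An entry that trips both signals is reported as "likely malicious"; a bare name
alone is "verify by hand", because legitimate driver helpers use bare names too.
"""
import re

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Loader executables whose *argument* is the real autostart payload (assumption:
# only these two are treated specially).
LOADERS = {"RUNDLL32.EXE", "REGSVR32.EXE"}


def tokens(cmd):
    """Split a command line on spaces, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def payload(cmd):
    """Return the file that actually gets loaded by an O4 command line."""
    parts = tokens(cmd)
    if not parts:
        return ""
    exe = parts[0]
    if exe.upper() in LOADERS:
        # rundll32 "C:\path\x.dll",Entry   /   regsvr32 /S x.dll
        args = [a for a in parts[1:] if not a.startswith("/")]
        if args:
            return args[0].split(",", 1)[0]
    return exe


def parse_o4(log_lines):
    """Yield one dict per O4 Run/RunOnce/RunServices line in a HijackThis log."""
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["file"] = payload(entry["cmd"])
            yield entry


def triage(log_lines):
    """Map upper-cased payload name -> verdict string (only flagged entries)."""
    keys_by_file = {}
    bare = set()
    for e in parse_o4(log_lines):
        f = e["file"].upper()
        keys_by_file.setdefault(f, set()).add(e["key"])
        if "\\" not in f:          # no directory component: resolved via PATH
            bare.add(f)
    verdicts = {}
    for f, keys in keys_by_file.items():
        dual = {"Run", "RunOnce"} <= keys
        if f in bare and dual:
            verdicts[f] = "likely malicious: bare name in both Run and RunOnce"
        elif f in bare:
            verdicts[f] = "verify by hand: bare name resolved via PATH"
        elif dual:
            verdicts[f] = "verify by hand: full path in both Run and RunOnce"
    return verdicts


# Lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Winamp Player 6] WINAMP6.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
""".strip().splitlines()

if __name__ == "__main__":
    for file, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{file:20} {verdict}")
```

On the thread's own log this reports WINAMP6.EXE as the only entry tripping both signals; nwiz.exe, CTHELPER.EXE and CTASIO.DLL are flagged only as bare names, which is why the second signal matters: a bare name alone is common for NVIDIA and Creative helpers.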
  4. SkankingMakar

    SkankingMakar TS Rookie Topic Starter

    I tried doing all of the above and I still have the worm/virus :(

    This is what comes up when I run Spybot, it isn't able to fix these.

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-3791268304-1061356862-3921390923-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    I was able to download a free registry editor at http://www.resplendence.com/reglite.
    I now can see the registry, but I don't know what I should fix about it.

    Thanks
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  6. SkankingMakar

    SkankingMakar TS Rookie Topic Starter

    Still no success; even though Spybot says it fixes the problems, if I run it again the same problems show up.
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    The entry 1004!=W=3 in Regedit on my PC shows as follows:
    1004 REG_DWORD 0x00000003(3)
    Perhaps SSD shows this in a different way? It looks like it would be OK.
    Look in your Regedit.
    Click Start/Run, type in regedit and click OK.
    Then go to any one of those keys. If they look the same as my example, it must be a glitch in SSD's way of displaying.

    Anyway, they have nothing to do with a virus.
    Show us your new HJT-log.
     
  8. excelman

    excelman TS Rookie

    realblackstuff wrote:

    "Anyway, they have nothing to do with a virus.
    Show us your new HJT-log."

    It most certainly is a virus, "Realblackstuff."

    I suggest the original poster take a look at this entry from HiJack this:

    winamp6.exe

    Search for this on www.symantec.com and all will be revealed.

    I am personally still working on getting rid of the nasty thing. I'll post back if I find a reasonable solution.
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    I advised SkankingMakar

    Next, run HJT on its own and let it 'fix' if still there:
    C:\WINDOWS\system32\WINAMP6.EXE ==>> only useful line from second log <<==

    and a few more things.
    So the SSD problem AFTERWARDS had nothing to do with a virus, if he had let HJT 'fix' it, OK?
     
  10. excelman

    excelman TS Rookie

    realblackstuff Stated:

    "I advised SkankingMakar

    Next, run HJT on its own and let it 'fix' if still there:
    C:\WINDOWS\system32\WINAMP6.EXE ==>> only useful line from second log <<==

    and a few more things.
    So the SSD problem AFTERWARDS had nothing to do with a virus, if he had let HJT 'fix' it, OK?" (end quote)


    realblackstuff,

    I see what you mean, now. You were referring ONLY to the pesky "DSO Exploit" errors in Spybot. However, those had nothing to do with the original poster's (and my current!) problem of MSCONFIG, Task Manager and Regedit all failing to run for more than 1 second.

    This is clearly virus activity and has a lot to do with that dang WINAMP6.EXE entry on HJT that WILL NOT GO AWAY using Hijack this only.

    I'm still working on a fix.

    UPDATE: Earlier this morning, I did this same thing to no avail, but this time it appears to have worked: I started up in Safe Mode, ran REGEDIT and removed every entry for anything related to WINAMP6.EXE I could find. This time, it appears to have worked. I can now run Task Manager, REGEDIT and MSCONFIG in normal mode to my heart's content.

    The only thing I did differently was to also delete the registry folders the WINAMP6.EXE file was located in. Caution: If anyone else reads this, don't delete ANYTHING from the registry until you back it up first!

    Anyway, a few more HJT and other scans and I think I might just have this dang thing whooped . . . whatever it was.

    I'll post back if it regenerates.
     
  11. jezzalinco

    jezzalinco TS Rookie

    Best Solution

    Hi guys,

    The best solution for this is to backup all your docs, and give the machine a reformat, then make sure you have an updated antivirus installed.

    My recommendation for antivirus is Avant antivirus, along with installing Ad Aware Personal Edition.

    Thanks,

    Jezzalinco
     
  12. hynesy

    hynesy TS Maniac Posts: 389

    My advice is to download a trial of BitDefender 9 Internet Security; this powerful antivirus engine has stopped and killed many malicious threats on my system, and it also updates every hour so you're never out of date.
    They also offer 24 LIVE help for any virus, trojan, adware, spyware, etc.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Old thread guys, look at the date lol.

    Done it myself a few times when I first became a member.

    Regards Howard :)
     