[Unresolved] Task manager, regedit, cmd disappears after opening

Status
Not open for further replies.
Can be a memory (RAM) issue

A quick look at the log looks OK
Mind you, you have putty running twice and Network Diagnostics running
and all the normal stuff.
You could download and run CCleaner and also Startup and remove most of the unwanted stuff
Then defrag
Then run memtest

Also ensure your Antivirus is fully updated and scanned

Check Disk is also a good idea

Open My Computer
Right Click on C drive
Select Properties
Select Tools tab
Select Check Now button
Tick "Automatically fix file system errors"
Start YES OK
Restart your computer
Wait for Check Disk to start/finish

Then test again
 
I'm not an expert at reading HJT logs so feel free to wait for somebody else's opinion, but it looks like you are infected with the W32/Sdbot-DIQ worm

I suggest that you read Is your system infected? Read this before Cleaning or Formatting

Then if you decide to attempt to clean your system follow Viruses/Spyware/Malware, preliminary removal instructions exactly and post the requested logs as attachments.

Since you already have HJT, you need to rename the .exe file to Crusty.exe because some malware can hide from hijackthis.exe
 
Blind Dragon is referring to C:\WINDOWS\xmss.exe
Please locate this file and delete it (you will also need to end the process in Task Manager first)

Also open Regedit and search for the xmss.exe, and delete all instances of it
 
I have executed putty. It seems it was also affected (it disappeared also).

Anyway, I saw one problem. I have a virus (an avi.exe file located in the root folders). I have found a fix on the net and can now execute apps.

Attached is my current log (I created a copy of HijackThis and renamed it to bwahaha.exe). I've noticed a reboot.exe. I think this came with my ECS motherboard. Should I remove this as said on some sites?

Another observation from my system: when I edit my folder options, it seems it doesn't update my choice to "show hidden files and folders". It always goes back to "do not show..."

thanks for the help.
 
F2 - REG:system.ini: Shell=explorer.exe, xmss.exe is still there.

This file may also have a Hidden attribute (which is a little annoying, seeing as you can't show hidden files)

Do a search, all files and folders, Advanced, include system/hidden files in your Windows directory for XMSS
Then delete it

edit:

Also Start - Run - Sysedit
Maximize system.ini window, and delete the line with Shell=explorer.exe, xmss.exe
 
The .avi.exe file extension is meant to make the executable look like an AVI movie. On a Windows system with all default settings only "Funny UST Scandal.avi" is visible (the .exe extension is hidden).

Software used to build the virus: AutoIt V3
Dropped files: killer.exe (4084 kb)
in c:\windows\lsass.exe (3920 kb)
in c:\documents and settings\all users\start menu\programs\startup\smss.exe (4088 kb)
in all root drives and in c:\windows

autorun.inf(1kb) in all root drives with a script

I actually have a copy of the script open in notepad right now.

I am not supposed to help with HJT logs yet, as I am still learning but if it was on my machine this is what I would do.


1) Download Taskkiller

2) Run Taskkiller and left click its icon in the system tray (the one with a skull icon)
Click processes to close the virus
Close the following:

killer.exe
lsass.exe
smss.exe
Close only processes that have the same icon as Funny UST Scandal.avi.exe



3)now, click “start” then “run”
  • type “cmd” without quotes
  • type “cd\” without quotes
  • type “attrib -h -s smss.exe” without quotes
  • type “attrib -h -s autorun.inf” without quotes
  • type “start c:” without quotes (a new window will open)
  • select smss.exe, autorun.inf, Funny UST Scandal.avi.exe and delete it

If there's any other drive or partition, type "d:" in the command prompt without quotes ("d" being the drive letter), then repeat the CMD steps above
  • now type on the command prompt “cd windows” without quotes.
  • type “attrib -h -s smss.exe” (without quotes)
  • type “start c:\windows” (without quotes)
  • delete the file smss.exe
  • now, goto c:\documents and settings\all users\startmenu\programs\startup
  • delete lsass.exe

4)click “start” then “run”
  • type “regedit” without quotes
  • Navigate to and remove the following entries: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon=shell(killer.exe)
    HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\wind
 
This infection allows outsiders complete access to every keystroke, account, and password you use while on this machine.

IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and reinstall your operating system and applications. You may also want to notify your bank if you do online banking, and change your password right away.
 
Your information is very useful except the reformat option (I think this may be a bit extreme and also not needed)
Everyone has important information, usually the whole world can see without worrying much.
 
The reason for my suggestion is due to the fact that we can probably clean the infected files, but it is not worth the risk of having your bank account hacked. We cannot be sure that the infection didn't do something to the system to reduce the system security. If that's the case, it could be subject to another attack or takeover as soon as you reconnect to the internet, even after removal of the infection.

It really depends on the usage of the computer. If you do online banking I would strongly suggest you disconnect now and change any sensitive account info ASAP.
 
Still not needed

There are thousands of spyware/malware reports on the Internet, and normally only 1% reformat due to it
Credit cards and so forth are usually used over https and unless you're screen-dumping your browsing to the Internet, it's not an issue.
Not that we know brusko is using credit cards so forth.

I say remove the Trojan/malware using your recommendations yes
Reformat - no

Have a good personal firewall on (and updated) - yes
 
kimsland said:
Your information is very useful except the reformat option (I think this may be a bit extreme and also not needed)
Everyone has important information, usually the whole world can see without worrying much.
I would not think so. In any case where the infected system has been used for online banking, shopping or any financial/credit card related activities, I strongly encourage the reformat. The risk is simply too high, and as voluntary helpers in an online forum, we have no authority to guarantee any safety to the user's sensitive information. If it has not, then we can help to clean the infection. In any case, it is definitely within our responsibility to alert the user about the dangers if his/her system was used for banking etc.

We leave the choice entirely up to the user though.

Regards,
momok
 
i think it's fixed now. or is it?

the only problem i have now is the "show hidden files and folders" not working...
 
No it's not. These entries should not be there. I'll leave it to the rest to provide the proper clean up instructions.

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - Global Startup: Reboot.exe
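A small triage script for HijackThis-style log lines like the ones quoted in this thread (the F2 system.ini Shell line with xmss.exe chained after explorer.exe, the O4 autostart entries, and the smss.exe/lsass.exe look-alikes from the removal steps). This is an added example, not part of the thread or of HijackThis itself; the sample log lines are constructed and the list of core process names is my own assumption.

```python
import re

# Core Windows processes are started by the kernel / Session Manager, never
# from a Run key or a Startup folder, so an O4 entry launching one of these
# names is a strong sign of a look-alike dropped by malware (assumed list).
CORE_PROCESS_NAMES = {"smss.exe", "lsass.exe", "csrss.exe",
                      "winlogon.exe", "services.exe"}

# Constructed sample log modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe, xmss.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - Global Startup: Reboot.exe
O4 - Global Startup: smss.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\lsass.exe
"""

def triage(log_text):
    """Return (line, reason) pairs for entries that warrant a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # F2 system.ini Shell=: anything chained after explorer.exe is an extra shell
        m = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line, re.I)
        if m:
            shells = [s.strip().lower() for s in m.group(1).split(",")]
            extra = [s for s in shells if s and s != "explorer.exe"]
            if extra:
                findings.append((line, "extra shell(s) after explorer.exe: " + ", ".join(extra)))
            continue
        # O4 autostart entries: "<location>: [<name>] <command>"
        m = re.match(r"O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)", line)
        if m:
            exe = re.search(r"([\w.\-]+\.exe)", m.group("cmd"), re.I)
            exe_name = exe.group(1).lower() if exe else ""
            if exe_name in CORE_PROCESS_NAMES:
                findings.append((line, f"{exe_name} is a core system process name "
                                       f"but is autostarted from {m.group('loc')}"))
            elif m.group("loc").lower() == "global startup":
                findings.append((line, "file in the all-users Startup folder; verify what installed it"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Benign-looking entries such as the Alcmtr Run key and the nlpo_01 RunOnce lines produce no finding, matching the assessment given later in the thread.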
 
alcmtr.exe is a process installed alongside Realtek AC97 audio hardware and provides a monitoring service. This program is a non-essential process, but should not be terminated unless suspected to be causing problems
From here: http://www.liutilities.com/products/wintaskspro/processlibrary/alcmtr/

Run CCleaner again as well

You can also download Task Killer 2.30 if Task Manager cannot be used, to remove running processes.
Once installed just single click on the taskbar icon, and unload any process from memory.


The lines
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')

are just stating that after restart a Temp folder will be created (which should exist anyway)

O4 - Global Startup: Reboot.exe

I don't like this one exactly

Just run Startup and remove this line
Restart and repost log
 
Please see HERE.
Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. If you delete this file, then you will not be able to properly update your drivers in the future. It is therefore recommended that you disable the startup instead.
Of course, the user may choose to leave it running, though I myself would disable it.
 
Apologies for double post
But this link requires its own post I feel

For cleanly removing XMSS.exe
http://groups.google.com/group/micr...general/browse_thread/thread/00c88e3a7e5b3897

Please report back with results

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

Thank-you momok for returning
Yes it is advisable to disable the startup entry for this (but not to delete the file itself)
momok has helped me understand this - thank-you (truthfully)
 
Yup, I used the fix for the avi.exe file earlier.

Disabled alcmtr in the Startup CPL... but can't find an entry for reboot.exe. I used msconfig to disable reboot.exe.

What should I do with the
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')

Should I remove these?
 
As I am not as proficient as momok in dealing with this, I must say yes, remove them also.



Also D:\utils\heyjack.exe
Looks as though this file on D drive may not be good either


Then restart
 
It's such a long log because of so much stuff; I suppose when running Startup Control Panel you haven't decided to disable lots of things from starting

D:\utils\heyjack.exe is still in the list, this MUST be removed (as I stated 2 posts ago)
 
I believe heyjack.exe is what brusko renamed his HijackThis to. There's no other process that refers to the HijackThis running process.

Brusko: please reboot your system and post a new HijackThis log.

Edit: Thread closed due to lack of response. Should the original starter require it to be reopened, please PM a mod.
 