|
Donations |
|
 |
|
|
|
If you found this site helpful, please donate to help keep it online
Don't want to use PayPal? Try our physical address
|
|
|
Survey |
|
|
|
|
|
|
|
|
Translate |
|
|
|
|
|
|
|
|
|
|
| View previous topic :: View next topic |
| Author |
Message |
Tennisguys
Guest
|
 Posted: Sat Apr 17, 2004 12:00 am Post subject: I can't run Task Manager, Reg Edit or MSCONFIG |
|
|
I am having a problem running Taskmanager, regedit, and msconfig; they will flash open and then close. I have run multiple virus scans including Norton AntiVirus Corporate edition, but all come back with no report of a virus, although I do have a number of quarantined files. I also ran Lavasoft Adware and removed hundreds of spyware objects, but I still have the same problem.
I downloaded and ran Hijackthis, and below are the results. I am not knowledgeable enough to know what to delete.
Any suggestions?
Logfile of HijackThis v1.97.7
Scan saved at 10:04:26 AM, on 4/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\LSAS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NavNT\vptray.exe
C:\Documents and Settings\DWeinstein\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp...sion_id=18
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Macafee] LSAS.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Macafee] LSAS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Shared...vSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleo...gleNav.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5152777778
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://nhuonline.newhorizons.com/main/I...loader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v15...ontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/aut...pricer.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Templ...s/outc.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab |
|
| Back to top |
|
 |
chap
Guest
|
| Posted: Fri Apr 23, 2004 10:03 pm Post subject: |
|
|
| i have this exact same problem, please help |
|
| Back to top |
|
|
tonaroma
Guest
|
| Posted: Tue Apr 27, 2004 12:01 am Post subject: Same Problem... what the dilio? |
|
|
my system hangs while trying to login. i have to ctrl alt del to logout then try to login several times before my desktop and such will show. then everything is still a bit wacky. do i have bad memory or something? everything seems to work relatively fine in safe mode. i'm gonna try removing all my service packs and other software till i narrow it down.
but if someone knows whats up, please, please, please help. i tried sfc /runnonce several times and virus scans etc... |
|
| Back to top |
|
|
TuoK
Cadet
Joined: May 01, 2004
Posts: 1
Location: USA
|
| Posted: Sat May 01, 2004 11:41 am Post subject: |
|
|
| By chance do you have a task running named vjjfaiqnja.exe ???? That was causing all my problems with msconfig, regedit, etc, etc, etc. |
|
| Back to top |
|
|
helpless
1st Responder
Joined: Jan 29, 2004
Posts: 728
Location: Belgium
|
| Posted: Sat May 01, 2004 1:29 pm Post subject: |
|
|
bump
Last edited by helpless on Sat May 01, 2004 2:16 pm, edited 1 time in total |
|
| Back to top |
|
|
helpless
1st Responder
Joined: Jan 29, 2004
Posts: 728
Location: Belgium
|
| Posted: Sat May 01, 2004 1:31 pm Post subject: |
|
|
Tennisguys
in your log i see
| Quote: |
| C:\WINDOWS\System32\LSAS.EXE |
Don"t confuse LSAS.EXE (worm/backdoor) with LSASS.EXE (systemfile)!
meaning possibly that somebody has remote access to your PC, and denied you from this tasks.
will ask somebody to move this post if you are willing to register "its free" ,in the best place to get an expert on trojans at this.
for chap and tonaroma please start your own topics
.
Last edited by helpless on Sat May 01, 2004 2:14 pm, edited 1 time in total
|
|
| Back to top |
|
|
helpless
1st Responder
Joined: Jan 29, 2004
Posts: 728
Location: Belgium
|
| Posted: Sat May 01, 2004 1:50 pm Post subject: |
|
|
for chap and tonaroma please start your own topics
after doing this :
Download & instal Adaware from http://majorgeeks.com/download.php?det=506
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
Remove what it finds by placing a check in the box to the left of the object.
Reboot
Download & instal Spybot S&D from http://www.safer-networking.org/index.php?page=download Update it before scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. also one to block you starthomepage in IE
Download CWShredder from http://www.computercops.biz/downloads-file-349.html run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs & windows, including IE, before running CWShredder.
Reboot
Download : HiJack This! from http://computercops.biz/downloads-cat-14.html
Create and Unzip to a folder, not your Desktop or the Temp folder, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, use "Save Log" button, save the log in a text file, and post it [url]here http://www.computercops.biz/forum74.html[/url]
DO NOT FIX ANYTHING YOURSELF NOW, JUST WAIT FOR AN EXPERT TO HAVE A LOOK AT THE LOG |
|
| Back to top |
|
|
illukka
1st Responder
Premium Member
Joined: Feb 27, 2004
Posts: 706
Location: Finland
|
| Posted: Mon May 03, 2004 4:52 am Post subject: |
|
|
if task manager is disabled, instead of running it you can download process explorer from
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
it has the same features and more..
first we take out the trojan and then enable regedit etc again
like helpless thought its this
O4 - HKLM\..\Run: [Macafee] LSAS.EXE
O4 - HKCU\..\RunOnce: [Macafee] LSAS.EXE
probable sdbot/agobot variant, for verification you could scan this file with
http://www.kaspersky.com/remoteviruschk.html
so after you've downloaded the procexp.exe open it, highlight the process
C:\WINDOWS\System32\LSAS.EXE
and kill it. then fix those 2 startup entries with hjt.
then boot your pc into safe mode(tap f8 at boot) and delete the file C:\WINDOWS\System32\LSAS.EXE
DO NOT DELETE LSASS.EXE, IT'S AN IMPORTANT SYSTEM FILE
here's more to fix
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
post back a fresh log when done(and results of kav scan) |
|
| Back to top |
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops
|
You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0.
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
