regedit, msconfig, taskmanager will not work. help!

[exis]

Hi all, thanks for reading.

Task Manager, msconfig and regedit will NOT stay open. When I say "stay" open I mean they open for a fraction of a second then disappear. I first noticed this when trying to merge a registry file, when the same problem (appear, disappear) occured with the dialogue box after I clicked "Merge". Anyway, here is my log:

-----------------------------------------------
Logfile of HijackThis v1.99.0
Scan saved at 10:57:06 p.m., on 30/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\GEARSEC.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Me\Desktop\Admin\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\SVEHOST.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Documents and Settings\Me\Desktop\Admin\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Windows Print Spooler] SVEHOST.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Windows Print Spooler] SVEHOST.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/support/ocis/SiSAutodetectNT.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C33D9FB-C1C6-4259-A75D-9E9DFD9C4A15}: NameServer = 202.37.101.1 202.37.101.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F206E979-9E98-44F6-AFC3-BE7D486172E1}: NameServer = 203.97.33.1,203.97.37.1
O23 - Service: Adobe Active File Monitor - Unknown - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect - Unknown - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

-------------------------------------------------

This is exactly the same problem as http://www.techist.com/showthread.php?s=&threadid=35826 as far as I know, but I didn't find any particularly useful information in there. And I did follow all the instructions except for this piece:

A repair/recovery will not cure your problem. Your system is infected with spyware. To get back regedit/msconfig/task manager , login to safe mode. Goto Tools-> options in explorer window and check 'show hidden files' and uncheck 'Hide operating sys files ......$&^$* ' .

Goto system32 folder, there if you find 'msconf2' or 'msconf' . Delete that file. And run 'msconfig' and remove all the unnecessary start-up items.

Now get into the normal mode, install 1 or 2 spyware/adaware software , update and scan your system with them.

...as I'm not too sure about deleting files I know nothing about. A second opinion would help.

Again, thanks alot for reading this. I appreciate the effort you guys put into helping people like me

 

[exis]

Sorry, just an edit: I just tried the fix above, but there is no msconf(/2) in my system32, so I assume it's not that.

 

[southernlady]

First, scan with your a/v first and get that virus fixed cause you have one. I'm not sure of the name on NOD32 but it's the SPYBOT.H VIRUS and causes all sorts of problems.

Next, since XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Restart to Safe Mode

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O4 - HKLM\..\Run: [Windows Print Spooler] SVEHOST.EXE

O4 - HKCU\..\RunOnce: [Windows Print Spooler] SVEHOST.EXE

O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

Now find and delete this file:

C:\WINDOWS\system32\SVEHOST.EXE SPYBOT.H VIRUS!

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Reboot

Empty the Recycle Bin

Then post another log. Liz

 

[exis]

NOD32 finds no virus apart from

C:\System Volume Information\_restore{FF28ABED-CB8F-46DB-BCE6-AE68AF2301E7}\RP24\A0004913.exe - Win32/Agent.AY trojan

C:\System Volume Information\_restore{FF28ABED-CB8F-46DB-BCE6-AE68AF2301E7}\RP24\A0004914.exe - Win32/Agent.AY trojan

Every time I scan with Ad-Aware, NOD32 finds these two viruses. Apparently they are created on each scan, because if I delete them then scan with NOD32, my system is (apparently) clean, but when I scan with Ad-Aware, they appear again.

Is my Ad-Aware corrupt?

 

[southernlady]

No, but it sounds like they may be in your boot sector, turn off system restore: Disable system restore Then rescan.

Next download and scan with a-squared (a²) Free edition 1.52 It's free and it scans for trojans.

Since it seems that NOD32 misses the boat on this trojan...after you check with the a-squared (a²) Free edition 1.52 then go to one of the online virus scans listed in this thread:
http://www.techist.com/showthread.php?s=&threadid=34713
Liz

 

[exis]

Logfile of HijackThis v1.99.0
Scan saved at 9:11:54 a.m., on 1/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\GEARSEC.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Me\Desktop\Admin\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programs\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Documents and Settings\Me\Desktop\Admin\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/support/ocis/SiSAutodetectNT.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F206E979-9E98-44F6-AFC3-BE7D486172E1}: NameServer = 203.97.33.1,203.97.37.1
O23 - Service: Adobe Active File Monitor - Unknown - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect - Unknown - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
-------------------------------------------------

AND... regedit, task manager and msconfig all work fine!!!(as far as I can tell). So apart from that, are there any abnormalities on my log that I need to check out?

Thankyou very much Liz, you've been incredibly helpful - much appreciated.

 

[southernlady]

exis, do you still need assistance? If so, please post a new HiJack This log so we can help you.

Otherwise, I will close this thread. Liz

 

[exis]

No more assistance needed. Thanks.

 

[southernlady]

Okay, closing thread. Liz