can not start regedit, antivirus and many other


#1 ivansto (New Member, 6 posts)

Hi,
I am using Win 2000.

I am not able to run regedit (it closes shortly after starting).
Also, I am often not able to use paste.
Also, my AntiVir does not start at startup.
I found many entries in hosts that disable many anti-virus sites and so on.

After reading many docs and posts I concentrated on searching for libsysmgr and syslog32 in my registry, and after restarting in safe mode I found these in the reg file.

I removed all these entries and searched (also system and hidden files) for libsysmgr.exe and syslog32.exe, but I DID NOT FIND any in my file system.

The last was a surprise for me.

After that I restarted in normal mode, but I was not able to run regedit again.

The last step was to download HijackThis.

It also stops working very shortly after starting, but I was able (very quickly) to save my log file.

I send this output:

Logfile of HijackThis v1.97.7
Scan saved at 8:39:41 AM, on 12/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
I:\WINNT\System32\smss.exe
I:\WINNT\system32\winlogon.exe
I:\WINNT\system32\services.exe
I:\WINNT\system32\lsass.exe
I:\WINNT\system32\svchost.exe
I:\WINNT\System32\WBEM\WinMgmt.exe
I:\WINNT\Explorer.EXE
I:\down\vir\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EE41BCA-A707-47B1-8C7A-B83FB7D20313}: NameServer = 192.168.1.1



Pls. help me to resolve this problem.
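The tampered hosts file the poster describes is the first thing a responder would verify on a machine like this; it also accounts for the "connection was refused" error when the online scanner at trendmicro.com is tried later in the thread. Below is an added example (not from the thread, and not part of any tool mentioned in it) that parses hosts-file text and flags entries mapping security-vendor names to loopback or to a foreign address. The vendor list, the loopback set and the sample file content are constructed for the demonstration; on a real Windows system the file to read is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress

# Constructed watch-list: domain suffixes of security vendors and update services
# that malware commonly sinkholes in the hosts file. Extend it for your estate.
SECURITY_DOMAINS = (
    "trendmicro.com",
    "housecall.antivirus.com",
    "sophos.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "windowsupdate.com",
)

# Legitimate only for localhost; for a vendor host they mean "blackholed".
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.

    Comments ('# ...') and blank lines are skipped; one address may be
    followed by several host names on the same line.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: malformed line, leave it to a human
        for name in fields[1:]:
            yield fields[0], name.lower(), line_no


def on_watchlist(hostname):
    """True if hostname is a watch-listed domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacked_entries(text):
    """Return [(line_no, ip, hostname, reason)] for mappings that block or
    redirect a watch-listed host. Plain localhost lines are ignored."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if not on_watchlist(name):
            continue
        if ip in LOOPBACK:
            reason = "vendor host sinkholed to loopback"
        else:
            reason = "vendor host redirected to %s" % ip
        findings.append((line_no, ip, name, reason))
    return findings


# Constructed sample: a Windows hosts file after the kind of tampering the
# poster describes (real infections typically add dozens of such lines).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       housecall.antivirus.com
0.0.0.0         www.sophos.com
10.0.0.5        intranet.example
192.0.2.44      liveupdate.symantec.com
"""

if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacked_entries(SAMPLE_HOSTS):
        print("line %d: %-16s %-28s %s" % (line_no, ip, name, reason))
```

Loopback sinkholes and redirects are reported separately on purpose: a sinkhole only blocks updates, while a redirect to a live address can feed the victim a fake update server, so it is the finding to chase first.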


#2 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

This is a very peculiar log.

You have a number of randomly named files on your system. We like to start with an online virus and trojan scan. Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

Reboot

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.


-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic. Please download the new version. You have an old version and it's not picking up everything.

#3 ivansto (Topic Starter, New Member, 6 posts)

Hi,

thanks for the answer.

I was not able to run the online virus scan.
I receive the message: Connection was refused when attempting to contact www.trendmicro.com
and it points me to http://housecall.tre...ll/install.html.

I downloaded and installed this program, but it continues not to work.


After that I ran Ad-aware and executed all the described steps.
It finished and found problems. It also deleted all the needed files.

After that I restarted my PC and found that I am not able to execute HijackThis (it closes shortly after starting).
I could not find any new version of it (pls. point me to where to download the latest one).

After 2-3 attempts I was able to get the log from HijackThis, and I send it:


Logfile of HijackThis v1.97.7
Scan saved at 12:50:11 PM, on 12/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
I:\WINNT\System32\smss.exe
I:\WINNT\system32\winlogon.exe
I:\WINNT\system32\services.exe
I:\WINNT\system32\lsass.exe
I:\WINNT\system32\Ati2evxx.exe
I:\WINNT\system32\spoolsv.exe
I:\WINNT\System32\svchost.exe
I:\WINNT\system32\cool.exe
I:\WINNT\system32\regsvc.exe
I:\WINNT\system32\MSTask.exe
I:\WINNT\System32\WBEM\WinMgmt.exe
I:\WINNT\system32\Ati2evxx.exe
I:\WINNT\Explorer.EXE
I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I:\WINNT\system32\internat.exe
I:\down\vir\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EE41BCA-A707-47B1-8C7A-B83FB7D20313}: NameServer = 192.168.1.1

#4 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe

Then reboot and post a new log.
I don't see them running, so the scan may have removed the files and missed the startup entries.

Direct download link HJT: http://www.spywarein.../HijackThis.exe

Regards,

Pieter
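Pieter's observation above (libsysmgr.exe and syslog32.exe sit in the Run keys but neither shows in the running list, while cool.exe is running with no startup entry at all) can be mechanised. The following added example, not from the thread and not part of HijackThis, parses a HijackThis log, cross-references the O4 entries against the "Running processes" block and returns the two lists worth triaging first. The BASELINE set of normal Windows 2000 processes is a constructed assumption; the embedded log is the second log from this thread, trimmed to the relevant lines.

```python
import re

# Constructed baseline: processes a clean Windows 2000 box always shows in a
# HijackThis log. Anything else that is running needs an explanation: an O4
# startup entry, a known driver helper, or a service.
BASELINE = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "regsvc.exe", "mstask.exe", "winmgmt.exe", "explorer.exe",
}

EXE_RE = re.compile(r"([\w.-]+\.exe)", re.IGNORECASE)


def parse_log(text):
    """Return (running, entries).

    running: lower-cased file names from the 'Running processes:' block.
    entries: (raw_line, exe_name_or_None, is_bare_name) per O4 line; a bare
             name has no directory, so Windows finds it via the PATH search
             and a deleted file leaves the registry value orphaned.
    """
    running, entries = set(), []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the block
                in_processes = False
                continue
            running.add(line.rsplit("\\", 1)[-1].lower())
            continue
        if line.startswith("O4 - "):
            # The command follows the [entry name] for Run keys and the '='
            # for Global Startup shortcuts.
            m = re.search(r"\]\s*(.*)$|=\s*(.*)$", line)
            command = (m.group(1) or m.group(2) or "") if m else ""
            tokens = command.split()
            exe = EXE_RE.search(command)
            name = exe.group(1).lower() if exe else None
            bare = name is not None and bool(tokens) and "\\" not in tokens[0]
            entries.append((line, name, bare))
    return running, entries


def triage(text):
    """Return the two lists an analyst would look at first."""
    running, entries = parse_log(text)
    launched = {name for _, name, _ in entries if name}
    # Bare-name startup entries whose file is not running: either simply not
    # started yet, or the scanner deleted the file and left the value behind.
    orphan_candidates = [raw for raw, name, bare in entries
                         if bare and name not in running]
    # Running, not baseline, not launched by any O4 entry: started some other
    # way, typically as a service, so services.msc is the next place to look.
    unexplained = sorted(p for p in running
                         if p not in BASELINE and p not in launched
                         and not p.startswith("hijackthis"))
    return {"orphan_candidates": orphan_candidates,
            "unexplained_running": unexplained}


# The second log from this thread (post #3), trimmed to the relevant lines.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
I:\WINNT\System32\smss.exe
I:\WINNT\system32\winlogon.exe
I:\WINNT\system32\services.exe
I:\WINNT\system32\lsass.exe
I:\WINNT\system32\Ati2evxx.exe
I:\WINNT\system32\spoolsv.exe
I:\WINNT\System32\svchost.exe
I:\WINNT\system32\cool.exe
I:\WINNT\system32\regsvc.exe
I:\WINNT\system32\MSTask.exe
I:\WINNT\System32\WBEM\WinMgmt.exe
I:\WINNT\Explorer.EXE
I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I:\WINNT\system32\internat.exe
I:\down\vir\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Both lists are triage input, not verdicts: mobsync.exe /logon is the normal Windows Synchronization Manager entry, and Ati2evxx.exe is the ATI display driver helper. What the cross-check does is point at cool.exe as a running process with no visible launch point, which is what led in this thread to the ntlogin32 service.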

#5 ivansto (Topic Starter, New Member, 6 posts)

Hi,

I continue to have the same problem:

Logfile of HijackThis v1.98.2
Scan saved at 2:30:42 PM, on 12/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
I:\WINNT\System32\smss.exe
I:\WINNT\system32\winlogon.exe
I:\WINNT\system32\services.exe
I:\WINNT\system32\lsass.exe
I:\WINNT\system32\Ati2evxx.exe
I:\WINNT\system32\spoolsv.exe
I:\WINNT\System32\svchost.exe
I:\WINNT\system32\cool.exe
I:\WINNT\system32\regsvc.exe
I:\WINNT\system32\MSTask.exe
I:\WINNT\System32\WBEM\WinMgmt.exe
I:\WINNT\system32\Ati2evxx.exe
I:\WINNT\Explorer.EXE
I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I:\WINNT\system32\internat.exe
I:\down\vir\HijackThis1.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\WINNT\System32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EE41BCA-A707-47B1-8C7A-B83FB7D20313}: NameServer = 192.168.1.1

#6 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)

In Task Manager (Ctrl-Alt-Del) stop this process:
cool.exe
Then go to
http://housecall.tre.../start_corp.asp
and do an online virus scan.

Keep us posted,

Pieter

#7 ivansto (Topic Starter, New Member, 6 posts)

Hi,

I am not able to kill cool.exe.

I receive message:

Access is denied.

regards.

#8 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)

I think this is what we are dealing with:
http://www.sophos.co...32sdbotcaf.html

Click Start > Run > type or copy services.msc > OK

Find the service called ntlogin32, right-click it and choose Properties. Click the Stop button. Set Startup Type to Disabled.

Copy the part below into Notepad and save the file somewhere easy to find, calling it remsdbot.reg:


REGEDIT4

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Checkup"=-
"NT Logging Service"=-

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Checkup"=-

[-HKLM\System\CurrentControlSet\Enum\Root\LEGACY_NTLOGIN32]

[-HKLM\System\CurrentControlSet\Services\ntlogin32]


Now reboot into safe mode,
double-click the file we made (remsdbot.reg)
and delete the following files:
I:\WINNT\system32\cool.exe
I:\WINNT\system32\libsysmgr.exe
I:\WINNT\system32\syslog32.exe

Reboot normally and post a new log when you are done.

Regards,

Pieter

#9 ivansto (Topic Starter, New Member, 6 posts)

Hi Pieter,

the last one solved my problem.

The regedit script does not work (it returns an error message), but I entered it via the keyboard and all was fine.

Thanks again.

#10 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)

Hi ivansto,

Glad to hear it worked for you.

Can you tell me which error you got using the reg file?
I expect to see some more victims of this one and it would be nice if we had an easy (working) fix.

Regards,

Pieter

#11 ivansto (Topic Starter, New Member, 6 posts)

Hi,

If I click on the reg file I receive the error: "bad regedit script" (not sure exactly).

I tried to rewrite the script by cutting the line with REGEDIT4 and many others, but the message continues.

In this situation I manually dropped the entries in regedit and inserted the new values, and it worked well (for me).

I have another 2 infected PCs and I can try to re-execute this script if it will help you.

regards.

#12 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)

Strange, I just tried on my Win2k computer and it got merged.

All of the text and nothing more than what is in the code block:

CODE
REGEDIT4

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Checkup"=-
"NT Logging Service"=-

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Checkup"=-

[-HKLM\System\CurrentControlSet\Enum\Root\LEGACY_NTLOGIN32]

[-HKLM\System\CurrentControlSet\Services\ntlogin32]


Regards,

Pieter
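The "bad regedit script" error reported in post #11 is consistent with a rule of the .reg file format: regedit.exe accepts only the full root key names (HKEY_LOCAL_MACHINE), not the HKLM abbreviation that reg.exe and HijackThis use, and it expects the file to end with a blank line. The example below, added here and not from the thread, normalises a REGEDIT4 script accordingly and reports every change it made. The script it is applied to is the one posted above; the checks, the ROOT_KEYS table and the function name are this example's own.

```python
import re

# Root-key abbreviations accepted by reg.exe, mapped to the full names that
# regedit requires inside a .reg file.
ROOT_KEYS = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [root\sub\key] or [-root\sub\key]; the leading '-' deletes the whole key.
KEY_LINE = re.compile(r"^\[(-?)([^\\\]]+)(\\[^\]]*)?\]$")


def normalize_reg(text):
    """Return (fixed_text, problems).

    problems is a list of (line_no, message); an empty list means the script
    already satisfied every check and fixed_text equals the input.
    """
    lines = text.splitlines()
    problems = []
    if not lines or lines[0].strip() not in HEADERS:
        problems.append((1, "first line must be REGEDIT4 or the 5.00 header"))
    out = []
    for n, line in enumerate(lines, start=1):
        m = KEY_LINE.match(line.strip())
        if m:
            delete, root, rest = m.group(1), m.group(2), m.group(3) or ""
            if root in ROOT_KEYS:
                problems.append((n, "abbreviated root %s expanded" % root))
                root = ROOT_KEYS[root]
            elif root not in ROOT_KEYS.values():
                problems.append((n, "unknown root key %s" % root))
            line = "[%s%s%s]" % (delete, root, rest)
        out.append(line)
    # regedit wants the script terminated by an empty line.
    if out and out[-1].strip():
        problems.append((len(lines), "script must end with a blank line"))
        out.append("")
    return "\n".join(out) + "\n", problems


# The removal script posted in this thread, exactly as written (HKLM form).
THREAD_SCRIPT = r"""REGEDIT4

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Checkup"=-
"NT Logging Service"=-

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Checkup"=-

[-HKLM\System\CurrentControlSet\Enum\Root\LEGACY_NTLOGIN32]

[-HKLM\System\CurrentControlSet\Services\ntlogin32]
"""

if __name__ == "__main__":
    fixed, problems = normalize_reg(THREAD_SCRIPT)
    for line_no, message in problems:
        print("line %d: %s" % (line_no, message))
    print(fixed)
```

Save the returned text as remsdbot.reg from Notepad (ANSI encoding, which is what the REGEDIT4 header implies) and merge it as the post describes. The `=-` lines delete only the named values, which is why the two Run keys carry no leading minus sign while the two ntlogin32 keys, which are to go entirely, do.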