Old 01-06-2005, 04:13 PM   #1 (permalink)
Apprentice
 
Join Date: Sep 2004
Location: Chandigarh
Posts: 90
Default a weird problem....


hi...my system is facing a new problem...

when i goto run and type either regedit or msconfig....the respective window comes but only for one microsecond...i mean if i type regedit in run and click on...registry editor will come up...but will exit after a fraction of second...

help me please

thanx
hearthacker is offline  

Old 01-06-2005, 04:34 PM   #2 (permalink)
Right Off the Assembly Line
 
Join Date: May 2005
Posts: 48
Default

try opening it from DOS prompt
c:\windows\regedit.exe where c:\windows is your OS dir.


see event viewer if there is any error reported.
amit_arya is offline  
Old 01-06-2005, 08:45 PM   #3 (permalink)
Human Spambot
 
swatkat's Avatar
 
Join Date: Mar 2004
Location: India
Posts: 2,033
Default

It's a virus. Download HijackThis and unzip it to a dedicated folder (like C:\HJT\hijackthis.exe).
Then run it and click the button "Do a System scan and save log file". HijackThis will perform a scan and save the log file as hijackthis.log. Copy the entire contents of the file and post it here.
__________________
http://swatrant.blogspot.com/
swatkat is offline  
Old 01-06-2005, 09:51 PM   #4 (permalink)
Davislav Ivanuiz!!!
 
Kl@w-24's Avatar
 
Join Date: Apr 2004
Location: Pune
Posts: 1,396
Default

Yup, it's a virus. It happened to me too. I cudn't even run AVG antivirus!!! Paste ur HijackThis log file, as suggested by swatkat.
__________________
I was here when the forum's swear filter kept bleeping out the word 'FUNK'. :crazy::censored::eeksign:

www.abhi247.com | The Photohblog A Little Lunacy! [v3]

Flickr!
Kl@w-24 is offline  
Old 01-06-2005, 10:58 PM   #5 (permalink)
Apprentice
 
Join Date: Sep 2004
Location: Chandigarh
Posts: 90
Default my hijack logfile

Logfile of HijackThis v1.99.1
Scan saved at 10:55:30 PM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\userinit.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Virtual CD v4\System\vcdsecs.exe
E:\Softwares\HijackThis.exe
D:\WINDOWS\System32\imapi.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 203.197.24.163 www.citibank.co.in
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D62201D9-58A1-4012-B058-906CAD26838A}: NameServer = 210.210.69.72,202.144.13.50
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VCDSecS - H+H Software GmbH - D:\Program Files\Virtual CD v4\System\vcdsecs.exe
hearthacker is offline  
Old 01-06-2005, 11:29 PM   #6 (permalink)
Human Spambot
 
swatkat's Avatar
 
Join Date: Mar 2004
Location: India
Posts: 2,033
Default Re: my hijack logfile

Download McAfee Stinger.
Boot in SAFE mode, run HijackThis, click "Do only a system scan" and put a checkmark against these entries:-

R3 - Default URLSearchHook is missing
O1 - Hosts: 203.197.24.163 www.citibank.co.in
O1 - Hosts: 210.210.19.82 www.sifymall.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Close all other open programs and click "Fix Checked" in HijackThis.

Run McAfee Stinger, click "Add" and here type the Hard Disk partitions manually (for example, C:\) and click OK. Repeat this step so that all the partitions are added. Then click "Scan Now".

Restart to Normal mode, post a new HijackThis log. Also, post whether Stinger found anything and Task manager/ Regedit are working or not.
__________________
http://swatrant.blogspot.com/
swatkat is offline  
Old 02-06-2005, 11:47 AM   #7 (permalink)
Apprentice
 
Join Date: Sep 2004
Location: Chandigarh
Posts: 90
Default new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 11:41:45 AM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Ares Lite Edition\Ares.exe
D:\Program Files\Virtual CD v4\System\vcdsecs.exe
D:\Program Files\Ahead\Nero\nero.exe
D:\WINDOWS\System32\ping.exe
E:\Softwares\HijackThis.exe
D:\WINDOWS\System32\imapi.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117647329484
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D62201D9-58A1-4012-B058-906CAD26838A}: NameServer = 210.210.69.72,202.144.13.50
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VCDSecS - H+H Software GmbH - D:\Program Files\Virtual CD v4\System\vcdsecs.exe

************************************************** ********

And STINGER did not find anything in a system scan.

and now same is happening with hijackthis....i start it and it disappears...and one more thing...I don't have anything of HP on my system...but everytime a file known as "hpmsnt32.exe" ("HP Compaq service drivers") starts up wid my system even if i delete all the entries from registry and the file itself from system32 folder...
hearthacker is offline  
Old 02-06-2005, 02:16 PM   #8 (permalink)
Another Brick in the Wall
 
drgrudge's Avatar
 
Join Date: Jul 2004
Location: Dubai/Chennai
Posts: 3,027
Default

Quote:
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares Lite Edition\Ares.exe" -h
U are running Ares at startup, which is not necessary as it's system resource hungry and when u connect to internet it will connect automatically and upload stuffs and also download in case u have not finished any downloads without ur knowledge. So u end up wasting ur BW and system resource.

Why are all the entries marked by swat showing up again?
__________________
I Love Photography. I Love Aperture. I Love Mac.
drgrudge is offline  
Old 02-06-2005, 03:38 PM   #9 (permalink)
Human Spambot
 
swatkat's Avatar
 
Join Date: Mar 2004
Location: India
Posts: 2,033
Default Re: new hijackthis log

Can you run HijackThis in SAFE mode? If yes, follow the below steps:-
Run HijackThis, click "Do only a system scan", and select these entries:-

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKCU\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe


Then click "Fix Checked" in HijackThis.
After this, delete this file:-
Hpmsnt32.exe

Reboot and post a new log.

If you can run HijackThis in SAFE mode also, then open NotePad, and copy the contents of the below "Code" box into NotePad:-
Code:
regedit /e test1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" 
regedit /e test2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" 
regedit /e test3.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" 
regedit /e test4.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" 
regedit /e test5.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" 
regedit /e test6.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e test7.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects"

copy test1.txt + test2.txt + test3.txt + test4.txt + test5.txt + test6.txt + test7.txt = info.txt

del test1.txt
del test2.txt
del test3.txt
del test4.txt
del test5.txt
del test6.txt
del test7.txt
Go to File Menu> Save As and type the filename as Run.bat and save the file. Exit from NotePad.
Double-click on the Run.bat file, a small DOS window appears, and after a few seconds close it. There will be a text file named Info.txt in the same location where the Run.bat file is present, open the Info.txt file and copy its contents and post it here.
__________________
http://swatrant.blogspot.com/
swatkat is offline  
Old 03-06-2005, 10:19 AM   #10 (permalink)
Apprentice
 
Join Date: Sep 2004
Location: Chandigarh
Posts: 90
Default run.bat and hijackthis

RUN.BAT RESULT
-----------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"NVCLOCK"="Rundll32 nvclock.dll,fnNvclock"
"HP Compaq Service Drivers"="Hpmsnt32.exe"
"Internet Services"="interserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Internet Services"="interserv.exe"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Internet Services"="interserv.exe"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\\WINDOWS\\System32\\ctfmon.exe"
"ares"="\"D:\\Program Files\\Ares Lite Edition\\Ares.exe\" -h"
"Yahoo! Pager"="D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"HP Compaq Service Drivers"="Hpmsnt32.exe"
"Internet Services"="interserv.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

----------------------------------------------------------------------

NEW HIJACK THIS LOG

***********************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:10:29 AM, on 6/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\userinit.exe
D:\WINDOWS\Explorer.EXE
E:\Softwares\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKLM\..\Run: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117647329484
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D62201D9-58A1-4012-B058-906CAD26838A}: NameServer = 210.210.69.72,202.144.13.50
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VCDSecS - H+H Software GmbH - D:\Program Files\Virtual CD v4\System\vcdsecs.exe

**************************************************
hearthacker is offline  
Old 03-06-2005, 07:36 PM   #11 (permalink)
Apprentice
 
Join Date: Sep 2004
Location: Chandigarh
Posts: 90
Default BUMP

***BUMP***
hearthacker is offline  
Old 03-06-2005, 08:04 PM   #12 (permalink)
Human Spambot
 
swatkat's Avatar
 
Join Date: Mar 2004
Location: India
Posts: 2,033
Default Re: run.bat and hijackthis

Right-click on the empty part of the Desktop and choose "New" > "Text Document" to open NotePad. Copy the contents of the below "Code" box, and paste it in NotePad:-
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HP Compaq Service Drivers"=-
"Internet Services"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Internet Services"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Internet Services"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HP Compaq Service Drivers"=-
"Internet Services"=-
Go to File Menu> Save As and type the filename as Fix.reg and save it. Exit from NotePad.
Boot in SAFE mode. Run HijackThis and click "Do only a system scan", and select these entries:-

O4 - HKLM\..\Run: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKLM\..\Run: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKCU\..\Run: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe


Click "Fix Checked" in HijackThis.

Delete these files:-
interserv.exe
Hpmsnt32.exe


Double-click on the Fix.reg file, and choose "Yes" to merge it with Registry.

Restart to Normal Mode, and post a new HijackThis log.
__________________
http://swatrant.blogspot.com/
swatkat is offline  
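
Added example, not part of any post in this thread: a small triage script for the O4 autorun lines of a HijackThis log. It flags value names whose command is a bare filename (no folder path) and which are registered under two or more Run/RunServices keys, which is the pattern the entries selected for fixing above share. The rule and the function names are assumptions made for illustration, not HijackThis's own logic; the sample lines are excerpted from the third log posted in this thread.

```python
import re
from collections import defaultdict

# O4 registry autorun line: "O4 - HKLM\..\Run: [Value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Constructed sample: O4 lines excerpted from the third HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKLM\..\Run: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [HP Compaq Service Drivers] Hpmsnt32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""


def parse_o4(log_text):
    """Yield (location, value_name, command) for each O4 registry autorun line.
    Other line types (Global Startup, O2, O9, ...) are skipped."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            yield f"{hive}\\{key}", name, command


def executable(command):
    """Return the program part of a command line (quoted path or first token)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def suspicious_autoruns(log_text, min_keys=2):
    """Flag value names whose program has no folder path and which appear
    under at least min_keys distinct autorun keys (assumed triage rule)."""
    seen = defaultdict(set)
    for location, name, command in parse_o4(log_text):
        exe = executable(command)
        if "\\" not in exe and "/" not in exe:  # bare filename, found via search path
            seen[(name, exe.lower())].add(location)
    return sorted(
        (name, exe, sorted(locations))
        for (name, exe), locations in seen.items()
        if len(locations) >= min_keys
    )


if __name__ == "__main__":
    for name, exe, locations in suspicious_autoruns(SAMPLE_LOG):
        print(f"{exe:<14} [{name}] in {', '.join(locations)}")
```

A flagged entry is a lead to check by hand, not a verdict: the NVCLOCK line also uses a bare filename but sits under a single key, so it is not reported.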