Antivirus/Regedit/Taskmanager/e-mail/ will not run

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by quintesscence, Feb 14, 2005.

  1. quintesscence

    quintesscence Private E-2

    Hey all! So, you guys did a great job helping me out once in the past and so now I'm back again. Here we go...

    I first noticed that there was a problem when my outlook express program could not connect to server (I have 2 different e-mail accounts through this program that use 2 different servers and neither can connect). I checked the settings and contacted the service providers--no problems on that end.

    I tried to run Norton Antivirus 2002. I then get a message that states: "Your current security settings prohibit running ActiveX controls on this page. As a result, this page may not display correctly." Norton then opens up, and everything seems to be in the process of "refreshing". I cannot scan my machine because it does not give me the option to.

    Furthermore, I cannot bring up the task manager--it quickly disappears. And the same thing happens when I try to open regedit.

    When I was talking to my isp last night (comcast), the rep had me "enable all cookies" in the internet options. When I tried to bring up a website following this action, I got an error message that I had never seen before. Something about Microsoft Visual C++ and that something was debugging, or could not be debugged or something to that effect. I cannot get this error message to come again so I cannot tell you exactly what that was about. Strangely, I cannot access my e-mail through the internet either. The page will not load. It is the only webpage that I cannot access. (ISP states that this page is functioning normally). It is as if someone does not want me to access my personal information.

    Okay, so I followed the instructions in "Spyware, Trojan, and Virus Removal". Trend Micro finds a clean system. Symantec Security Check runs for about 20-25 minutes, meanwhile finding 5 problems, but then stops, and the page changes to a "page cannot be found" page. This happens when I run the program in both safe and normal mode. AVERT found nothing. Adaware and spybot found a few things--nothing out of the ordinary and I quarantined/deleted files. The rest of the programs found nothing.

    Also, I deleted wildtangent yet again and I am getting an error message upon normal startup that "cdaengine0400.dll--the specific module could not be found". But I know that this is the least of my problems.

    Okay, I think that's it. Any thoughts on this? Thanks so much guys--you're the best.

    -Kelly
     
  2. quintesscence

    quintesscence Private E-2

    Whoops! I forgot to mention that I am running Windows XP Home with SP1. Sorry...
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    You may also want to try making a copy of taskmgr.exe and call it mytmgr.exe. Then run it and see if it works. Try similar with regedit. Let me know if that works.
     
  4. quintesscence

    quintesscence Private E-2

    Here is my HJT log.

    Also, unfortunately, I'm not sure what you mean by making a copy of taskmgr.exe and calling it mytmgr.exe. Sounds pretty self-explanatory but I've never done anything like that. What are my chances of screwing that up? ;) Thanks again...
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What version of Norton virus scan do you have and are the virus definitions current?

    Look in Add/Remove programs for anything with WildTangent and uninstall it if found.

    You may want to give this a run before continuing with the below steps:
    W32.Mydoom.A Cleaning Utility


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\WINAMP6.EXE

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
    O4 - HKCU\..\RunOnce: [Winamp Player 6] WINAMP6.EXE


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\WINAMP6.EXE
    C:\Program Files\WildTangent <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working (do your programs work now).
     
  6. quintesscence

    quintesscence Private E-2

    Okay, first to answer your question: I'm running Norton Antivirus 2002, version 8.07.17 C and the virus definitions are, indeed, current.

    Next, I ran the W32.Mydoom.A cleaning utility and nothing was found.

    I was unable to bring up the task manager because hitting CTRL-ALT-DEL was not functioning.

    I ran hijack this and fixed what you asked me to. I then booted into safe mode, and deleted winamp6.exe from the system32 folder. However, I could not find the wildtangent folder in "Program Files".

    I followed the rest of your instructions, rebooted and, miraculously, my e-mail now works, regedit works, task manager works. BUT, Norton antivirus has the same problem--the "active x" error message still comes up, it is still saying that the controls are "refreshing" and it will not scan.

    Also, my hijack this log says that:
    O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
    is still present even though I clicked fix when I ran it earlier.

    I've attached my latest HJT log. So far, so good....Thank you!!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try just running HJT again and fixing the below line (with no browsers running):

    O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE

    Then double check to make sure the file is really deleted. Check in three locations:
    C:\WINDOWS\System32\WINAMP6.EXE
    C:\WINDOWS\WINAMP6.EXE
    C:\WINAMP6.EXE

    If you find it, delete it (use safe mode if necessary).

    Reboot into normal mode and check your HJT log. Did the line come back?
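
Added example, not part of the original thread or of either poster's message: a small Python check that compares the O4 (autorun) lines of a HijackThis log taken before Fix with one taken after the reboot, reports entries that came back, and marks those that name a bare file with no directory, which is why several locations have to be checked. The function names and the `ExampleApp` entry are assumptions made for illustration; the other sample lines are the O4 lines quoted in this thread.

```python
import re
from typing import NamedTuple

# Registry-style O4 line as quoted in the thread:
#   O4 - HKLM\..\Run: [Value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

class Autorun(NamedTuple):
    hive: str
    key: str
    name: str
    command: str

def parse_o4(log_text):
    """Return the set of registry autorun entries in a HijackThis log."""
    matches = (O4_RE.match(line.strip()) for line in log_text.splitlines())
    return {Autorun(*m.groups()) for m in matches if m}

def executable(command):
    """First token of the command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def has_no_path(entry):
    """True when the entry names a bare file: Windows then resolves it via
    the search path, so the file may sit in any of several directories."""
    exe = executable(entry.command)
    return "\\" not in exe and "/" not in exe

def survived_fix(before, after, fixed_names):
    """Entries selected for Fix that are still present in the later log."""
    old = parse_o4(before)
    return sorted(e for e in parse_o4(after) if e.name in fixed_names and e in old)

# Constructed excerpts: O4 lines quoted in the thread plus a made-up ExampleApp.
BEFORE = r"""
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O4 - HKCU\..\RunOnce: [Winamp Player 6] WINAMP6.EXE
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe" /start
"""
AFTER = r"""
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe" /start
"""

if __name__ == "__main__":
    for e in survived_fix(BEFORE, AFTER, {"WildTangent CDA", "Winamp Player 6"}):
        note = " (no path: check every search-path directory)" if has_no_path(e) else ""
        print(f"still present: {e.hive}\\..\\{e.key} [{e.name}] {e.command}{note}")
```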
     
  8. quintesscence

    quintesscence Private E-2

    Okay, now I'm starting to get annoyed. Chas, I did what you asked and yes, O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
    seems to be completely gone now. Thank you.

    However, my antivirus still does not run and when I rebooted my machine Norton detected a virus:

    backdoor.sdbot
    object name: C:\windows\system32\lshosts32.exe
    unable to repair file

    Ugh. Now what? If Norton would just freaking work I would follow the removal instructions on the symantec page....but it won't run. Any thoughts?

    Thanks again,
    Kelly
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just boot in safe mode and delete that file.

    I'm confused by something! You say your antivirus does not work but yet it detected this virus. Please explain. Do you mean it just detects things by itself at start up but you cannot actually have it perform a full system scan?

    Do you have all of your Win XP system updates (other than SP2)? Are you sure?
     
  10. quintesscence

    quintesscence Private E-2

    Good call Chas about system updates; it seems my automatic updates was shut off and I haven't received any updates since 1/18/05. But when I try to update, I get the following message:

    The following updates failed to be installed successfully:


    Security Update for Windows XP (KB810217)
    Security Update for Windows XP (KB888302)
    Security Update for Windows XP (KB890047)
    Security Update for Windows XP (KB885250)
    Security Update for Windows Messenger (KB887472)
    Security Update for Windows XP (KB891781)
    Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB867282)
    Security Update for Windows XP (KB888113)
    Windows Malicious Software Removal Tool - February 2005 (KB890830)
    Security Update for Windows XP (KB873333)
    Update for Background Intelligent Transfer Service (BITS) (KB883357)

    Error: There is not enough disk space to install the update(s). Free additional space on your hard disk and then try again.

    I do have 56 gigs of free space on my drive so I don't know what this is about.

    And to answer your other question about the antivirus--yes, it just detected that one virus by itself at start up but I cannot actually have it perform a full system scan. Still getting the Active X error.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were you able to delete this: C:\windows\system32\lshosts32.exe

    Look at step 7 in the following thread: How to Protect yourself from malware!

    Is that how you have yours setup?

    See if you can run any of the below items:

    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    a-squared (a²) Free edition free but requires an email address to register
    avast! Virus Cleaner Tool

    By the way make sure you download and use from now on the new HijackThis 1.99.1
     
  12. quintesscence

    quintesscence Private E-2

    Hi Chas. Thanks for the reply. Here's the latest:

    Yes, I was able to delete Backdoor.Sdbot

    My Active X Security Settings are as they should be per step 7 in "How to Protect Yourself from Malware".

    While I was waiting for your reply yesterday afternoon, I uninstalled Norton Antivirus 2002 and installed Norton Antivirus 2005. Why? I have no idea--just thought I'd take a shot. Norton Antivirus 2005 is installed, says that Auto Protect is enabled but, like Norton 2002 before, will not scan. I cannot even open it to configure it.

    I scanned my machine with the programs that you suggested:
    bitdefender found nothing.
    trojanscan found nothing.
    rav antivirus found nothing.

    After this particular scan, I tried checking my e-mail. It, again, does not work. The error I get says "server has unexpectedly terminated the connection". This is true for all three e-mail accounts that I have set up through Outlook Express (through 2 different ISPs).

    A-squared found nothing.
    Avast! Cleaner found nothing but told me that some files could not be scanned. They are:

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll... file could not be scanned!
    C:\WINDOWS\SoftwareDistribution\EventCache\{0383A514-D9D8-4639-9E8A-BC0D9F8D5396}.bin... file could not be scanned!
    C:\WINDOWS\Temp\ZLT00aaf.TMP... file could not be scanned!

    I am at a loss. Also last night I went through the steps of "how to remove spyware, trojans, and viruses" again. Nothing.

    In your last post you mentioned updating the HijackThis program--not sure if that meant that you wanted me to post another log so here it is just in case.

    THANK YOU!!
     


  13. quintesscence

    quintesscence Private E-2

    Whoops--my HJT log in the previous message was from the older version. Here is the HJT 1.99.1 log. Sorry 'bout that.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does your Norton/Symantec software include a firewall? The reason I ask is that you have Zonealarm installed and you must use only one firewall.

    Try connecting to Windows Update and then shutdown your firewall and virus applications and then have it scan for updates and actually try to update.

    You are using Internet Explorer to connect to Microsoft Update....aren't you?
     
  15. quintesscence

    quintesscence Private E-2

    Truth be told, Chas, I do not know if Norton 2005 has a firewall. I swiped the disc from work so I don't know too much about it.

    Windows update has successfully updated after about the 11th try today--I had done nothing different prior to its working. I updated all but Service Pack 2.

    I actually uninstalled Zone Alarm so I have NO firewall running right now (that I know of).

    E-mail is working now. Why? I don't know.

    I am still UNABLE to run the damn anti-virus scan. I managed to actually get in to view the interface but it says refreshing just as Norton 2002 was doing before. The active X error still comes up as well.

    If this Active X error is the result of a virus/trojan/etc...I would really like to find the root of the problem. If not, I think I may just uninstall it and run one of the free AV programs recommended on this site.

    Oh, and yes, I am using Internet Explorer 6.0.2800.1106.xpsp2 (does this mean service pack 2???????)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should dump Norton and use one from: How to Protect yourself from malware!
    Like Avast or AVG. It is not worth all this trouble it has been putting you thru.

    Your email problem may have been due to the firewall. You have to remember that you are the administrator and have to allow what goes out and comes in. If you block the wrong thing, an application may not work.

    Make sure you follow all the steps in the How to Protect thread. You need to get a firewall back in ASAP.

    That is sp2 for Internet Explorer.
     
