Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

Taskmanager & Regedit closes

1286 Views 7 Replies 2 Participants Last post by  Flrman1
I run Win2000 SP4.

Whenever I try to run regedit or taskmanager they open, and closes. I have also experienced problems with ZA, can't get it to run. I have no uninstalled this program.

I have done a virusscan using Norton Antivirus with latest updates.

Also downloaded Hijack this, log posted under.

Anyone know how to fix the problem?



Logfile of HijackThis v1.97.2
Scan saved at 21:55:31, on 18.09.2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TotalRecorder\TotRecSched.exe
C:\Program Files\Daemon Tools\daemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\LimeShop\LimeShop.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\\Agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
O4 - HKLM\..\Run: [MSKExe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E990FE4-C97F-45B5-B6F9-4643E685665A}: NameServer =
See less See more
Not open for further replies.
1 - 8 of 8 Posts

Welcome to TSG!

Turn off System Restore.

Make sure "show hidden files" is checked in Folder options > View

Have a copy of HijackThis.exe in its own folder on the desktop. You may want to copy these instructions to a Notepad file on the desktop, you might need them in Safe Mode.

Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

In Safe Mode, run HijackThis and "Fix Checked" the following entries:

O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE

O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE

Next, click Start, Run and type in "explorer" without the quotes. Navigate to the folder C:\WINNT\system32 and delete the:


Go to Start > Run and type in "regedit" without the quotes and navigate to:


>> if there is anything in the Right hand pane but 'default', right click and delete it.

Reboot back to normal and verify that all is well.

If all is well turn system restore back on and create a restore point.
See less See more

I'm using win2000, how/where do I turn of restore point?

Sorry! Win2K doen't have System Restore. Disregard that part.
Thanx alot, that did the trick.

I booted in safe mode, deleted the files:

O4 - HKLM\..\Run: [Wiinbllah] MSUPDT.EXE

O4 - HKCU\..\RunOnce: [Wiinbllah] MSUPDT.EXE

Could not locate the MSUPDT.EXE file, and there was no entry in the register (except for default) for:


Booted normal, then both regedit and taskmanager is ok.

What is the best way for keeping updated with this backdoors etc. What program is needed for constant updates of new threats?

See less See more
I would doublecheck for the MSUPDT.EXE file. It should be there.

It most likely has the hidden attribute. Make sure "show hidden files" is checked in Folder options > View

And check again.
In normal mode I swithced to dos, did i dir with /s parameter.
Found the file:

05.09.2003 08:55 28_672 msupdt.exe

Do I need to boot to safe mode again to delete it?

Also, any idea for best protecting in the future?

Yes boot to safe mode and delete the msupdt.exe file.

I would say the first line of defense is your AV. I see you have Norton. I use it too and although I have it set to update automatically I still run Live update manually every day or two.

Of course a well configured firewall is a must.

I also think that all PC users should use Spybot, Adaware and SpywareBlaster.

I always recommend the following.

Go here and download Adaware 6

Install the program and launch it.

I strongly recommend that you read the help file to familiarize yourself with the program.

Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
The click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning" ...........then......under "Cleaning engine" put a ckeck by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot" then click "Proceed"

Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest referencefiles.
After getting the latest referencefiles you are ready to scan.

Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

When it is finished let it fix everything it finds.

Restart your computer.

Then go here and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently.
The Immunize feature in Spybot used in conjunction with SpywareBlaster and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster on a weekly basis.

And of course you have Hijack This which you can familiarize yourself with and run it occassionally to check for unusual entries.
See less See more
1 - 8 of 8 Posts
Not open for further replies.