Results 1 to 3 of 3
  1. #1
    Member caliFRAGi's Avatar
    Join Date
    Aug 2005
    Location
    Indonesia
    Posts
    26
    Points
    0

    Default regedit & msconfig always open with notepad

    hello!

    I got this problem,
    when I run "regedit" and/or "msconfig", the .exe are opened in notepad. but if i run other programs e.g. calc.exe, it runs normal without any problem.

    what I've done:
    ============
    * cleaned up from viruses.
    * I cross-checked with other computer. I try open regedit.exe with notepad. the results are same (scrambled character appears on notepad).
    * I copied fresh regedit.exe, but still no avail.
    * I double clicked c:\windows\regedit.exe and the results are same.
    * I make a blank .reg file then double click it. a windows pop-up:
    cannot find the regedit.exe file. Do you want to create a new file?
    if I click YES, a new regedit.exe (0 byte) is created on the same folder.
    * I cross-checked .reg "file types", "opens with" and "advanced" options isn't changed.
    * I run "Bart-PE Windows" from CD, I open regedit.exe and it works without problems.

    history:
    ======
    this computer had beed infected by brontok virus badly. It was frustating. I can't open task manager, the folder options' missing, can't open regedit and ms config, can't disable system restore, the virus is working on safe mode, etc. but finally I managed to wipe out the virus.

    here's the latest HJT log:
    ===================
    Logfile of HijackThis v1.99.1
    Scan saved at 12:11:32, on 06/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\slserv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\1XConfig.exe
    C:\Documents and Settings\Pdt. Kadek\Desktop\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


    thanks!
    _,.-^'supercaliFRAGIlisticexpialidocious'^-.,_

  2. #2
    Moderator Forum Moderator arraknid's Avatar
    Join Date
    Dec 2006
    Location
    France
    Posts
    6,151
    Points
    1293
    Blog Entries
    4

    Default

    The virus has reset some of your registry entries. Download and run this script http://securityresponse.symantec.com...UnHookExec.inf which will reset your reg entries to default.

    Also, you should be posting your logs in the Spyware Section. You should also make sure you have the latest version of HJT, because the one you have is out of date.

    I suggest you download the latest version from here http://www.trendsecure.com/portal/en...ols/hijackthis do a rescan and post your log in the Spyware section.



    Good luck.
    Last edited by arraknid; 06-06-2008 at 12:25 PM.

  3. #3
    Member caliFRAGi's Avatar
    Join Date
    Aug 2005
    Location
    Indonesia
    Posts
    26
    Points
    0

    Default

    sorry, wrong section.

    I'll post it again on spyware section.
    thanks!
    _,.-^'supercaliFRAGIlisticexpialidocious'^-.,_