
Blue Screen Of Death


6 replies to this topic

#1 2424 (Members, 4 posts)

Posted 19 May 2007 - 03:08 AM

I'm trying to clean up a friend's computer. He says he has recently had the blue screen of death as well as running very slowly; it can't run multiple programs at once, doesn't respond, etc.

Any input?

Logfile of HijackThis v1.99.1
Scan saved at 12:55:58 AM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 19 May 2007 - 04:17 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, 2424 :thumbsup:

Please make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\auserinit.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply please.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\auserinit.exe
Then click on 'Send'.
Post the results into your next reply please.

Also post a new Hijackthis log.
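The reply above singles out the F2 UserInit entry because HijackThis only prints that line when the Winlogon Userinit value is something other than the stock userinit.exe, which is a classic place for malware to hook the logon sequence. The script below is an added example for this thread, not part of HijackThis or of any post here: it parses the "Xn - body" line format that HijackThis writes and flags the entries a log reviewer looks at first (a non-default UserInit in F2, AppInit_DLLs in O20, and O23 services whose binary is missing). The default UserInit path it compares against is the Windows XP value and is an assumption of the script; the sample lines are constructed from the shapes seen in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Assumed Windows XP default: HKLM\...\Winlogon\Userinit = C:\WINDOWS\system32\userinit.exe,
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample in the shape HijackThis 1.99.1 prints (lines modelled on the thread).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# Section code (R0, F2, O23 ...), a " - " separator, then the entry body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, raw_line) for every well-formed HijackThis line."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def userinit_value(body):
    """Normalise the path in an F2 UserInit body: drop quotes and the trailing comma, lowercase."""
    _, _, value = body.partition("UserInit=")
    return value.strip().strip('"').rstrip(",").lower()


def triage(text):
    """Apply the review rules to a log and return the findings in log order."""
    findings = []
    for section, body, raw in parse_entries(text):
        if section == "F2" and "UserInit=" in body:
            value = userinit_value(body)
            if value != DEFAULT_USERINIT:
                findings.append(Finding(section, f"UserInit is not the default userinit.exe: {value}", raw))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding(section, "AppInit_DLLs loads this DLL into every process that uses user32; confirm the vendor", raw))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, "service entry points at a missing binary; stale leftover or tampering", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run on the sample it reports three findings, the UserInit line first; paste a full log into SAMPLE_LOG (or read it from a file) to triage a real one. The rules are deliberately conservative: they surface entries worth checking, such as submitting the flagged binary to a multi-engine scanner as the reply asks, rather than declaring anything malicious.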

#3 2424 (Topic Starter, Members, 4 posts)

Posted 19 May 2007 - 02:09 PM

It seems to have not found anything. New HJT log attached below. I found his spyware tool, Spyware Doctor, ran it, and it found 201 infections, but it's still having problems. In fact, in Firefox last night, anything we typed in the address bar showed up backwards and reversed, like we were typing on the wrong side of a mirror on the screen. Weird. Also some official-looking "send error report" screen has been coming up saying something to the effect of "Curtains for Windows blah blah blah service (NT)"; I forget what it says, but it looks strange.

File: AUserInit.exe
Status: OK
MD5: 4cfcb70380bf3e6b714124fea9f73d67
Packers detected: -
Scanner results
Scan taken on 19 May 2007 18:58:07 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing



Logfile of HijackThis v1.99.1
Scan saved at 12:03:31 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

Edited by 2424, 19 May 2007 - 02:20 PM.


#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 19 May 2007 - 03:10 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

******************************

Download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Also post a new Hijackthis log please.
Let me know how your pc is running now.


#5 2424 (Topic Starter, Members, 4 posts)

Posted 19 May 2007 - 09:10 PM

OK, did all that, had a little issue. After downloading drweb-cureit and booting in safe mode there was no icon for drweb-cureit. Now maybe this could have been because possibly only so many desktop icons fit on the screen in safe mode, but I even used the Start button, Run function and entered the drweb-cureit.exe file name, and that wouldn't run anything. Unable to find the icon, I rebooted in normal mode and there it was right where I left it. So I ran the desktop cleanup tool to get rid of a lot of the crap on the desktop and then rebooted in safe mode, and then I was able to see the drweb icon and follow the directions from there.

There is no drweb log because it didn't find anything. Here is the log from SuperAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/19/2007 at 04:11 PM

Application Version : 3.7.1018

Core Rules Database Version : 3241
Trace Rules Database Version: 1252

Scan type : Complete Scan
Total Scan Time : 00:44:09

Memory items scanned : 556
Memory threats detected : 0
Registry items scanned : 6672
Registry threats detected : 14
File items scanned : 38722
File threats detected : 163

Adware.MyWay
HKLM\Software\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}\InprocServer32
C:\PROGRAM FILES\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL

Trojan.Zlob Downloader
C:\PROGRAM FILES\ZIPCODEC\ZCODEC.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\zcodec.exe

Adware.Tracking Cookie
C:\Documents and Settings\daniel\Cookies\daniel@omnistats[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@thunderbolt.adjuggler[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.macromedia[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@nextag[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@rotator.dex.adjuggler[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@tripod[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@partner2profit[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@adopt.euroclick[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@clicks.emarketmakers[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@ads.revsci[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@revsci[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@20417[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@roiservice[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@adserving.autotrader[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@media.adrevolver[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@clicksor[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@adinterax[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@track.bestbuy[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@ads.realtechnetwork[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@anad.tacoda[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@azoogleads[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@xxxsupersize[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.googleadservices[5].txt
C:\Documents and Settings\daniel\Cookies\daniel@icc.intellisrv[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@e-2dj6wfkiqncpgbp.stats.esomniture[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@tacoda[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@sexybabesx[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@stats.adbrite[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@adultfriendfinder[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@ads.touregypt[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@jaystats[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@banner[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@38293[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@24292[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@adopt.specificclick[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.nextag[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@imagemedia[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@click2houston[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.googleadservices[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@drivecleaner[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@tracker.myspacemaps[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.screensavers[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@38302[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@specificclick[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@e-2dj6wgkyagajcdp.stats.esomniture[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@e-2dj6wgkyqldzcap.stats.esomniture[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.shemalesexzone[3].txt
C:\Documents and Settings\daniel\Cookies\daniel@gayhentaixxx[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@e-2dj6wfmywpc5mko.stats.esomniture[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@a.websponsors[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@ex=1_[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@adultlounge[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.drivecleaner[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@incest.madsexxx[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@roi2.clicklab[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@myadultreviews[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@ez-tracks[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@xxxpower[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@38274[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.googleadservices[3].txt
C:\Documents and Settings\daniel\Cookies\daniel@adcache.collectorcartraderonline[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@38275[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@stats.drivecleaner[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@click.payserve[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.movieland[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@mb[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.trackingroi[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@shakiramedia[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@publishers.clickbooth[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@24293[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.ez-tracks[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.adultplayersclub[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@weborama[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@38278[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@ad.media-servers[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@adbrite[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@ads.vitalix[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@secure.drivecleaner[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@leadprocesstrack[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@pt.crossmediaservices[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@feed.validclick[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@vhost.oddcast[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@qnsr[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@onlinerewardcenter[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@38291[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@admarketplace[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@xxxmov[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@38299[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.googleadservices[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.click2houston[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.shemalesexzone[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@mb[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@38283[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@soundclick[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@click.zoopartners[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@go.drivecleaner[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@newsexbuddy[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@20423[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@sexuality.about[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@i.screensavers[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@precisionclick[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@38303[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@www.gamestracker.co[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@stat-counter.fabrica.net[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@ads.traderonline[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@eztracks.aavalue[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@ad2.pl.mediainter[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@cdn.euroclick[1].txt
C:\Documents and Settings\daniel\Cookies\daniel@screensavers[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@adserving.cpxinteractive[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@38262[2].txt
C:\Documents and Settings\daniel\Cookies\daniel@banners[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@2o7[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@ad.yieldmanager[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@adknowledge[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@adopt.specificclick[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@adrevolver[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@adrevolver[3].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@ads.addynamix[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@ads.pointroll[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@adserving.autotrader[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@adtech[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@advertising[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@atdmt[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@ath.belnk[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@banner[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@belnk[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@burstnet[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@casalemedia[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@citi.bridgetrack[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@coxhsi.112.2o7[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@dist.belnk[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@doubleclick[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@ehg-equifax.hitbox[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@ehg-traderpublishing.hitbox[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@fastclick[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@hitbox[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@linksynergy[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@maxserving[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@media.fastclick[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@mediaplex[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@nextag[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@overture[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@perf.overture[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@polo.112.2o7[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@qnsr[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@realmedia[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@revenue[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@revsci[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@statcounter[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@statse.webtrendslive[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@tacoda[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@targetnet[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@trafficmp[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@tribalfusion[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@valueclick[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@www.burstbeacon[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@www.burstnet[2].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@z1.adserver[1].txt
C:\Documents and Settings\daniel\Local Settings\Temp\Cookies\daniel@zedo[1].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

Trojan.Malware
HKCR\AVZipEnchancer.Chl
HKCR\AVZipEnchancer.Chl\CLSID

Trojan.Media-Codec
HKCR\VSEnchancer.Chl
HKCR\VSEnchancer.Chl\CLSID

Adware.MovieLand/MediaPipe
C:\PROGRAM FILES\FSUPPORT\NOTIFIER.EXE

________________________________________________________


Here is the new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:06:07 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

#6 2424

2424
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 20 May 2007 - 12:14 AM

I've been using the computer for the past few hours; it seems to be working fine now. It seems Norton can't find LiveUpdate... should I reinstall Norton?

Thanks for all the help.

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:27 PM

Posted 20 May 2007 - 03:12 AM

Click on Start/Run, then type regedit, then press OK.
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Double click on the key 'Winlogon'.
In the right-hand window, scroll down to, then double click on, the value "Userinit".

In the 'Edit String' box that opens, edit the following 'Value data' from:
C:\WINDOWS\system32\auserinit.exe
To, and including the comma on the end:
C:\WINDOWS\system32\userinit.exe,

Press OK when you've done, exit regedit, and restart your PC.

Post a new HijackThis log in your next reply.
Let me know if you've still got problems with 'LiveUpdate'.
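The Userinit repair described in the reply above is done by hand in regedit. As an added example (not part of the thread and not RichieUK's instructions), the following PowerShell script audits the same Winlogon value, reports whether it matches the stock default (`userinit.exe` followed by a trailing comma, as the reply spells out), lists every program in the logon chain together with whether the file exists on disk, and only restores the default when run with the assumed `-Fix` switch. The F2 entry in the HijackThis log above (`UserInit=C:\WINDOWS\system32\auserinit.exe`) is the kind of deviation it would flag. Run it from an elevated PowerShell prompt; the backup file name is an assumption of this example.

```powershell
# Added example, not from the thread: audit the Winlogon "Userinit" value and
# optionally restore the default. Without -Fix the script only reports.
param(
    [switch]$Fix
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock default: the real userinit.exe under the system directory, plus a trailing comma.
$expected = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','

$current = (Get-ItemProperty -Path $key -Name Userinit).Userinit
Write-Host "Current Userinit : $current"
Write-Host "Expected Userinit: $expected"

if ($current -ieq $expected) {
    Write-Host 'OK: Userinit is the default value.'
    exit 0
}

# Anything else means the logon chain has been altered: an extra program appended,
# a substituted binary (such as the auserinit.exe in the HJT log), or a missing comma.
Write-Warning 'Userinit differs from the default value.'

# Userinit is a comma-separated list; show each entry and whether it exists on disk.
$entries = ($current -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
foreach ($entry in $entries) {
    $exists = Test-Path -LiteralPath $entry
    Write-Host ('  entry: {0}  (file exists: {1})' -f $entry, $exists)
}

if ($Fix) {
    # Keep a copy of the old value so the change can be reviewed or reverted.
    $backup = Join-Path $env:TEMP ('Userinit-backup-{0}.txt' -f (Get-Date -Format 'yyyyMMddHHmmss'))
    Set-Content -Path $backup -Value $current
    Set-ItemProperty -Path $key -Name Userinit -Value $expected
    Write-Host "Userinit restored to default. Previous value saved to $backup. Reboot to apply."
} else {
    Write-Host 'Re-run with -Fix to restore the default value.'
}
```

The comparison is deliberately an exact match against the full default string rather than a check that `userinit.exe` merely appears somewhere in the value: a replaced or appended entry, or a dropped trailing comma, all count as tampering, so a report-only run before any change shows exactly what would be overwritten.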



