I realize it's been almost a week since you've posted... I don't know if you're still following this thread, or if you've tried seeking alternative help. if your situation hasn't changed any, here's what you can do:
you have
two separate WinFixer infections: an installer, and a vundo trojan.
UnZip it ... it will create a folder a folder of its own (a
RegSeeker folder) containing a bunch of files.
Restart your computer and boot into
SAFE Mode...
if SAFE mode allows to you specify a
user/login, then log-in with your usual login name.
Hopefully, you'll still be able to locate the RegSeeker folder in SAFE mode.
Go there, and open/run the
RegSeeker program.
Click-on
Find in Registry...
then place a
check-mark in
all of the
HKEY options
and where it asks about
search for , you should type in:
NI.UWFX5_0001_N56M0311
[if you can, COPY it from here, and PASTE it into there]
and click on
SEARCH.
When it finishes, click-on
Select ALL... which expands into a small menu from which you need to
again choose
Select ALL (you should notice some changes in color, as the items found are highlighted).
right click on the highlighted selections and choose
Delete Selected Items.
Reboot into regular mode, generate another HJT log, and hopefully, it should be gone this time.
*********************
for the tojan version: download
VirtumundoBeGone from:
* Save it to your Desktop * Close all running programs (including your Internet Browser) * Double-click VirtumundoBeGone.exe on the desktop * Follow the directions as indicated
please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.
just reboot if your system "jams"
*********************
It's now time to report back to us: VirtumundoBeGone generated a "log" file of its own, VBG.TXT , which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.
this is the log result after the reseeker. I wasn't sure if it did any thing or not.
Logfile of HijackThis v1.99.1
Scan saved at 8:11:02 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
this was the log result after the virtumundobegone
[01/04/2006, 20:18:31] - VirtumundoBeGone v1.5 ( "C:\HJT\VirtumundoBeGone.exe" )
[01/04/2006, 20:18:40] - Detected System Information:
[01/04/2006, 20:18:40] - Windows Version: 5.1.2600, Service Pack 2
[01/04/2006, 20:18:40] - Current Username: AAA (Admin)
[01/04/2006, 20:18:40] - Windows is in NORMAL mode.
[01/04/2006, 20:18:40] - Searching for Browser Helper Objects:
[01/04/2006, 20:18:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/04/2006, 20:18:40] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/04/2006, 20:18:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/04/2006, 20:18:40] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/04/2006, 20:18:40] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/04/2006, 20:18:40] - BHO 3: {944864A5-3916-46E2-96A9-A2E84F3F1208} (ADefaultSearch Class)
[01/04/2006, 20:18:40] - BHO 4: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/04/2006, 20:18:40] - BHO 5: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[01/04/2006, 20:18:40] - ALERT: Found MSEvents Object!
[01/04/2006, 20:18:40] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/04/2006, 20:18:40] - Finished Searching Browser Helper Objects
[01/04/2006, 20:18:40] - *** Detected MSEvents Object
[01/04/2006, 20:18:40] - Trying to remove MSEvents Object...
[01/04/2006, 20:18:41] - Terminating Process: IEXPLORE.EXE
[01/04/2006, 20:18:41] - Terminating Process: RUNDLL32.EXE
[01/04/2006, 20:18:42] - Disabling Automatic Shell Restart
[01/04/2006, 20:18:42] - Terminating Process: EXPLORER.EXE
[01/04/2006, 20:18:42] - Suspending the NT Session Manager System Service
[01/04/2006, 20:18:42] - Terminating Windows NT Logon/Logoff Manager
[01/04/2006, 20:18:42] - Re-enabling Automatic Shell Restart
[01/04/2006, 20:18:42] - File to disable: C:\WINDOWS\system32\ddaba.dll
[01/04/2006, 20:18:42] - Renaming C:\WINDOWS\system32\ddaba.dll -> C:\WINDOWS\system32\ddaba.dll.vir
[01/04/2006, 20:18:42] - File successfully renamed!
[01/04/2006, 20:18:42] - Removing HKLM\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/04/2006, 20:18:42] - Removing HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/04/2006, 20:18:42] - Adding Kill Bit for ActiveX for GUID: {B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/04/2006, 20:18:42] - Deleting ATLEvents/MSEvents Registry entries
[01/04/2006, 20:18:42] - Removing HKLM\...\Winlogon\Notify\ddaba
[01/04/2006, 20:18:43] - Searching for Browser Helper Objects:
[01/04/2006, 20:18:43] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/04/2006, 20:18:43] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/04/2006, 20:18:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/04/2006, 20:18:43] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/04/2006, 20:18:43] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/04/2006, 20:18:43] - BHO 3: {944864A5-3916-46E2-96A9-A2E84F3F1208} (ADefaultSearch Class)
[01/04/2006, 20:18:43] - BHO 4: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/04/2006, 20:18:43] - BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/04/2006, 20:18:43] - Finished Searching Browser Helper Objects
[01/04/2006, 20:18:43] - Finishing up...
[01/04/2006, 20:18:43] - A restart is needed.
[01/04/2006, 20:18:43] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[01/04/2006, 20:19:20] - Attempting to Restart via STOP error (Blue Screen!)
if you could get back to me as soon as you can that would be great. I have talk to several other people who can not help me. So thank you for at list trying. I have a feeling my system is going to crash any time now. Thanks again
1) the HJT log shows that RegSeeker successfully deactivated the WinFixer "installer"; and
2) the VBG log indicates that VBG successfully deactivated the Winfixer vundo-trojan.
However,
from the time-stamps, I see that your HJT log was generated at "
8:11:02 PM, on 1/4/2006",
which was 7 minutes
before you ran VBG at 20:18 [=
8:18 PM],
which explains why the vundo trojan still appears in your HJT log.
As such, I am going on the assumption that it will not be there when you post your next log.
********************
What problems are you now experiencing, that make you believe your system is about to crash any time??
********************
I see one highly-"questionable" item in your log... it seems you're running the Accoona tool bar. If you knowingly, willingly, and intentionally installed [and want to keep] this product, then you should skip the removal steps i'm gonna mention here. But if it got installed "against your will", or you don't know anything about it, i think you should remove it.
First, go to your
control panel, click on
Add-Remove programs, and see
ifyou can find any mention of Acoona there.... and if so [and if you decided to delete it], then try selecting/removing it.
If you found/removed it via control panel, that may automatically remove some lines from your HJT log. I'm gonna tell you what to look for... if they've already been removed, there's nothing more to do... but if still present, we can try to remove them with HJT.
close your internet browser
Run HJT. click on DO A SYSTEM SCAN ONLY
Place a check-mark in the box in front of the lines:
Click on FIX CHECKED. Close HJT. Reboot. And see if Accoona comes back or not.
[If Accoona is still there... i.e., if either (or both) of these lines still appears in your log after rebooting... then you should reboot your system into SAFE MODE (by tapping the F8-key during the boot-up process, and selecting SAFE MODE), and try this FIX again while running HJT in SAFE MODE; and then, reboot into NORMAL mode.]
*****************************************
if your system seems "stable"-enough at the moment, then I want you to try the following... however, if it stills seems UNstable to you, then skip this step [which involves a 16MB download[:
it appears you're running Sun Java
j2re1.4.2_03 . there is much speculation that a "hole" in this particular version is being exploited by WinFixer. so we should upgrade to the latest version,
1.5.0_06 from
http://www.java.com/en/download/manual.jsp
my personal preference is to download the MANUAL (OFFline) installation version (16 MB). but if you prefer the online installation, that choice is yours.
AFTER you successfully install the new java, go to your control panel, ADD/REMOVE programs, and
UNinstall all older versions of Java (if any) that still show up there.... especially the 1.4.2_03.
****************************
when you're done [with either removing Acoona, or installing Java, or doing both --- or doing neither],
REPLY to
thisthread, and post an updated/revised HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 6:01:18 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Is there any other problems that you can detect from the log? I how else can I find viruses or spyware on my computer. I started having troules when my Norton Internet Security was "unable to start the integrator". I'm still trying to get help with that. I don't know if you can help me with it or not. Thank you
I see you removed the Accoona toolbar, and the old java....
but it looks like you didn't install the new java... any reason why???
I'm "specializing" in only certain types of infections (such as WinFixer), so at this point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when the next helper will arrive.
There is something strange about this log. The word "rem" appears in so many of the otherwise normal O4 entries. I have sent an email to the spyware list where the HijackTHis designer hangs out asking if he has any idea what is going on. Will let you know as soon as he replies. While we wait for him to get back to us let's run rootkitrevealer and see if it finds anything odd. We are mostly interested in lines that end with .exe, .dll, or .sys. It seems to always flag a few registry entries saying the sizes don't match so ignore them.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 7/11/2005 11:32 AM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0832NAV~.TMP 1/9/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0025579.ini 1/7/2006 6:15 PM
The search for the rem files i wasn't sure if i typed it in correctly. This is what the screen displays...
Microsoft Windows XP [Version 5.1.2600]
C:\Documents and Settings\AAA>cd\
C:\>dir/a/s rem.*
Volume in drive C has no label.
Volume Serial Number is 40C3-4B3C
Directory of C:\Documents and Settings\All Users\Application Data\Symantec\Norton Antivirus\Tasks
03/15/2005 01:55 PM 436 rem.sca
1 File(s) 436 bytes
Total Files Listed:
1 File(s) 436 bytes
0 Dir(s) 39,696,510,976 bytes free
I don't know if i told about my Norton Internet Security, but it stopped working after i downloaded some music. That is why think i have all these viruses and stuff. I have tried to uninstall Norton and reinstall it, but it will not let me uninstall it. So if it is possible for you to help me with this issue also that would be wonderful. Thanx
I talked to some gurus on the MVP antispyware list and they tell me the "rem" in the O4s is a technique used to disable the entry. If you look at the last log you will see that one of the things with the rem is
O4 - HKLM\..\Run: [ccApp] rem "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
This is a critical part of Norton/Symantec antivirus. I don't know if Spyware Cleaner did this or one of your other bugs.
I am afraid this is going to take some registry edits to fix. Be careful and check everything twice. If something is not clear then stop and comeback here and ask me for clarification (in a Reply to this post)
Click the Start button and then click Run. The Run dialog box appears.
Type regedit and click OK. The Registry Editor opens.
By Navigate, they mean, Look in the left pane and find the entry HKEY_Local_Machine and click on the + sign in front of it. This will open up the subfolders. Find Software and click on its + then Microsoft then Current Version. When you find Run then click once on Run which should cause a bunch of entries to show up in the right pane.
The right pane will display one or more string values.
For each value other than (Default) which has a rem in the string, follow the instructions in steps 5 through 9.
Double-click a String Value in the right pane. The Edit String dialog box will appear with the value selected.
Press the Home key on the keyboard. The cursor should be to the left of the string value, and the value should no longer be selected. Please verify that this is the case before going to the next step.
Hit Delete four times. This should remove the word REM and the space after it. Do not delete anything more.
Click OK.
Repeat these steps for each string value that has REM in it.
Logfile of HijackThis v1.99.1
Scan saved at 5:48:30 PM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
When I restarted my computer a different error message popped up saying that it couldn't find the NISP. And then another came up for "Norton AntiViruss has encountered an internal program error. Uninstall and re-install Norton AnitVirus." When I click on the Norton Internet Security icon this error still comes up "Unable to start the Integrator. Please reboot and try again. If this fails, please contact technical support." I guess the error messages are some what a good thing becasue at least it is recognizing that there is a problem.
I think there are a couple of the Norton services that are not coming up. Start, Run, eventvwr.msc, OK to bring up the Event Viewer then select Applications and look for errors that happened near your last start up time. Double click on them to open and look to see if any of them talk about norton or symantec or ccPwdSvc.exe, ISSVC.exe, SAVScan.exe, SBServ.exe. If you find one, copy the text (press the bottom of the three buttons then move to a reply and Edit Paste). Also look in System and see if there are any useful errors there.
I know it is possible to disable Norton by a registry entry. You can check that it is set correctly:
Use regedit to navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem Verify that the value of the NtfsDisable8dot3NameCreation key (if found) is 0. If it is 1 or 2 change it back to 0.
Start, Run, services.msc, OK then look for each of the following services and see which ones are not running. Doubleclick on each to open it up and then try to Start them and note what it says when and if they do not start.
"Could not start the Symantec Password Validation service on Local Computer.
Error 1053: The service did not respond to the start or control request in a timely fashion."
"Could not start the ISSvc service on Local Computer
Error 1053: The service did not respond to the start or control request in a timely fashion."
ky331
3 Apprentice
•
15.6K Posts
0
December 25th, 2005 13:00
http://www.hoverdesk.net/dl/en/RegSeeker.zip
UnZip it ... it will create a folder a folder of its own (a RegSeeker folder) containing a bunch of files.
Hopefully, you'll still be able to locate the RegSeeker folder in SAFE mode.
When it finishes, click-on Select ALL... which expands into a small menu from which you need to again choose Select ALL (you should notice some changes in color, as the items found are highlighted).
Reboot into regular mode, generate another HJT log, and hopefully, it should be gone this time.
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated
please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.
just reboot if your system "jams"*********************
It's now time to report back to us: VirtumundoBeGone generated a "log" file of its own, VBG.TXT , which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.
ky331
3 Apprentice
•
15.6K Posts
0
January 5th, 2006 12:00
Scan saved at 8:11:02 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] rem C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] rem C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] rem C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] rem "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] rem "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] rem "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] rem "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] rem C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] rem C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] rem C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] rem C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] rem "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRA~1\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] rem "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] rem C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132854975592
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: ddaba - C:\WINDOWS\system32\ddaba.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
[01/04/2006, 20:18:40] - Detected System Information:
[01/04/2006, 20:18:40] - Windows Version: 5.1.2600, Service Pack 2
[01/04/2006, 20:18:40] - Current Username: AAA (Admin)
[01/04/2006, 20:18:40] - Windows is in NORMAL mode.
[01/04/2006, 20:18:40] - Searching for Browser Helper Objects:
[01/04/2006, 20:18:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/04/2006, 20:18:40] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/04/2006, 20:18:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/04/2006, 20:18:40] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/04/2006, 20:18:40] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/04/2006, 20:18:40] - BHO 3: {944864A5-3916-46E2-96A9-A2E84F3F1208} (ADefaultSearch Class)
[01/04/2006, 20:18:40] - BHO 4: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/04/2006, 20:18:40] - BHO 5: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[01/04/2006, 20:18:40] - ALERT: Found MSEvents Object!
[01/04/2006, 20:18:40] - BHO 6: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/04/2006, 20:18:40] - Finished Searching Browser Helper Objects
[01/04/2006, 20:18:40] - *** Detected MSEvents Object
[01/04/2006, 20:18:40] - Trying to remove MSEvents Object...
[01/04/2006, 20:18:41] - Terminating Process: IEXPLORE.EXE
[01/04/2006, 20:18:41] - Terminating Process: RUNDLL32.EXE
[01/04/2006, 20:18:42] - Disabling Automatic Shell Restart
[01/04/2006, 20:18:42] - Terminating Process: EXPLORER.EXE
[01/04/2006, 20:18:42] - Suspending the NT Session Manager System Service
[01/04/2006, 20:18:42] - Terminating Windows NT Logon/Logoff Manager
[01/04/2006, 20:18:42] - Re-enabling Automatic Shell Restart
[01/04/2006, 20:18:42] - File to disable: C:\WINDOWS\system32\ddaba.dll
[01/04/2006, 20:18:42] - Renaming C:\WINDOWS\system32\ddaba.dll -> C:\WINDOWS\system32\ddaba.dll.vir
[01/04/2006, 20:18:42] - File successfully renamed!
[01/04/2006, 20:18:42] - Removing HKLM\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/04/2006, 20:18:42] - Removing HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/04/2006, 20:18:42] - Adding Kill Bit for ActiveX for GUID: {B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/04/2006, 20:18:42] - Deleting ATLEvents/MSEvents Registry entries
[01/04/2006, 20:18:42] - Removing HKLM\...\Winlogon\Notify\ddaba
[01/04/2006, 20:18:43] - Searching for Browser Helper Objects:
[01/04/2006, 20:18:43] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/04/2006, 20:18:43] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/04/2006, 20:18:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/04/2006, 20:18:43] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/04/2006, 20:18:43] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/04/2006, 20:18:43] - BHO 3: {944864A5-3916-46E2-96A9-A2E84F3F1208} (ADefaultSearch Class)
[01/04/2006, 20:18:43] - BHO 4: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[01/04/2006, 20:18:43] - BHO 5: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[01/04/2006, 20:18:43] - Finished Searching Browser Helper Objects
[01/04/2006, 20:18:43] - Finishing up...
[01/04/2006, 20:18:43] - A restart is needed.
[01/04/2006, 20:18:43] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[01/04/2006, 20:19:20] - Attempting to Restart via STOP error (Blue Screen!)
ky331
3 Apprentice
•
15.6K Posts
0
January 5th, 2006 12:00
close your internet browser
Run HJT. click on DO A SYSTEM SCAN ONLY
Place a check-mark in the box in front of the lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
Click on FIX CHECKED. Close HJT. Reboot. And see if Accoona comes back or not.
[If Accoona is still there... i.e., if either (or both) of these lines still appears in your log after rebooting... then you should reboot your system into SAFE MODE (by tapping the F8-key during the boot-up process, and selecting SAFE MODE), and try this FIX again while running HJT in SAFE MODE; and then, reboot into NORMAL mode.]
*****************************************
if your system seems "stable"-enough at the moment, then I want you to try the following... however, if it stills seems UNstable to you, then skip this step [which involves a 16MB download[:
AAA7517
10 Posts
0
January 5th, 2006 23:00
Scan saved at 6:01:18 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program Files\Norton Internet Security\ccEmFlSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\AAA\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] rem C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RealTray] rem C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] rem "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] rem "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] rem "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] rem "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] rem C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] rem C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] rem C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] rem C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] rem "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRA~1\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] rem "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] rem C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132854975592
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
ky331
3 Apprentice
•
15.6K Posts
0
January 6th, 2006 11:00
I see you removed the Accoona toolbar, and the old java....
but it looks like you didn't install the new java... any reason why???
I'm "specializing" in only certain types of infections (such as WinFixer), so at this point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when the next helper will arrive.
Good luck.
RKinner
2 Intern
•
5.9K Posts
0
January 8th, 2006 11:00
There is something strange about this log. The word "rem" appears in so many of the otherwise normal O4 entries. I have sent an email to the spyware list where the HijackTHis designer hangs out asking if he has any idea what is going on. Will let you know as soon as he replies. While we wait for him to get back to us let's run rootkitrevealer and see if it finds anything odd. We are mostly interested in lines that end with .exe, .dll, or .sys. It seems to always flag a few registry entries saying the sizes don't match so ignore them.
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Also, Start, Run, cmd, OK to bring up a black CMD screen. Type:
cd \
dir /a /s rem.*
(This will search your whole drive for a file named rem.something. IF it finds it tell me what it finds and where it finds it.)
Ron
AAA7517
10 Posts
0
January 9th, 2006 22:00
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0832NAV~.TMP 1/9/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0025579.ini 1/7/2006 6:15 PM
RKinner
2 Intern
•
5.9K Posts
0
January 10th, 2006 13:00
I talked to some gurus on the MVP antispyware list and they tell me the "rem" in the O4s is a technique used to disable the entry. If you look at the last log you will see that one of the things with the rem is
O4 - HKLM\..\Run: [ccApp] rem "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
This is a critical part of Norton/Symantec antivirus. I don't know if Spyware Cleaner did this or one of your other bugs.
I am afraid this is going to take some registry edits to fix. Be careful and check everything twice. If something is not clear then stop and comeback here and ask me for clarification (in a Reply to this post)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
By Navigate, they mean, Look in the left pane and find the entry HKEY_Local_Machine and click on the + sign in front of it. This will open up the subfolders. Find Software and click on its + then Microsoft then Current Version. When you find Run then click once on Run which should cause a bunch of entries to show up in the right pane.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Run HijackThis afterwards and post the log as a reply. Does that help Norton any?
Ron
AAA7517
10 Posts
0
January 10th, 2006 22:00
Scan saved at 5:48:30 PM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Documents and Settings\AAA\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRA~1\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132854975592
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
RKinner
2 Intern
•
5.9K Posts
0
January 10th, 2006 23:00
I think there are a couple of the Norton services that are not coming up. Start, Run, eventvwr.msc, OK to bring up the Event Viewer then select Applications and look for errors that happened near your last start up time. Double click on them to open and look to see if any of them talk about norton or symantec or ccPwdSvc.exe, ISSVC.exe, SAVScan.exe, SBServ.exe. If you find one, copy the text (press the bottom of the three buttons then move to a reply and Edit Paste). Also look in System and see if there are any useful errors there.
I know it is possible to disable Norton by a registry entry. You can check that it is set correctly:
Use regedit to navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem
Verify that the value of the NtfsDisable8dot3NameCreation key (if found) is 0. If it is 1 or 2 change it back to 0.
Ron
RKinner
2 Intern
•
5.9K Posts
0
January 11th, 2006 21:00
Start, Run, services.msc, OK then look for each of the following services and see which ones are not running. Doubleclick on each to open it up and then try to Start them and note what it says when and if they do not start.
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Ron
Message Edited by RKinner on 01-11-2006 05:44 PM
AAA7517
10 Posts
0
January 11th, 2006 21:00
RKinner
2 Intern
•
5.9K Posts
0
January 12th, 2006 00:00
AAA7517
10 Posts
0
January 12th, 2006 00:00
Error 1053: The service did not respond to the start or control request in a timely fashion."
"Could not start the ISSvc service on Local Computer
Error 1053: The service did not respond to the start or control request in a timely fashion."