Solved

Lost RUN cmd, Task Mgr and Home page option

Posted on 2006-11-28
615 Views
Last Modified: 2013-11-18
I have malware that has removed my Run command from the Start menu (XP), prevents me from bringing up the Task Manager and has locked me out of the ability to change my home page. I was running McAfee, but it failed to find most of my problems. I installed Norton 2007 and ran it. I cleaned up two worms and a number of adware programs. I then downloaded and ran RegistrySmart 2006. It found numerous problems, which have been fixed. I ran the HijackRegistry program (log is below). What now?



HijackThis log file analysis
Analysis 1 29.11.2006, 00:02:50

               
We didn't detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall from an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall. Download and install one, or activate Windows XP's own one. If you have questions or want us to add the firewall you use to our database, contact us at our forum.
Entry | Kind (Safe, Nasty, Unknown) | Description | Tip

Logfile of HijackThis v1.99.1
  Safe. Shows the version of HijackThis. The newest version is v1.99.1. Tip: this should be the newest version (v1.99.1).
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  Safe. Shows the version of your Internet Explorer. The newest version is 6.00.2900.2180. Tip: this should be the newest version (6.00.2900.2180).
C:\WINDOWS\System32\smss.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\system32\winlogon.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\system32\services.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\system32\lsass.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\system32\svchost.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\System32\svchost.exe
  Safe. This entry was classified by our visitors as good.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
  Unknown. Running process (ccSvcHst.exe). This is an unknown process.
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
  Unknown. Running process (AppSvc32.exe). This is an unknown process.
C:\WINDOWS\system32\spoolsv.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\Explorer.EXE
  Safe. This entry was classified by our visitors as good.
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\System32\svchost.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\system32\svchost.exe
  Safe. This entry was classified by our visitors as good.
C:\WINDOWS\system32\hkcmd.exe
  Safe. This entry was classified by our visitors as good.
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
  Safe. Running process (DirectCD.exe): Roxio WinOnCD.
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
  Safe. Running process (hpztsb08.exe): part of Hewlett-Packard.
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
  Safe. Running process (HPWuSchd.exe): Hewlett-Packard Software Update.
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
  Safe. Running process (hpotdd01.exe): part of Hewlett-Packard.
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
  Safe. Running process (LVCOMS.EXE). Possibly nasty! According to our database this process normally runs in c:\programme\common files\logitech\qcdriver3\. Check whether you know this process and arrange a virus check where required.
C:\WINDOWS\system32\ezSP_Px.exe
  Safe. Running process (ezSP_Px.exe): Easy Systems Drag'n Drop CD & DVD.
C:\Program Files\iTunes\iTunesHelper.exe
  Safe. Running process (iTunesHelper.exe): Apple iTunes. Not dangerous, but unnecessary.
C:\Program Files\QuickTime\qttask.exe
  Safe. Running process (qttask.exe): part of QuickTime.
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
  Safe. Running process (jusched.exe): Java Runtime.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
  Safe. This entry was classified by our visitors as good.
C:\Program Files\Messenger\msmsgs.exe
  Safe. Running process (msmsgs.exe): MSN Messenger.
C:\Program Files\Southwest Airlines\Ding\Ding.exe
  Unknown. Running process (Ding.exe). This is an unknown process.
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
  Safe. Running process (ymsgr_tray.exe): Yahoo! Messenger.
C:\Program Files\iPod\bin\iPodService.exe
  Safe. Running process (iPodService.exe).
C:\WINDOWS\System32\svchost.exe
  Safe. This entry was classified by our visitors as good.
C:\Program Files\Internet Explorer\IEXPLORE.EXE
  Safe. This entry was classified by our visitors as good.
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
  Safe. Running process (GoogleToolbarNotifier.exe): associated with GoogleToolbarNotifier from Google Inc.
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
  Safe. Running process (HijackThis.exe): the tool with which you created this log file. The program should be placed like this: C:\Programme\HijackThis\HijackThis.exe. Remember that HijackThis must be run from its own folder; only then will it create backups.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
  Safe. This page has been identified as safe.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
  Safe.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  Safe.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  Safe. Entries found in this registry zone are potentially nasty; this application has been checked. Hit rate: 100,00 %.
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
  Safe. Checked. Hit rate: 100,00 %.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
  Safe. Checked. Hit rate: 100,00 %.
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - (no file)
  Unnecessary. Checked. Hit rate: 94,44 %. Must be fixed! Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
  Safe. Checked. Hit rate: 100,00 %.
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
  Safe. Entries found in this registry zone are potentially nasty; this application has been checked. Hit rate: 100,00 %.
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
  Unnecessary. Checked. Hit rate: 100,00 %. Unnecessary (deactivated) entry that can be fixed.
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
  Safe. Checked. Hit rate: 97,22 %.
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
  Safe. Checked. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
  Safe. Application that implements the Intel Hotkey command. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
  Safe. WinOnCD 5. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
  Safe. Part of Hewlett-Packard Deskjet. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
  Safe. Hewlett-Packard Software Update. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
  Safe. Detection of new imaging, printing and other peripherals on HP machines, such as USB printers, cameras and Bluetooth products. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
  Safe. LVCOMS server, related to the Logitech QuickCam; works fine without it, but it is needed for the Logitech ImageStudio software to connect to the camera. Hit rate: 30,00 %.
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
  Safe. Quick access to the control panel via a system tray icon for graphics based on Intel chipsets (e.g. i810), which are often included on motherboards. Available via Start -> Settings -> Control Panel. Hit rate: 87,50 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
  Safe. Part of TMPGEnc. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  Safe. Hit rate: 100,00 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  Safe. QuickTime. Hit rate: 100,00 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
  Safe. Java from Sun. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
  Unknown. Hit rate: 0,00 %. Unknown application.
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
  Safe. Part of Norton AntiVirus 2003; Auto-Protect and e-mail check will not function without this. Hit rate: 100,00 %.
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
  Unknown. Hit rate: 0,00 %. Unknown application.
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
  Unknown. Hit rate: 0,00 %. Unknown application.
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  Safe. This entry was classified by our visitors as good.
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
  Safe. Yahoo! Messenger allows you to send instant messages. Available via Start -> Programs. Hit rate: 100,00 %.
O4 - HKCU\..\Run: [System Support] system32.exe
  Nasty. Added as a result of the LOGPOLE.C virus! Hit rate: 67,26 %. Must be fixed!
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
  Safe. This entry was classified by our visitors as good.
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
  Unknown. Hit rate: 0,00 %. Unknown application.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  Safe. This entry was classified by our visitors as good.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
  Nasty. Such entries should be fixed as a general rule. To be fixed immediately!
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
  Safe. This entry was classified by our visitors as good.
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103KOUS
  Nasty. The entry &Search has been identified as nasty.
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
  Safe. The entry E&xport to Microsoft Excel has been identified as safe. If it is not needed anymore, it should be fixed.
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
  Possibly nasty. Entries shown in the menu that pops up when right-clicking in Internet Explorer; unknown entries should be fixed. To be fixed if the entry 'Open Picture in &Microsoft PhotoDraw' is unknown.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
  Safe. The entry has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
  Safe. The entry Sun Java Console has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
  Safe. The entry Yahoo! Login has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll
  Safe. The entry Yahoo! Login has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  Safe. The entry AIM has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
  Safe. The entry Real.com has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
  Safe. The entry Yahoo! Messenger has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
  Safe. The entry Yahoo! Messenger has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  Safe. The entry Messenger has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  Safe. The entry Windows Messenger has been identified as safe. If it is not needed anymore, it should be fixed.
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFW BInitialSetup1.0.0.15.cab
  Nasty. This entry is possibly nasty. Should be fixed.
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
  Safe. This entry has been identified as safe.
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.com/resources/MsnPUpld.cab
  Safe. This entry has been identified as safe.
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
  Possibly nasty. Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains words such as 'dialer', 'casino' or 'free plugin', it should be fixed! Check whether you know this site and fix it if you do not.
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
  Safe. This entry has been identified as safe.
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
  Safe. This entry has been identified as safe.
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - https://music.msn.com/client/msnmusax2622.cab
  Safe. This entry has been identified as safe.
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
  Safe. This entry was classified by our visitors as good.
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
  Safe. This entry was classified by our visitors as good.
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
  Safe. These entries show all services which are not from Microsoft; malware often starts as a system service and is not easy to detect. This service (Ati2evxx.exe) was identified as a good one.
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  Safe. This entry was classified by our visitors as good.
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
  Unknown. Unknown service (ccSvcHst.exe).
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
  Unknown. Unknown service (ccSvcHst.exe).
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
  Unknown. Unknown service (ccSvcHst.exe).
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
  Unknown. Unknown service (comHost.exe).
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  Safe. This entry was classified by our visitors as good.
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  Safe. This entry was classified by our visitors as good.
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
  Unknown. Unknown service (isPwdSvc.exe).
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
  Safe. This service (LUCOMS~1.EXE) was identified as a good one.
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
  Safe. This service (PACSPTISVR.exe) was identified as a good one.
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  Safe. This service (SPTISRV.exe) was identified as a good one.
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  Safe. This service (symlcsvc.exe) was identified as a good one.
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
  Unknown. Unknown service (AppSvc32.exe).
Question by:rburris2
7 Comments
 
LVL 30

Expert Comment

by:irwinpks
Could you please post the analysis link?
 
LVL 30

Expert Comment

by:irwinpks
This is my recipe. Please note that you already did the first few steps. However, the analyzed info you have displayed in your question is hard to read, so if you can post the analyzed link, we will have an easier time reading it. Thank you.
--------------------------------------------------
Download and install this
http://www.majorgeeks.com/HijackThis_d3155.html

Then copy the log and paste it in the analyzer
http://www.hijackthis.de/

Analyze the file and POST THE LINK here so that we can take a look at it..

In the mean time, there are several things to apply:

Go to MSCONFIG (START - RUN - type MSCONFIG <enter>), then locate any programs you recognize that you can turn off. Note your changes, as you may need to re-enter them. Restart your machine.
---------------
Download Ewido, http://www.ewido.net/en/download/, install it, open the program, check for updates, restart the computer, press F8 before the Windows logo appears, select Safe Mode, open Ewido and run a full system scan. Let Ewido delete all it finds; if anything is called serious by Ewido, disable Norton's GoBack and run Ewido again.
---------------
chkdsk /r
--------------
Windowsupdate everything except .NET items
 
LVL 23

Expert Comment

by:gecko_au2003
This site will help with backup copies of Task Manager, regedit etc.:

http://www.dougknox.com/xp/utils/xp_emerutils.htm

Also this site will be very handy :

http://windowsxp.mvps.org/ToolsQuit.htm
 
LVL 47

Accepted Solution

by: rpggamergirl (earned 500 total points)
Hi,
You have one of the SDBot/IRC variant there.
The log is so hard to read, for future reference only post the link to the uploaded log here please.
I suggest uninstalling "My Web Search Bar" from add/remove programs.

1.  Please run Hijackthis and put a check next to these entries, while all browsers and other windows are closed click "Fix Checked":
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - (no file)    
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)    
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S    
O4 - HKCU\..\Run: [System Support] system32.exe    

And if you or another admin didn't set these restrictions, fix these also:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1  
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFW BInitialSetup1.0.0.15.cab    
     

2.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
- In Safe Mode, right click the SDFix.zip folder and choose "Extract All".
- Open the extracted folder and double click "RunThis.bat" to start the script.
- Type "Y" to begin the script.
- It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
- Press any key and it will restart the PC.
- Your system will take longer than normal to restart as the fixtool will be running and removing files.
- When the desktop loads the fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


If problem persists:
Download and install Superantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Load Superantispyware and click the "check for updates" button.
Once the update is finished, close SuperAntispyware again, we'll perform the scan later in safe mode

* Start Superantispyware.
Click the "Scan your computer" button.
Check "Perform Complete Scan" and then Next.
Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a text file will appear.


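As an added example (this is not code from the thread, from HijackThis, or from the hijackthis.de analyzer), a small Python triage that applies the reasoning behind the accepted answer to constructed HijackThis lines modelled on this log: orphaned "(no file)" entries, restriction policies in O6/O7, an O4 Run value that is a bare file name rather than a full path, and a constructed denylist for the My Web Search / FunWebProducts adware named above. The sample lines, the denylist and the section regexes are all assumptions made for the example.

```python
import re

# Constructed sample modelled on entries from the log in this thread (not the
# poster's complete log); the O16 URL that was wrapped in the post is joined.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKCU\..\Run: [System Support] system32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
"""

# Constructed denylist of name fragments for the adware family named in the
# thread (My Web Search / FunWebProducts). Extend it for your own triage.
UNWANTED_FRAGMENTS = ("mywebs", "funwebproducts")

# "O4 - HKCU\..\Run: [name] command" -> section "O4", body after the dash.
SECTION_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# "[value name] file.exe [args]" with no directory, drive or quotes in the
# file name: the loader resolves it by path search, so a bare name is a
# classic sign of a dropped file rather than an installed product.
BARE_EXE_RE = re.compile(r'^\[[^\]]*\]\s+"?([^\\/:"\s]+\.exe)"?(?:\s.*)?$', re.I)


def parse_line(line):
    """Return (section, body) for a HijackThis entry, or None for other text."""
    m = SECTION_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_entry(line):
    """Classify one entry as 'fix', 'review' or 'ok', with a reason."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    text = line.strip()
    if any(frag in body.lower() for frag in UNWANTED_FRAGMENTS):
        return (section, "fix", "matches a known-unwanted name fragment", text)
    if body.endswith("(no file)"):
        return (section, "fix", "orphaned entry: the referenced file is missing", text)
    if section in ("O6", "O7"):
        return (section, "fix", "restriction policy; fix unless an admin set it deliberately", text)
    if section == "O4":
        # Drop the "HKLM\..\Run:" prefix so only "[name] command" remains.
        cmd = body.split(": ", 1)[1] if ": " in body else body
        if BARE_EXE_RE.match(cmd):
            return (section, "fix", "bare executable name in a Run value (no full path)", text)
        return (section, "ok", "", text)
    if section == "O16":
        return (section, "review", "ActiveX download; confirm you know the site", text)
    return (section, "ok", "", text)


def triage(log_text):
    """Triage every entry line of a log; non-entry lines are skipped."""
    return [r for r in (triage_entry(l) for l in log_text.splitlines()) if r]


def fix_list(log_text):
    """Entry lines a helper would ask the user to tick under 'Fix checked'."""
    return [line for _, verdict, _, line in triage(log_text) if verdict == "fix"]


if __name__ == "__main__":
    for section, verdict, reason, line in triage(SAMPLE_LOG):
        print(f"{verdict:6} {section:4} {reason}\n       {line}")
```

On the sample the "fix" list reproduces the seven entries the accepted answer asked the poster to check, while the Symantec O16 control is only flagged for review.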
 

Author Comment

by:rburris2
Resolved the problem after following the instructions provided by rpggamergirl.  Thank you very much for your help.