Lost RUN cmd, Task Mgr and Home page option
#1 (permalink) |
|
Fixed Error!
Posts: 4,202
Join Date: Mar 2007
Rep Power: 6
IM:
|
HijackThis log file analysis

HijackThis is a program used by experienced users in order to detect browser hijackers. It allows you to identify any sort of spyware and malware (as well as some trojan horses and worms). This is achieved by scanning special zones of the registry as well as the hard disk drive, the results being listed in a structured window. Another feature of HijackThis is the creation of a log file, which can be saved as a simple text file and opened by any text editor (notepad as default).

Until now, inexperienced users, who could not analyze the log file by themselves, had no other choice than posting it in a specialized forum and to hope that a more experienced user takes some time to analyze it. The script presented on this page is a way to analyze your log without help from the outside: simply copy/paste the content of the log file in the textbox below and hit the analyze button.

HijackThis is free and does not need to be installed. It can be downloaded here: Due to a few misunderstandings, I just want to make it clear that this site provides only an online analysis, and not HijackThis the program.

Analysis 1 29.11.2006, 00:02:50

We didn't detect any active process of a firewall on your system. Reasons maybe: (1.)
You are using the windows firewall or a hardware firewall. (2.) You are using a firewall of an unknown vendor. (3.) You are using a firewall, but for unknown reasons it is disabled (4.) You don't use any firewall at all. We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum. Entry Kind (Safe, Nasty, Unknown) Description Tip Logfile of HijackThis v1.99.1 Safe. Shows the version of HijackThis an. The newest version is: v1.99.1! This should be the newest version. (v1.99.1) Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Safe. Shows the version of your Internet Explorer. Newest Version is: 6.00.2900.2180! This should be the newest version. (6.00.2900.2180) C:\WINDOWS\System32\smss.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\system32\winlogon.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\system32\services.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\system32\lsass.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\system32\svchost.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\System32\svchost.exe Safe. This entry was classified from our visitors as good. 
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe Unknown running process. (ccSvcHst.exe) This is a unknown process. C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe Unknown running process. (AppSvc32.exe) This is a unknown process. C:\WINDOWS\system32\spoolsv.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\Explorer.EXE Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\System32\svchost.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\system32\svchost.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\WINDOWS\system32\hkcmd.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe Safe. running process. (DirectCD.exe) Roxio WinOnCd C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 8.exe Safe. running process. (hpztsb08.exe) Part of Hewlett Packard C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe Safe. running process. 
(HPWuSchd.exe) Hewlett Packard Software Update C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe Safe. running process. (hpotdd01.exe) Part of Hewlett Packard C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE Safe. running process. (LVCOMS.EXE) Possibly nasty! According to our database this process runs normally in c:\programme\common files\logitech\qcdriver3\! Check if you know this process and arrange a viruscheck where required. C:\WINDOWS\system32\ezSP_Px.exe Safe. running process. (ezSP_Px.exe) Easy Systems Drag´n Drop CD & DVD C:\Program Files\iTunes\iTunesHelper.exe Safe. running process. (iTunesHelper.exe) Apple iTunes Not dangerous, but unnecessary. C:\Program Files\QuickTime\qttask.exe Safe. running process. (qttask.exe) Part of QuickTime C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe Safe. running process. (jusched.exe) Java Runtime C:\Program Files\Common Files\Symantec Shared\ccApp.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\Program Files\Messenger\msmsgs.exe Safe. running process. (msmsgs.exe) MSN Messenger C:\Program Files\Southwest Airlines\Ding\Ding.exe Unknown running process. (Ding.exe) This is a unknown process. C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe Safe. running process. (ymsgr_tray.exe) Yahoo! Messenger C:\Program Files\iPod\bin\iPodService.exe Safe. running process. (iPodService.exe) C:\WINDOWS\System32\svchost.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. C:\Program Files\Internet Explorer\IEXPLORE.EXE Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. 
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\Go ogleToolbarNotifier.exe Safe. running process. (GoogleToolbarNotifier.exe) Associated with GoogleToolbarNotifier from Google Inc. C:\Program Files\HijackThis 1.99.1\HijackThis.exe Safe. running process. (HijackThis.exe) Tool, mit dem sie dieses Logfile erzeugt haben. Das Programm sollte so angelegt sein ! C:\Programme\HijackThis\HijackThis.exe Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups! R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Symantec Security Response - Home Page Reset Safe. This page has been identified as safe. R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = Safe. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = Safe. O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll Safe. Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 100,00% O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll Safe. Entries found in this registry zone are potentially nasty. This application ([1E8A6170-7264-4D0F-BEAE-D42A53123C75] - Result: 1E8A6170-7264-4D0F-BEAE-D42A53123C75) has been checked. Hit rate: 100,00% O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll Safe. Entries found in this registry zone are potentially nasty. This application ([761497BB-D6F0-462C-B6EB-D4DAF1D92D43] - Result: 761497BB-D6F0-462C-B6EB-D4DAF1D92D43) has been checked. Hit rate: 100,00% O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - (no file) Unnecessarily Entries found in this registry zone are potentially nasty. 
This application ([A084A565-B09B-4e4c-A497-7CC50AEAB2A7] - Result: A084A565-B09B-4E4C-A497-7CC50AEAB2A7) has been checked. Hit rate: 94,44% Must be fixed! Unnecessary (deactivated) entry that can be fixed. O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll Safe. Entries found in this registry zone are potentially nasty. This application ([AA58ED58-01DD-4d91-8333-CF10577473F7] - Result: AA58ED58-01DD-4d91-8333-CF10577473F7) has been checked. Hit rate: 100,00% O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll Safe. Entries found in this registry zone are potentially nasty. This application ([BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0] - Result: BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0) has been checked. Hit rate: 100,00% O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) Unnecessarily Entries found in this registry zone are potentially nasty. This application ([0BF43445-2F28-4351-9252-17FE6E806AA0] - Result: 0BF43445-2F28-4351-9252-17FE6E806AA0) has been checked. Hit rate: 100,00% Unnecessary (deactivated) entry that can be fixed. O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll Safe. Entries found in this registry zone are potentially nasty. This application ([2318C2B1-4965-11d4-9B18-009027A5CD4F] - Result: 2318C2B1-4965-11D4-9B18-009027A5CD4F) has been checked. Hit rate: 97,22% O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll Safe. Entries found in this registry zone are potentially nasty. This application ([90222687-F593-4738-B738-FBEE9C7B26DF] - Result: 90222687-F593-4738-B738-FBEE9C7B26DF) has been checked. Hit rate: 100,00% O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe Safe. 
Application that implements the Intel Hotkey command. Hit rate: 100,00 % (result) O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" Safe. WinOnCD 5 Hit rate: 100,00 % (result) O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 8.exe Safe. Part of Hewlett-Packard Deskjet Hit rate: 100,00 % (result) O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe Safe. Hewlett-Packard Softwre Update Hit rate: 100,00 % (result) O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe Safe. Detection of new imaging, printing and other peripherals on HP machines such as USB printers, cameras and Bluetooth products Hit rate: 100,00 % (result) O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE Safe. Lvcomm server. Related to Logitech Quick Cam - works fine without it but it is needed for the Logitech ImageStudio software to connect to the camera Hit rate: 30,00 % (result) O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe Safe. Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie, i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel Hit rate: 87,50 % (result) Not dangerous, but unnecessary. O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe Safe. Part of Tmpgenc Hit rate: 100,00 % (result) O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" Safe. Hit rate: 100,00 % (result) Not dangerous, but unnecessary. O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime Safe. QuickTime Hit rate: 100,00 % (result) Not dangerous, but unnecessary. O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" Safe. 
Java von Sun Hit rate: 100,00 % (result) O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S Unknown Hit rate: 0,00 % (result) Unknown application. O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" Safe. Part of Norton AntiVirus 2003. Auto-protect and E-mail check will not function without this Hit rate: 100,00 % (result) O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" Unknown Hit rate: 0,00 % (result) Unknown application. O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot Unknown Hit rate: 0,00 % (result) Unknown application. O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet Safe. Yahoo! Messenger allows you to send instant messages. Available via Start -> Programs Hit rate: 100,00 % (result) O4 - HKCU\..\Run: [System Support] system32.exe Nasty Added as a result of the LOGPOLE.C VIRUS! Hit rate: 67,26 % (result) Must be fixed! O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\Go ogleToolbarNotifier.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe Unknown Hit rate: 0,00 % (result) Unknown application. O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. 
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 Nasty Such entries should be fixed as a general rule. To be fixed immediately! O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZRxdm103KOUS Nasty The entry &Search has been identified as nasty. O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 Safe. The entry E&xport to Microsoft Excel has been identified as safe. If the entry 'E&xport to Microsoft Excel ' is not needed anymore, it should be fixed. O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm Possibly nasty Entries shown in the menu that pops up when right-clicking into the Internet Explorer. Unknown entries should be fixed. To be fixed if the entry 'Open Picture in &Microsoft PhotoDraw ' is unknown. O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll Safe. The entry has been identified as safe. If the entry '' is not needed anymore, it should be fixed. O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll Safe. The entry Sun Java Console has been identified as safe. If the entry 'Sun Java Console ' is not needed anymore, it should be fixed. O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll Safe. The entry Yahoo! Login has been identified as safe. If the entry 'Yahoo! Login ' is not needed anymore, it should be fixed. O9 - Extra 'Tools' menuitem: Yahoo! 
Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\System32\shdocvw.dll Safe. The entry Yahoo! Login has been identified as safe. If the entry 'Yahoo! Login ' is not needed anymore, it should be fixed. O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe Safe. The entry AIM has been identified as safe. If the entry 'AIM ' is not needed anymore, it should be fixed. O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll Safe. The entry Real.com has been identified as safe. If the entry 'Real.com ' is not needed anymore, it should be fixed. O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe Safe. The entry Yahoo! Messenger has been identified as safe. If the entry 'Yahoo! Messenger ' is not needed anymore, it should be fixed. O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe Safe. The entry Yahoo! Messenger has been identified as safe. If the entry 'Yahoo! Messenger ' is not needed anymore, it should be fixed. O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe Safe. The entry Messenger has been identified as safe. If the entry 'Messenger ' is not needed anymore, it should be fixed. O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe Safe. The entry Windows Messenger has been identified as safe. If the entry 'Windows Messenger ' is not needed anymore, it should be fixed. O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...ScreenSaversFW BInitialSetup1.0.0.15.cab Nasty This entry is possibly nasty. Should be fixed. O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab Safe. 
This entry has been identified as safe. O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.co...s/MsnPUpld.cab Safe. This entry has been identified as safe. O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not. O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab Safe. This entry has been identified as safe. O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab Safe. This entry has been identified as safe. O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - https://music.msn.com/client/msnmusax2622.cab Safe. This entry has been identified as safe. O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service (Ati2evxx.exe) was identified as a good one. 
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (ccSvcHst.exe) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (ccSvcHst.exe) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (ccSvcHst.exe) O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (comHost.exe) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. 
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe Safe. This entry was classified from our visitors as good. Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way. O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (isPwdSvc.exe) O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service (LUCOMS~1.EXE) was identified as a good one. O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service (PACSPTISVR.exe) was identified as a good one. O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service (SPTISRV.exe) was identified as a good one. O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. This service (symlcsvc.exe) was identified as a good one. 
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe Unknown These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it. Unknown service. (AppSvc32.exe)
#2 (permalink) |
|
Fixed Error!
Posts: 4,202
Join Date: Mar 2007
Rep Power: 6
IM:
|
The log is so hard to read, for future reference only post the link to the uploaded log here please.

I suggest uninstalling "My Web Search Bar" from add/remove programs.

1. Please run Hijackthis and put a check next to these entries, while all browsers and other windows are closed click "Fix Checked":

O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKCU\..\Run: [System Support] system32.exe

And if you or another admin didn't set these restrictions, fix these also:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...ScreenSaversFW BInitialSetup1.0.0.15.cab

2. Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/R...ools/SDFix.zip

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, right click the SDFix.zip folder and choose "Extract All",
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back

If problem persists:

Download and install Superantispyware: SUPERAntiSpyware.com - Downloading File

Load Superantispyware and click the "check for updates" button. Once the update is finished, close SuperAntispyware again, we'll perform the scan later in safe mode

* Start Superantispyware. Click the "scan your computer" button. Check "Perform Complete Scan" and then next. Superantispyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and press next. Click finish and you will be taken back to the main interface. Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a text file will appear.
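Added example, not part of the original posts and not code from HijackThis: a small Python triage pass over a raw HijackThis log that flags the same kinds of entries the reply above singles out (add-ons marked "(no file)", autostart entries without a full path or routed through rundll32, and O6/O7 policy restrictions). The function names and reason strings are assumptions made for this sketch; the sample lines are copied from the log in this thread.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKCU\..\Run: [System Support] system32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKCU\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry autostart entries: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    code: str    # HijackThis section code (O2, O4, ...)
    reason: str  # why the entry deserves a manual look
    line: str    # the original log line


def launch_target(cmd: str) -> str:
    """Return the program part of a command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def check(code: str, body: str):
    """Return a reason string when an entry needs review, else None."""
    if code in ("O2", "O3") and body.endswith("(no file)"):
        return "add-on still registered but its file is missing"
    if code == "O4":
        m = RUN_RE.match(body)
        if m:
            target = launch_target(m["cmd"])
            if target and not any(c in target for c in "\\/:"):
                stem = target.lower()
                if stem.endswith(".exe"):
                    stem = stem[:-4]
                if stem == "rundll32":
                    return "autostart loads a DLL through rundll32; review the DLL"
                return "autostart names a program without a full path"
    if code in ("O6", "O7"):
        return "policy restriction; confirm an administrator set it"
    return None


def triage(log_text: str):
    """Scan a HijackThis log and collect entries worth a manual review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        reason = check(m["code"], m["body"])
        if reason:
            findings.append(Finding(m["code"], reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

A flagged line is a prompt for review, not a verdict: whether an O6/O7 restriction or a rundll32 autostart is legitimate depends on who configured the machine.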