Services won't start - nothing responds

Alberto

Windows XP Home SP2 - I tried to solve an issue with Cryptographic services
not being able to start by using KB Article 931852, and after deleting
Catroot2 and renaming many of the DLL's and then renaming the Software
Distribution folder I couldn't get any of the services to start, and of
course now have no internet connection.
I am using another computer in the home to try to solve this issue.
I tried to find a restore point, but Msconfig won't let me find one. It
tells me to restart the computer and launch System Restore again. That does
nothing.
I tried changing the names back and then registering the DLL's but still no
luck. I've tried safe mode, safe mode w/networking, LKGF but I can't get it to
work.
I've done all this after 2 days of antivirus, antispyware cleanup. The last
step was going to be Hijack This, but I thought I would try to fix the
Cryptographic service one last time.
Help Please!
 
Gerry

Alberto

What do you have by way of a Windows XP CD? Does it contain the SP2
update?

What is your computer make and model?


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Alberto

Gerry,

I have an eMachines T3504 which started with SP1 I believe and was updated
to SP2 through a download. I do not have a CD that came with this computer,
only the restore disk. I am trying to avoid doing a Restore - I did it once
and a few minor things got changed and I don't have all the original program
CD's for a number of applications.

I do have an XP CD from an older computer, but I am pretty sure it is also
SP1.

What were you thinking?
 
Gerry

Alberto

I had System File Checker in mind but given the lack of a CD that is not
practical.

What errors appear in Event Viewer?

Please post copies of all Error and Warning Reports appearing in the
System and Application logs in Event Viewer relating to the last boot in
normal mode. No Information Reports or Duplicates please. Indicate
which also appear in a previous boot.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears is a
button resembling two pages. Click the button and close Event
Viewer. Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.

Are there any yellow question marks in Device Manager? Right click on
the My Computer icon on your Desktop and select Properties,
Hardware, Device Manager. If yes, what is the Device Error code?


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Alberto

I will copy the Event Viewer this evening, although it seemed pretty innocuous
when I last looked at it.

I cannot get the Device Manager to function at this time. I will try it
again tonight.

Thanks
 
Alberto

Gerry,

Device Mgr looks OK. Nothing different from a month ago. There is an Unknown
Network Adapter with the yellow exclamation, but that was there before.

I cannot print, nor connect to the internet, so I can't copy/paste the Event
Viewer; I will have to write it out here.

Under Security I have 3 events -
Failure Audit 11/2/08 Security Policy Change #615 Network Service
Same on 11/1/08
Same on 10/28/08

Under System I have many events-
Error Service Control Manager 7023 (Only 1 day is listed 11/2/08 and most of
the errors are this one).
Error PlugPlay Manager 12 (5 instances)
Error UPS 2481 (1 instance)

I cannot get any info when dbl-clicking or Rt-click and try to open Properties

Is there a way to use Recovery Console?
 
Alberto

Gerry,

Here is a HiJack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:10 PM, on 11/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Documents and Settings\Owner\My Documents\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3504
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3504
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3504
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F}
- C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO -
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program
Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common
Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite
7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite
7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe"
ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-21-1744154408-1836162969-2273777021-1003\..\Run: [PC Suite
Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray (User
'?')
O4 - HKUS\S-1-5-21-1744154408-1836162969-2273777021-1003\..\Run:
[Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe"
/NoDialog (User '?')
O4 - HKUS\S-1-5-21-1744154408-1836162969-2273777021-1003\..\Run: [MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1744154408-1836162969-2273777021-1003\..\Run:
[IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program
Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe"
ASO-616B5711-6DAE-4795-A05F-39A1E5104020 (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig -
http://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan
Agent 6.6) -
http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download
Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft -
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common
Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown
owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. -
C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Fast User Switching Compatibility
(FastUserSwitchingCompatibility) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program
Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
BackItUp\NBService.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common
Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown
owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity
Solution\ServiceLayer.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS)
(SharedAccess) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: System Restore Service (srservice) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Symantec Core LC - Unknown owner -
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Terminal Services (TermService) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown
owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Time (W32Time) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner
- C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown
owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Security Center (wscsvc) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner -
C:\WINDOWS\System32\svchost.exe
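
For readers working through a log like the one above: the forum wrapped each HijackThis entry across several lines, so the entries have to be rejoined before they can be searched. The following is an added example, not part of any post in this thread; it rejoins wrapped entries and lists those that HijackThis itself marked `(no file)` or `(file missing)`. The sample input is an excerpt copied from the log above, and the function names are this example's own.

```python
import re
from collections import Counter

# Excerpt copied from the log posted above, keeping the forum's line wrapping.
SAMPLE = r"""O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F}
- C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
BackItUp\NBService.exe (file missing)
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner -
C:\WINDOWS\system32\svchost.exe
"""

# A logical entry starts with a section code such as R1, O4 or O23.
ENTRY_START = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# Markers HijackThis appends when the referenced file is not on disk.
ORPHAN = re.compile(r"\((no file|file missing)\)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def unwrap(text):
    """Rejoin wrapped lines into (section, body) tuples.

    Lines before the first entry (header, running processes) are skipped.
    Wrapping happened at spaces, so continuations are joined with a space.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("--") or line.startswith("End of file"):
            break  # log trailer or a mail signature: stop collecting
        match = ENTRY_START.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries:
            entries[-1][1] += " " + line
    return [(section, body) for section, body in entries]


def orphaned(entries):
    """Return the entries whose target file HijackThis could not find."""
    hits = []
    for section, body in entries:
        marker = ORPHAN.search(body)
        if marker:
            clsid = CLSID.search(body)
            hits.append({
                "section": section,
                "reason": marker.group(1),
                "clsid": clsid.group(0) if clsid else None,
                "entry": body,
            })
    return hits


def section_counts(entries):
    """Count entries per section code, e.g. how many O23 services."""
    return Counter(section for section, _ in entries)


if __name__ == "__main__":
    parsed = unwrap(SAMPLE)
    print(dict(section_counts(parsed)))
    for hit in orphaned(parsed):
        print(hit["section"], hit["reason"], hit["clsid"] or "-", sep="\t")
        print("   ", hit["entry"])
```

A missing-file marker means only that a registry entry points at a file that is no longer on disk; whether the entry should be removed is a separate judgement.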
 
Kelly

Alberto you need to address the unknown network adapter, first. Go to the
website of your system manufacturer then select make, model and OS. Scroll
down to find the network drivers. If this card is an add-on either use the
cd, etc that came with it or download the drivers via the net.

--

All the Best,
Kelly (MS-MVP/DTS&XP)

Happy Birthday if today is your birthday!

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
 
Alberto

Kelly,

At this time I won't be able to do anything since the services aren't
working I can't get on the Net to update the drivers or research the Unknown.
I did try to update it a few weeks ago but failed. It seemed all else was
working at the time (although iTunes and Nokia applications were having some
issues) so I didn't pursue it.

If you know of any malware or other reason why most of my services will no
longer start, let me know.

Thanks,
Albert
 
Gerry

Alberto

I cannot help with a HijackThis log. It is a highly specialised topic
dealt with by experts in forums dedicated to dealing with them. I do
think there are signs you have a malware infestation. I spotted at least
two items recommended for removal.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~


 
Gerry

Kelly

I am not sure whether you noticed the message. In the HijackThis report
Alberto posted to me there seemed to be some evidence of malware present
on his system.

--
Regards.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Alberto

Kelly,

I'm not sure that getting the drivers for the Unknown adapter will work, but
I will try it. I assume that since the printer won't work, and trying to
"Copy" files to a backup drive doesn't work, that even if I have the drivers
I won't be able to launch the update.

I can open files, like pictures and such, and then save them individually to
a backup drive, but not as a group using Windows Explorer. Nothing happens at
all.

BTW - I have posted the HiJack log to aumha and I might try
bleepingcomputers as well.

Thanks,
Albert
 
K

Kelly

Hi Gerry,

Yes, I did scan over it. Beings the adapter is unknown - made me think that
it wasn't simply that the virus, etc disabled the adapter as I have seen
happen very often. For it to be unknown means the drivers simply aren't
installed.

If it were listed as disabled then I would have focused back again to seeing
the proxy over-ride via the HJT report and would have suggested both the LSP
and WinSockFix.

--

All the Best,
Kelly (MS-MVP/DTS&XP)

Happy Birthday if today is your birthday!

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
 
K

Kelly

Hi Albert,

That would be the first place I would begin. I also noticed that your audio
seemed compromised. On line 371 I have a reg file that restores many
services that become disabled due to malware exploits.
http://www.kellys-korner-xp.com/xp_tweaks.htm

If you are planning to visit Louisiana soon, bring your system on over. :o)
--

All the Best,
Kelly (MS-MVP/DTS&XP)

Happy Birthday if today is your birthday!

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
 
A

Alberto

Kelly,

I hope I get this fixed before I have to travel from CA to Louisiana :)

I'm glad you spotted the audio; that is actually when all of this started. I
called Emachines one night and after poking around the Tech tells me that the
on-board audio can sometimes die. I tried to install a Soundblaster card but
that failed. I realize now that it probably had to do with the Crypto service
not working so it couldn't/wouldn't load properly. It is also around the time
when the MS security updates started failing to install.
I will try to run the reg update you have tonight - is there anything else
you can think of to try regarding all the services being shut down, or do I
just wait for the results of my HiJack This log to be checked?

Thanks,
Albert
 
A

Alberto

Kelly,

I downloaded the reg file to a USB stick at work and brought it home; I
cannot copy & paste any files anymore, so I ran the EXE from the stick. I
couldn't detect any changes, or writing of entries, although I did get a
popup asking if I wanted to make a registry change. Nothing new on the audio
situation though - when opening "Sounds" from the Control Panel it still
says audio not installed (or not found) and I have no "sounds".
 
K

Kelly

LOL, I hear that ~ but if you change your mind. :o)

I spotted it because this same thing had happened to a system here for one
of my boys. The theme would change, the sound would go and many services
were disabled. So I wrote a script to change it all at once (each time the
system was woke). I forget how I finally solved this. It was with XP but
years ago.

As luck would have it, I no longer have that script; however, wrote the
smaller one for a client of mine who had similar issues - the one you used.

What you can try is a .bat file that I have stored on line 377 (right hand
side): http://www.kellys-korner-xp.com/xp_tweaks.htm

Other than that....I am still thinking. :o)

Also, beings you stated that this is how it all began, can you remember
exactly what was going on? You may trigger my thoughts.
--

All the Best,
Kelly (MS-MVP/DTS&XP)

Happy Birthday if today is your birthday!

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
 
A

Alberto

No Kelly, I don't remember exactly what was happening at the time.
My high school kids use it a lot; they use MySpace and one day we booted up
and there was no sound.
But your comment about changing themes is interesting. I had issues with
strange computer behavior last year so I did a Restore. When I tried to
re-create the 4 profiles on the computer, my son's would not remain as he
left it unless I configured his profile as an administrator. It has been
that way ever since.
I went through my HJT log today and noticed quite a few bad entries. Now I
am waiting for instructions on what to do next so I don't mess it up even
worse.
Thanks
 
