1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Help me please - no run or shutdown menu in cpanel

Discussion in 'Windows - Virus and spyware problems' started by deadone36, May 23, 2007.

  1. deadone36

    deadone36 Member

    Joined:
    May 16, 2007
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    16
    hi all, i dont seem to have the run command or the shutdown command in my start menu. i have tried everywere to resolve this problem but to no avail.. i also had the task manger disable but i got that back and working again.. when i try and use notepad to add anything to the regisry i get registry editing has been disabled by your administrator. i have full admin rights on my pc so i have no idea why this has haooened.. i have done a full system scan with norton with full updates, found nothing. also scanned with adaware , s+s , ccleaner but all was good. please please help me.. i have added my hijack this log file for your reference.. a big thanx in advance for helping me out :)


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 17:27:51, on 23/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\CTsvcCDA.exe
    c:\Windows\system32\Dap\mssvchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\net1.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\hijackthis\HiJackThis_v2.0.0.0.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 155.53.1.28:80
    O1 - Hosts: ‰?Bc-³c÷1‚çÅD ¦vgI³
    O1 - Hosts: ¶4D¡)!�­?˜ž&úD�.³·–l
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKCU\..\Run: [IncrediMail] -C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/70efdf/games/files/606/popcaploader_v6.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - -"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (file missing)
    O23 - Service: iPod Service (iPodService) - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe" (file missing)
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - -"C:\Program Files\Norton Internet Security\isPwdSvc.exe" (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Office Source Engine (ose) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: FireDaemon Service: Secure (Secure) - Unknown owner - c:\Windows\system32\Dap\\mssvchost.exe
    O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:\Windows\system32\Dap\\mssvchost.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
    O23 - Service: FireDaemon Service: WindowsUpdate (WindowsUpdate) - Unknown owner - c:\Windows\system32\Dap\\mssvchost.exe

    --
    End of file - 8477 bytes
     
  2. bluecoal

    bluecoal Guest

    Here is a little program you can run and sometimes clear restrictions:

    http://camtech2000.net/Pages/Restrictions.htm

    These three lines in your log are going to be blocking access to stuff, the last one is what is blocking your registry access.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    As an alternative to the program above, you can fix those lines in hjt.

    You can read about the O6 and O7 lines in this tutorial:
    http://www.bleepingcomputer.com/tutorials/tutorial42.html#O7Diag

    These two lines are indicative of a problem
    O1 - Hosts: ‰?Bc-³c÷1‚çÅD ¦vgI³
    O1 - Hosts: ¶4D¡)!�­?˜ž&úD�.³·–l
    It's not something I'm familiar with so I don't know how serious it is. One of your fix steps is likely going to involve removing or replacing the hosts file.

    Some hosts file info here:
    http://www.mvps.org/winhelp2002/hosts.htm

    The upper left corner of this link shows an online scan:
    http://www.ewido.net/en/

    You could run that as a first step in cleaning your system.
     
  3. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Bluecoal... there's more than that.

    Part of the fix requires you to reboot into Safe Mode. As you will be unable to access the Internet, it is imperative that you print out or copy these instructions to a Notepad document for reference during the fix.

    First, read this. Memorize the instructions for the F8 method of booting into Safe Mode, as you will need to.

    Trend Micro's HijackThis is a beta, and could be unreliable. Please download the current version of HijackThis. Extract it to its own folder - NOT THE DESKTOP! This is important. A good place to unzip it to would be C:\HijackThis.

    Go to Start > Run and type in appwiz.cpl. Remove Trend Micro's HijackThis beta.

    Now, open HijackThis v.1.99.1 (it functions exactly like the other one) and place check marks beside what he told you to, but check the following as well:

    O1 - Hosts: ‰?Bc-³c÷1‚çÅD ¦vgI³
    O1 - Hosts: ¶4D¡)!�­?˜ž&úD�.³·–l
    O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
    O23 - Service: FireDaemon Service: Secure (Secure) - Unknown owner - c:Windowssystem32Dap\mssvchost.exe
    O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:Windowssystem32Dap\mssvchost.exe
    O23 - Service: FireDaemon Service: WindowsUpdate (WindowsUpdate) - Unknown owner - c:Windowssystem32Dap\mssvchost.exe


    HijackThis will ask you to restart your computer. It will do so, and using the F8 method, make it boot into Safe Mode.

    Once in Safe Mode, log in as usual. Open the Control Panel, and click Folder Options. Under the "View" tab, enable the viewing of hidden files.

    Close Folder Options and the Control Panel. Open My Computer, and open C:\WINDOWS\System32. In System32, look for a folder called Dap. Delete that folder. Go to the Desktop, and right-click on the Recycle Bin. Select "Empty Recycle Bin".

    Reboot your computer into Normal Mode and post a fresh HijackThis log.
     
  4. bluecoal

    bluecoal Guest

    Hi Fredil,

    I knew there was more than the O6 and 7 lines. Like I said I wasn't familiar with that issue. I was going to do some looking on it and I was considering asking you to take a look at the thread.

    Thanks for stopping by.
    bc
     
    Last edited by a moderator: May 23, 2007
  5. deadone36

    deadone36 Member

    Joined:
    May 16, 2007
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    16
    thanx for both of ya for helping me out on this. i appreciate your time and efforts, anyway i have done both as asked, i also did notice tho even in safe mode i still have no shutdown or run options. anyway did what was posted above and here is the updated log file from hijackthis . i did notice when i looked at this version it looks even worse than the last log but i aint got a clue what i am looking for anyway




    Logfile of HijackThis v1.99.1
    Scan saved at 15:23:35, on 24/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 155.53.1.28:80
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKCU\..\Run: [IncrediMail] -C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/70efdf/games/files/606/popcaploader_v6.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - -"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: iPod Service (iPodService) - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - -"C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Office Source Engine (ose) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: FireDaemon Service: Secure (Secure) - Unknown owner - c:\Windows\system32\Dap\\mssvchost.exe (file missing)
    O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - c:\Windows\system32\Dap\\mssvchost.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
    O23 - Service: FireDaemon Service: WindowsUpdate (WindowsUpdate) - Unknown owner - c:\Windows\system32\Dap\\mssvchost.exe (file missing)


     
  6. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Odd... you don't even have those options in Safe Mode? That's incredibly strange.

    See if this works for you. I'm not sure if it will, since you removed the entries in HijackThis, but worth a try.

    Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
    Scroll down and find the below services:

    FireDaemon Service: Secure (Secure)

    When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

    Repeat the above steps for the next two items:

    FireDaemon Service: smss (smss)
    FireDaemon Service: WindowsUpdate (WindowsUpdate)

    Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

    Secure

    Repeat the above steps with the following two items:

    smss
    WindowsUpdate

    Click OK.

    It should pull up information about the service, then ask if you want to reboot. Click YES.

    Next, try this. It could be some registry function added by an odd virus:

    Open My Computer > C: > WINDOWS > regedit.exe. Go to the HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer subkey (browse in the right panel, when you are at Explorer, click on the folder and entries should appear in the right). Look for an entry named "NoClose". If it is there, and tye value is set to 1 (the Data column should list the value in brackets), then right-click it and select "Modify". Change the value to 0. Then, look for a string called NoRun Delete that or set the value to 1. Then, close the registry editor.

    Finally, go to http://www.virustotal.com and look at the top of the screen, where there's a box with a button called "Browse" next to it. Ignore the big button; we will not be using that. Paste this line into that text box:

    C:\WINDOWS\system32\net.exe

    Hit "Scan", "Submit", or something like that. When the scan is done, note any programs that have detected something wrong with that file. Press "Back" and do another scan with

    C:\WINDOWS\system32\net1.exe

    In your next reply:
    *A fresh HijackThis log in Normal Mode
    *A HijackThis log from Safe Mode (may narrow down what's disabling Run and Shutdown)
    *What you got from VirusTotal
     
  7. deadone36

    deadone36 Member

    Joined:
    May 16, 2007
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    16
    im glad you are trying to help my problem out m8, its appreciated, your last post stated Go to Start > Run and type "Services.msc" (without quotes) then hit Ok . i have not got the run command in my start menu so is there another way of me doing this..

    again thanx and look forward to your reply
     
  8. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Services.msc is in the following path:

    C:\WINDOWS\System32\services.msc

    Open up My Computer. In the URL bar above it that says "My Computer" (it is where the url would go if you were in Internet Explorer), paste C:\WINDOWS\System32\services.msc

    Follow the steps in my previous post.

    Hope to hear from you soon :)
     
  9. deadone36

    deadone36 Member

    Joined:
    May 16, 2007
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    16
    wow, very quick reply, im a noob at all this but as far as the services.msc is concerned, i could not see it in the windows / system32 folder.. what i can tell you is that if i create a new user in my account manager then all seems to be fine.. is that a possibility as i am planning a complete reformat of my hardrive as soon as i have copied my documents and music files.. would i be able to add the programs i have installed and everything i have from my documents folder onto the new user, then copy likei said then start again.. just informing you about this now instead of us getting it sorted then me reformatting anyway..
    again thanx

    mick
     
  10. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    Well, if it's what you want, then I'm behind you.

    Good luck.

    Be SURE to do a complete format of all your partitions in order to completely get rid of the bug - I forgot to once, and the virus came back.

    Am I sure I'm only thirteen? God...
     
  11. deadone36

    deadone36 Member

    Joined:
    May 16, 2007
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    16
    again Fredil and bluecoal, big thanx for your support, it was appreciated.. if i ever need any help in the future then this site is def bookmarked.. you guys do a great job helping needy members out :)
     
  12. Fredil

    Fredil Regular member

    Joined:
    Jul 19, 2006
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    26
    No problem at all :D
     

Share This Page