1. Welcome to Tacoma World!

    You are currently viewing as a guest! To get full-access, you need to register for a FREE account.

    As a registered member, you’ll be able to:
    • Participate in all Tacoma discussion topics
    • Communicate privately with other Tacoma owners from around the world
    • Post your own photos in our Members Gallery
    • Access all special features of the site

Computer Geeks...

Discussion in 'Technology' started by MyToyTaco, Jun 15, 2010.

  1. Jun 15, 2010 at 3:26 PM
    #1
    MyToyTaco

    MyToyTaco [OP] ╒╪╕

    Joined:
    Sep 23, 2008
    Member:
    #9417
    Messages:
    4,320
    Gender:
    Male
    First Name:
    Nick
    Port Hueneme
    Vehicle:
    08 Taco
    After hours of googling, I can't find an answer.

    One of our office computers got loaded with a bunch of malware. I managed to clean it all up, computer is running much better - I THINK I have it all removed. One last problem that I can't figure out for the life of me... One of the problems this malware caused is with services.msc. It disabled DHCP Client, Computer browser, and Themes (may be more, these are just ones that I know of for sure). They are set to automatic, but every time the computer reboots, I have to manually go into services and "start" them.


    WTF is disabling these services? Any ideas? :confused:
     
  2. Jun 16, 2010 at 10:34 AM
    #2
    zuter

    zuter Well-Known Member

    Joined:
    Jun 22, 2008
    Member:
    #7480
    Messages:
    85
    Gender:
    Male
    Calgary, AB
    Vehicle:
    09 SR5 4x4 4 cyl
    2nd filter, undercover, debaged, bug deflector, more to follow!
    What software(s) did you use to get rid of the malware?

    If you have "hijackthis" you should run it and post the log file...it'll help to determine what may still be active. If you don't have it google it and download it.
     
  3. Jun 16, 2010 at 10:36 AM
    #3
    Finks99Taco

    Finks99Taco Well-Known Member

    Joined:
    Jun 7, 2010
    Member:
    #38531
    Messages:
    1,633
    Gender:
    Male
    First Name:
    'Fink'
    Coconut Creek, Florida
    Vehicle:
    1993 pickup
    There maybe a simple little program that loads when you boot up that kicks them off. Try booting into safe mode and see if it still happens.

    Also go with the 'hijackthis' route.
     
  4. Jun 16, 2010 at 10:45 AM
    #4
    MyToyTaco

    MyToyTaco [OP] ╒╪╕

    Joined:
    Sep 23, 2008
    Member:
    #9417
    Messages:
    4,320
    Gender:
    Male
    First Name:
    Nick
    Port Hueneme
    Vehicle:
    08 Taco
    We used malwarebytes, spybot, and hijackthis. I even had McAfee remote in 3 times, each time telling me that there is no sign of infection left. This happens in safe mode too. I have since un-installed HijackThis. Let me download again and re-run. Stay tuned for log.
     
  5. Jun 16, 2010 at 11:05 AM
    #5
    MyToyTaco

    MyToyTaco [OP] ╒╪╕

    Joined:
    Sep 23, 2008
    Member:
    #9417
    Messages:
    4,320
    Gender:
    Male
    First Name:
    Nick
    Port Hueneme
    Vehicle:
    08 Taco
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:02:44 AM, on 06/16/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
    C:\Program Files\Firebird\Firebird_1_5\bin\fb_inet_server.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\My Book\WD Backup\uBBMonitor.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Java\jre6\bin\javaws.exe
    C:\Program Files\Java\jre6\bin\javaw.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Firebird\Firebird_1_5\bin\fb_inet_server.exe
    E:\WinFSC\Program\fsc.exe
    C:\Program Files\FSC\FSC Manager\ImsWin.Exe
    C:\Program Files\Firebird\Firebird_1_5\bin\fb_inet_server.exe
    C:\Program Files\Firebird\Firebird_1_5\bin\fb_inet_server.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\Managed VirusScan\VScan\ScriptSn.20100412131527.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" /LOGON
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05c\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - https://secure.financepro.net/financepro/Reports/ScriptX.cab
    O16 - DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} (RSClientPrint 2005 Class) - https://sims-portal.acmclaims.com/P...&UICulture=1033&ReportStack=1&OpType=PrintCab
    O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v2.1 [ENU]) - http://www.westernunited.com/esav/content/iejpwenu.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://stoneriverfsc.webex.com/client/wbs26-vzbprodcn/support/ieatgpc.cab
    O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
    O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fb_inet_server.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9d018f4ef9cca) (gupdate1c9d018f4ef9cca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
    O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 9290 bytes
     
  6. Jun 16, 2010 at 11:08 AM
    #6
    ::childstoy::

    ::childstoy:: Hi-Tech Rednek

    Joined:
    Sep 30, 2009
    Member:
    #23556
    Messages:
    723
    Gender:
    Male
    First Name:
    Mike
    Southeast, PA
    Vehicle:
    Black 2010 TRD Sport
    TRD Exhaust, Tint, Stubby Ant., Debadged, Weathertech Mats, Grillcraft... Currently collecting donations for a New Tires Fund.
    You might be better off just saving time and reinstalling the thing man.
     
  7. Jun 16, 2010 at 11:10 AM
    #7
    MyToyTaco

    MyToyTaco [OP] ╒╪╕

    Joined:
    Sep 23, 2008
    Member:
    #9417
    Messages:
    4,320
    Gender:
    Male
    First Name:
    Nick
    Port Hueneme
    Vehicle:
    08 Taco
    I would have backed up & bombed the HD and re-installed XP, but the boss didn't want to go that route. :rolleyes:
     
  8. Jun 16, 2010 at 11:14 AM
    #8
    T@co_Pr3runn3r

    T@co_Pr3runn3r XXXXXXXXXXXXXXXXXXX

    Joined:
    Jan 20, 2009
    Member:
    #12767
    Messages:
    11,951
    Gender:
    Male
    <----------------->
    Vehicle:
    08 RC Prerunner SR5
    Punt! Quit wasting time and just delete the partition on the hard drive, repartition the hard drive & reinstall OS AND..........don't surf without firewall/virus software/malware protection AND stay away from known trashslingin sights like social networking, file sharing sites, porn, etc etc etc....you know, all the good places, lol.
     
  9. Jun 16, 2010 at 11:52 AM
    #9
    ::childstoy::

    ::childstoy:: Hi-Tech Rednek

    Joined:
    Sep 30, 2009
    Member:
    #23556
    Messages:
    723
    Gender:
    Male
    First Name:
    Mike
    Southeast, PA
    Vehicle:
    Black 2010 TRD Sport
    TRD Exhaust, Tint, Stubby Ant., Debadged, Weathertech Mats, Grillcraft... Currently collecting donations for a New Tires Fund.
    You prolly have already tried but sometimes a quick restore to before you got infected is worth a try. Unless the virus jacked your restore points.
     
  10. Jun 16, 2010 at 11:56 AM
    #10
    Manwithoutaplan

    Manwithoutaplan the full Monty

    Joined:
    Jan 30, 2008
    Member:
    #4500
    Messages:
    49,557
    Gender:
    Male
    ID
    Vehicle:
    07 Tacoma Speedway Blue Trd 4x4
    -Nitro 4.56 gears - Arb Front and Rear lockers. -Rear Swing out bumper Curiosity of ( Dept .94) https://www.facebook.com/Dept94 -Tinted, -ProComp 6 inch lift with Icon Coil overs and Bilstein's 7100Resi -315/70/17 - 17x8 in Pro Comp Matte black rims 4.5 bs -East Coast Gear Supply Sliders -ALL Pro EXP LEaf pack -Camburg UCA's -CAB mount CHOP
    Try also scanning with Malwarebytes and ccleaner.
     
  11. Jun 16, 2010 at 11:58 AM
    #11
    thecoldone06

    thecoldone06 Well-Known Member

    Joined:
    Sep 20, 2007
    Member:
    #2750
    Messages:
    241
    Gender:
    Male
    If you go to start > control panel > administrative tools > event viewer. Click on both the system and application event logs and see if there are any errors on those services around the time you started up the computer.
     
  12. Jun 16, 2010 at 1:18 PM
    #12
    zuter

    zuter Well-Known Member

    Joined:
    Jun 22, 2008
    Member:
    #7480
    Messages:
    85
    Gender:
    Male
    Calgary, AB
    Vehicle:
    09 SR5 4x4 4 cyl
    2nd filter, undercover, debaged, bug deflector, more to follow!
    I wouldn't ditch the system just yet! The log looks like nothing serious is going on. There are other things you can try first:

    1.
    Go here and download winsockfix
    http://www.softpedia.com/progDownload/WinS...load-15337.html

    Try your internet, if it doesn't work then,

    2.
    Start/Run/cmd
    at the command prompt, type
    ipconfig /all
    (note the space is necessary)
    hit the enter key
    and copy the output into your reply so we can see what is currently going on,
    when you have finished type
    exit
    hit the enter key

    Show us what it says.
     
  13. Jun 16, 2010 at 6:23 PM
    #13
    MyToyTaco

    MyToyTaco [OP] ╒╪╕

    Joined:
    Sep 23, 2008
    Member:
    #9417
    Messages:
    4,320
    Gender:
    Male
    First Name:
    Nick
    Port Hueneme
    Vehicle:
    08 Taco
    I ended up reinstalling XP (repairing w/o full blown fresh start) keeping all existing files, programs etc. All seems to be fine now.
     
  14. Jun 16, 2010 at 6:27 PM
    #14
    jrdbrn

    jrdbrn Borne Fishing

    Joined:
    Aug 10, 2009
    Member:
    #20973
    Messages:
    1,428
    Gender:
    Male
    First Name:
    Jared
    Louisiana
    Vehicle:
    '16 Inferno Tacoma TSS
    Hijackthis is useless

    Run combofix and malwarebytes in safe mode. If it continues, reformat.
     
To Top