WiredWX Hobby Weather Tools

 


Windows/system32/services.exe 1073741819
I have this bug in my laptop. Windows/system32/services.exe

Error # 1073741819 shut down in 60 sec. etc.

I have this only on main user ID and can use my other user id to connect for now. I have done a selected startup on my main ID to diagnose and run all kinds of software.

I have updated McAfee and have done a full scan.

Things I have tried:
Norton W32.Blaster.Worm Removal Tool
C Cleaner
Malwarebytes (MBAM): http://malwarebytes.org/
(this picked up some stuff but unsuccessful in fixing)
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/
McAfee Stinger
Trojan Hunter

I am running AVG now and rerunning Norton tool again

*********************************

I have a combofix log

ComboFix 09-10-25.02 - Sun Devils 10/26/2009 10:34.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.587 [GMT -4:00]
Running from: c:\documents and settings\Sun Devils\My Documents\My downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\rundll22.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 13:43 . 2009-10-26 13:43 -------- d-----w- c:\documents and settings\Sun Devils\Application Data\TrojanHunter
2009-10-26 13:43 . 2009-10-26 13:43 -------- d-----w- c:\program files\Trend Micro
2009-10-26 13:29 . 2009-10-26 13:30 -------- d-----w- c:\program files\TrojanHunter 5.2
2009-10-26 13:20 . 2009-10-26 13:20 -------- d-----w- c:\documents and settings\Sun Devils\Local Settings\Application Data\Mozilla
2009-10-25 21:52 . 2009-10-25 21:52 -------- d-----w- c:\documents and settings\MTI\Application Data\SUPERAntiSpyware.com
2009-10-25 21:11 . 2009-10-25 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-25 21:11 . 2009-10-25 21:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-25 21:11 . 2009-10-25 21:11 -------- d-----w- c:\documents and settings\Sun Devils\Application Data\SUPERAntiSpyware.com
2009-10-25 15:55 . 2009-10-25 15:55 -------- d-----w- c:\documents and settings\MTI\Application Data\Malwarebytes
2009-10-25 15:26 . 2004-08-04 10:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2009-10-25 15:26 . 2004-08-04 10:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2009-10-25 15:26 . 2004-08-04 10:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2009-10-25 15:26 . 2004-08-04 10:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2009-10-25 15:26 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2009-10-25 15:26 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2009-10-25 15:25 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2009-10-25 15:25 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2009-10-25 15:23 . 2009-10-25 15:23 -------- d-----w- c:\documents and settings\Sun Devils\Application Data\Malwarebytes
2009-10-25 15:23 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-25 15:23 . 2009-10-25 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 15:23 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-25 15:23 . 2009-10-25 15:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 05:26 . 2009-10-25 05:26 -------- d-----w- c:\program files\Macrovision Corporation
2009-10-25 05:26 . 2009-10-25 05:26 -------- d-----w- c:\documents and settings\MTI\Application Data\InstallShield
2009-10-25 05:25 . 2009-10-25 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-10-24 15:42 . 2009-10-24 15:42 -------- d-sh--w- c:\documents and settings\Sun Devils\PrivacIE
2009-10-23 08:21 . 2009-10-24 06:53 -------- d-----w- c:\documents and settings\MTI\Application Data\U3
2009-10-20 18:38 . 2009-10-21 19:09 223728 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-15 07:46 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-10-15 07:46 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-10-15 07:46 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-10-15 07:46 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-10-07 18:39 . 2009-10-07 18:39 -------- d-sh--w- c:\documents and settings\Eddie\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 05:28 . 2009-06-24 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-10-25 21:10 . 2005-09-08 00:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-25 05:31 . 2005-10-13 15:13 -------- d-----w- c:\program files\Google
2009-10-22 06:27 . 2007-04-19 14:02 -------- d-----w- c:\program files\McAfee
2009-09-18 07:30 . 2009-05-12 06:22 73376 ----a-w- c:\documents and settings\MTI\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 14:22 . 2007-04-19 14:04 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-04-19 14:04 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-04-19 14:04 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-04-19 14:04 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-04-19 14:04 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 14:41 . 2008-10-06 20:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-10 17:51 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2004-08-10 17:51 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-10 17:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-17 98304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 198184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]
"THGuard"="c:\program files\TrojanHunter 5.2\THGuard.exe" [2009-10-12 1063072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-17 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2009-6-17 315392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/6/2008 1:50 PM 210216]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [4/22/2009 9:50 AM 202280]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 12:25 AM 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 12:24 AM 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 12:24 AM 170480]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [9/9/2005 12:45 PM 8960]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 12:25 AM 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [8/14/2008 12:23 AM 1124848]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3806094889-1438186864-4107439402-1007Core.job
- c:\documents and settings\MTI\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 07:31]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3806094889-1438186864-4107439402-1007UA.job
- c:\documents and settings\MTI\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 07:31]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-10 00:12]

2007-04-19 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-19 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sundevilscorps.org/
FF - ProfilePath - c:\documents and settings\Sun Devils\Application Data\Mozilla\Firefox\Profiles\di98er0p.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 10:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-10-26 10:46
ComboFix-quarantined-files.txt 2009-10-26 14:46

Pre-Run: 54,755,680,256 bytes free
Post-Run: 55,050,305,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 411EF3F5E190F9A8066688737EDA0DE9

Re: Windows/system32/services.exe 1073741819
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?

wow
Belahzur wrote:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?


wow, it's fixed. Right On!
