
Need help with Hijack log Mssvc error

Discussion in 'Virus & Other Malware Removal' started by unctarheels1, Sep 17, 2003.

  1. unctarheels1

    unctarheels1 Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    14
    Every time I start my computer I get a memory error for MSSvc.exe. Also noted that I do not have control over certain functions. Like I went to Device Manager and it said I did not have access. Thanks in advance for the help.

    Logfile of HijackThis v1.97.2
    Scan saved at 11:07:15 PM, on 9/17/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\ltmsg.exe
    C:\WINDOWS\MMKeybd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Cadence\license_manager\lmgrd.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Cadence\license_manager\cdslmd.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\John and Angie\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\2.bin\IWONBAR.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\2.bin\IWONBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SysDbg] c:\windows\system32\sysdbg.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {00053077-755D-4DEB-8CC8-1E687FD17D61} (Checkers Control) - http://mirror.worldwinner.com//games/v40/checkers/checkers.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://download.nocreditcard.com/download/Object/ieaccess2DbNb.cab
    O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqvalet.com/plugin/axversion/1000/printQuick.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37372.7922106481
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v43/h2hpool/h2hpool.cab
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Read this about your mssvc.exe error:
    http://www.computing.net/windowsxp/wwwboard/forum/76004.html

    Run HijackThis again and put a checkmark against these entries. Double check in case you miss anything, then close all browser and Outlook windows and "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
    O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\2.bin\IWONBAR.DLL
    O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\Program Files\iWon\iWonBar\2.bin\IWONBAR.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [SysDbg] c:\windows\system32\sysdbg.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://download.nocreditcard.com/do...access2DbNb.cab
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
     
  3. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Not sure what this file is:
    O4 - HKLM\..\Run: [SysDbg] c:\windows\system32\sysdbg.exe

    Right-click on sysdbg.exe, then go to Properties and the Version tab and check the description and also the company name.

    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hawk, I'm guessing it's System Debug, although I can't find anything either.
    (y)
     
  5. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Yep, that's what the name would imply, but you know how sneaky these malware writers are. Nice legit-sounding names hiding a load of crap inside.
     
  6. TCEDMON

    TCEDMON

    Joined:
    Sep 14, 2003
    Messages:
    11
    I'm having the same problem.

    I'm getting several different guesses, but no solutions.

    I've been told it is something from a program called stealthdisk, which I never installed, to a back door virus, to a missing file.

    I'm really confused now.

    Hope you have better luck than I have with it; I will be watching your thread for a solution.

    From: Rollin' Rog
    From what I've seen of this problem in the past you are lucky it isn't much worse. Fortunately there is nothing in the startups relating to it, so the file must be missing. That's a good thing.

    It was configured to start as a service -- so you must go to Administrative Tools > Services and search for it there and disable it.

    If you have trouble finding it, run HijackThis, only instead of posting a Scanlog, post a startuplist instead. This is done by clicking Config > Misc Tools, put a check in "list minor sections", and then click Generate StartupList. This will show services.

    To remove the service itself from the service profile you will have to find it in the registry key under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    By the way, since this service is NOT starting, it is not the source of your resource issue. That is probably due to having too many things starting and running. Uncheck a few of them by running msconfig and clearing some checks under the Startup tab.

    From: http://www.computing.net/windowsxp/wwwboard/forum/76004.html
    Don't know if this is the case with you, but this is something I had read on another site concerning MSSvc:
    Thank you for all the help though they did not solve my problem.
    I wish to share my experience here in solving this problem.
    I got the help from a guru from another forum. I could not share his name as the thread had been removed and I had forgotten.
    I thanked him profusely in that forum anyway.
    1. When stealthdisk is installed, the following files are copied to the c:\windows\system folder:
    csguid.dll, MSSVC.EXE, Ridger.adr, sdbdc.exe
    2. When stealthdisk runs, it creates another 2 files in the same folder: izteri.fex, typerg.fre
    3. it also creates the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\T234GF
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "PF_AccessData35"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SysPool"
    The last registry entry causes MSSVC.EXE, the root of stealthdisk, to be loaded when Windows starts. It listens for the activation hotkey. MSSVC.EXE also masquerades as a Windows system program that did not show up in the Task Manager list. It showed up only when viewed with showdll 5.0, with no version number and no vendor description.
    When you tried to terminate or delete it, it complained that it is being used by windows!
    Hence, the proper way to do a clean removal when all else failed:
    1. delete these 5 files from c:\windows\system folder:
    csguid.dll, Ridger.adr, sdbdc.exe, izteri.fex, typerg.fre
    2. run regedit.exe and remove the 3 registry entries stated above.
    3. reboot your system. Now you can and must delete MSSVC.EXE from c:\windows\system folder.
    You are done!
    I did check with reinstallation and uninstalling the stealthdisk 3.6 pro successfully. This technique really works!!!
    But be forewarned. I am not sure if this method will help you recover your hidden files and folders if you have.
    If you don't have anything hidden using this program yet this is the way to go.
     
  7. unctarheels1

    unctarheels1 Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    14
    I ran HijackThis, deleted the items, then ran Search & Destroy and fixed the red items, but I still get the MSSvc.exe error on startup. Here is an updated HijackThis log after doing all this.


    Logfile of HijackThis v1.97.2
    Scan saved at 10:07:11 PM, on 9/18/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Cadence\license_manager\lmgrd.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    C:\Cadence\license_manager\cdslmd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\ltmsg.exe
    C:\WINDOWS\MMKeybd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\Documents and Settings\John and Angie\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {00053077-755D-4DEB-8CC8-1E687FD17D61} (Checkers Control) - http://mirror.worldwinner.com//games/v40/checkers/checkers.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - http://www.pqvalet.com/plugin/axversion/1000/printQuick.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37372.7922106481
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v43/h2hpool/h2hpool.cab
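The step the helpers keep asking for (run HijackThis again and see whether anything was missed) done programmatically, as an added example that is not code from this thread or from HijackThis: it parses the v1.97 log layout, diffs the before and after scans, matches a helper's fix list by CLSID or Run-value name so that a forum-shortened URL like the "do..." one above still matches, and, as an extra heuristic the thread itself does not raise, flags core Windows binaries running from anywhere other than System32 for inspection. The logs are constructed, shortened copies of the two scans posted above, and SystemRoot is assumed to be C:\WINDOWS as in those scans.

```python
import re

# Patterns for the HijackThis v1.97 log layout seen in this thread.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Core Windows binaries that belong in System32; SystemRoot assumed to be C:\WINDOWS as in these logs.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Constructed, shortened sample logs in the layout of the two scans posted above
# (the Recycler path is the one that appears in the poster's own log).
BEFORE = r"""Logfile of HijackThis v1.97.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\2.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [SysDbg] c:\windows\system32\sysdbg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://download.nocreditcard.com/download/Object/ieaccess2DbNb.cab
"""
# Second scan after "Fix checked" (process list omitted for brevity).
AFTER = r"""Logfile of HijackThis v1.97.2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://download.nocreditcard.com/download/Object/ieaccess2DbNb.cab
"""
# The helper's fix list as the forum displayed it: note the URL shortened to "do...".
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchcomplete.com/redir?lang={SUB_RFC1766}
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\Program Files\iWon\iWonBar\2.bin\IWONBAR.DLL
O4 - HKLM\..\Run: [SysDbg] c:\windows\system32\sysdbg.exe
O16 - DPF: {1D2DCA0D-B30F-40AD-9690-087105F214EC} (IEDial Class) - http://download.nocreditcard.com/do...access2DbNb.cab
"""


def parse_hjt(text):
    """Split a scan log into (running process paths, R*/O* entry lines)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False  # a blank line ends the process list
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def entry_key(line):
    """Normalise an entry so it still matches when a forum shortened its URL:
    COM objects by CLSID, Run entries by value name, R0/R1 by registry value."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    if clsid:
        return (section, clsid.group(0).upper())
    if section == "O4":  # e.g. 'HKLM\..\Run: [SysDbg] c:\windows\system32\sysdbg.exe'
        hive, _, rest = body.partition(": ")
        return (section, hive.upper(), rest.split("]", 1)[0].lstrip("[").lower())
    if section in ("R0", "R1"):
        return (section, body.split(" = ", 1)[0].lower())
    return (section, body.lower())


def diff_logs(before_text, after_text):
    """Entry lines that disappeared and entry lines that appeared between two scans."""
    before = {entry_key(e): e for e in parse_hjt(before_text)[1]}
    after = {entry_key(e): e for e in parse_hjt(after_text)[1]}
    removed = [line for key, line in before.items() if key not in after]
    added = [line for key, line in after.items() if key not in before]
    return removed, added


def still_present(fix_list_text, after_text):
    """Fix-list entries that survived the 'Fix checked' pass, i.e. were missed."""
    after_keys = {entry_key(e) for e in parse_hjt(after_text)[1]}
    return [f for f in parse_hjt(fix_list_text)[1] if entry_key(f) in after_keys]


def suspicious_processes(log_text):
    """Heuristic the thread does not make: flag core Windows binaries running
    from any directory other than System32 so they can be inspected by hand."""
    flagged = []
    for path in parse_hjt(log_text)[0]:
        directory, _, name = path.lower().rpartition("\\")
        if name in CORE_BINARIES and directory != SYSTEM32:
            flagged.append(path)
    return flagged
```

With the constructed logs, `still_present(FIX_LIST, AFTER)` reports the O16 IEDial entry as missed even though the forum truncated its URL, and `suspicious_processes(BEFORE)` returns the services.exe running from the Recycler folder.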
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The mssvc.exe problems have proved very difficult to resolve for some and have even required a reinstall in a couple of cases.

    But for starters, it is loaded as a "service" and so must be disabled under the Services Profile in Administrative Tools, and then manually removed from the Service profile in the registry.

    Let us see a Startuplist which includes services. To post this, run HijackThis, then:

    click Config > Misc Tools, put a check in "list minor sections", then click Generate Startuplist.

    Now copy/paste that here.

    By the way, since this exploits the Microsoft DCOM vulnerability I would also go here and use Steve Gibson's DCOMbobulator to fix the vulnerability issue.

    http://grc.com/dcom/

    And, perhaps to save a little time if you want to take the initiative, the file you will be looking for in the registry should be found under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    See Alan Carre's post here:

    http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&newwindow=1&th=6d53997483f70781&rnum=1
     
  9. unctarheels1

    unctarheels1 Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    14
    Hijack startup log. Thanks for helping.


    StartupList report, 9/18/2003, 11:13:20 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\John and Angie\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Cadence\license_manager\lmgrd.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    C:\Cadence\license_manager\cdslmd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\ltmsg.exe
    C:\WINDOWS\MMKeybd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\John and Angie\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    LTWinModem1 = ltmsg.exe 9
    AHQInit = C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    DellTouch = C:\WINDOWS\MMKeybd.exe
    HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    MSConfig = C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSCONFIG.EXE /auto
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Disk Defragmenter.job
    LiveUpdate - Norton AntiVirus.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Checkers Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\checkers.ocx
    CODEBASE = http://mirror.worldwinner.com//games/v40/checkers/checkers.cab

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [printQuick Browser Add In]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\PRINTQ~1.DLL
    CODEBASE = http://www.pqvalet.com/plugin/axversion/1000/printQuick.cab

    [Pool Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\pool.ocx
    CODEBASE = http://mirror.worldwinner.com/games/v44/pool/pool.cab

    [OTXMovie Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\OTXMedia.dll
    CODEBASE = http://otx.ifilm.com/OTXMedia/OTXMedia.dll

    [{4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4}]
    CODEBASE = http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab

    [DepHlp Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\dephlp.ocx
    CODEBASE = http://www.worldwinner.com/games/shared/dephlp.cab

    [AcDcToday Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX
    CODEBASE = file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx

    [Sol Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\sol.ocx
    CODEBASE = http://mirror.worldwinner.com/games/v40/sol/sol.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37372.7922106481

    [NOXLATE-BANR]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstBanr.ocx
    CODEBASE = file://C:\Program Files\AutoCAD 2002\InstBanr.ocx

    [InstaFred]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
    CODEBASE = file://C:\Program Files\AutoCAD 2002\InstFred.ocx

    [AcPreview Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
    CODEBASE = file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

    [H2hPool Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\h2hpool.ocx
    CODEBASE = http://mirror.worldwinner.com//games/v43/h2hpool/h2hpool.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7,619 bytes
    Report generated in 0.031 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You didn't check the "list minor sections" box before clicking Generate Startuplist, so the results do not show services.

    See also my edit above. You will see what you are going to be looking for in the Google groups post.

    You may need to restart in Safe Mode, log in as Administrator to run regedit and remove the entry from the Services key in the registry.
     
  11. unctarheels1

    unctarheels1 Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    14
    Here is the new hijack log file with the mirror selected. I think I know what to do, but would really like someone to confirm before I tamper with the registry.


    StartupList report, 9/21/2003, 12:06:16 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\John and Angie\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Cadence\license_manager\lmgrd.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    C:\Cadence\license_manager\cdslmd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\ltmsg.exe
    C:\WINDOWS\MMKeybd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\Program Files\DC++\DCPlusPlus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\John and Angie\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    LTWinModem1 = ltmsg.exe 9
    AHQInit = C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    DellTouch = C:\WINDOWS\MMKeybd.exe
    HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    MSConfig = C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSCONFIG.EXE /auto
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: *Registry key not found*
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Disk Defragmenter.job
    LiveUpdate - Norton AntiVirus.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Checkers Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\checkers.ocx
    CODEBASE = http://mirror.worldwinner.com//games/v40/checkers/checkers.cab

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [printQuick Browser Add In]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\PRINTQ~1.DLL
    CODEBASE = http://www.pqvalet.com/plugin/axversion/1000/printQuick.cab

    [Pool Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\pool.ocx
    CODEBASE = http://mirror.worldwinner.com/games/v44/pool/pool.cab

    [OTXMovie Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\OTXMedia.dll
    CODEBASE = http://otx.ifilm.com/OTXMedia/OTXMedia.dll

    [{4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4}]
    CODEBASE = http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab

    [DepHlp Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\dephlp.ocx
    CODEBASE = http://www.worldwinner.com/games/shared/dephlp.cab

    [AcDcToday Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX
    CODEBASE = file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx

    [Sol Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\sol.ocx
    CODEBASE = http://mirror.worldwinner.com/games/v40/sol/sol.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37372.7922106481

    [NOXLATE-BANR]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstBanr.ocx
    CODEBASE = file://C:\Program Files\AutoCAD 2002\InstBanr.ocx

    [InstaFred]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
    CODEBASE = file://C:\Program Files\AutoCAD 2002\InstFred.ocx

    [AcPreview Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
    CODEBASE = file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

    [H2hPool Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\h2hpool.ocx
    CODEBASE = http://mirror.worldwinner.com//games/v43/h2hpool/h2hpool.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cadence License Manager: C:\Cadence\license_manager\lmgrd.exe (autostart)
    Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
    Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.EXE (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    MATLAB Server: C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
    Norton Unerase Protection: "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE" (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
    ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microsoft DHCP Routing Client: C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 13,375 bytes
    Report generated in 0.641 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    First go to Administrative tools > Services, find this entry and set it to disabled. One way or another that should stop the startup error:

    Microsoft DHCP Routing Client: C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE (autostart)

    Double click the item in Services to get the properties page and set to disabled.

    Then run regedit and navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    Look for the service item in the list there and delete it.

    Also look under the other CurrentControlSet keys (there may be up to 3) and delete it wherever found. CCS 2 or 3 will usually be the "last known good configuration", and you don't want it coming back if that gets loaded.

    Reboot and empty your recycle bin; I'm not sure what, if anything, is hiding in there.

    Then post another Startuplist with minor sections and we'll see how it looks.

    Test whatever utilities or processes you were having problems with to see if those issues are resolved.
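As an added example (not part of the thread, and not code from anyone posting in it), here is a short Python triage script that applies the check Rollin' Rog is doing by eye on the StartupList report in the previous post: it flags core Windows process names that are running from anywhere other than their normal directory (the services.exe and csrss.exe copies under C:\RECYCLER) and any service whose image lives under the Recycle Bin folders (the "Microsoft DHCP Routing Client" entry pointing at MSSvc.EXE). The embedded report excerpt is constructed from lines copied out of the posted log; the table of expected directories and the list of suspicious roots are this example's assumptions, not anything StartupList itself reports.

```python
"""Flag masquerading autostarts in a StartupList / HijackThis report (added example)."""
import re

# Core Windows process names and the one directory each runs from on Windows XP
# (this example's assumption; StartupList itself does not carry this table).
SYSTEM_BINARIES = {name: r"c:\windows\system32" for name in
                   ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe")}
SYSTEM_BINARIES["explorer.exe"] = r"c:\windows"
# No legitimate service or startup binary belongs under the Recycle Bin folders.
SUSPICIOUS_ROOTS = (r"c:\recycler", r"c:\recycled")

# A quoted path, an unquoted path ending in a binary extension, or the first token.
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|sys|dll|com))(?=\s|$)|(\S+)', re.I)
SECTION_END = re.compile(r"^-{10,}$")


def extract_image(command):
    """Pull the executable path out of a service command line or process line."""
    command = re.sub(r"\s*\(autostart\)\s*$", "", command.strip())
    m = IMAGE_RE.match(command)
    return next(g for g in m.groups() if g) if m else command


def normalize(image):
    """Lower-case the path and resolve the %SystemRoot%, \\SystemRoot and \\??\\ spellings."""
    p = image.strip().strip('"').lower()
    p = re.sub(r"^\\\?\?\\", "", p)                        # \??\C:\... device-path prefix
    p = re.sub(r"^(%systemroot%|\\systemroot)", r"c:\\windows", p)
    if p.startswith("system32\\"):                          # relative driver paths
        p = "c:\\windows\\" + p
    return p


def classify_image(command):
    """Return a reason string when the image path looks like masquerading, else None."""
    path = normalize(extract_image(command))
    directory, _, name = path.rpartition("\\")
    expected = SYSTEM_BINARIES.get(name)
    if expected and directory != expected:
        return f"core system binary name outside {expected}"
    for root in SUSPICIOUS_ROOTS:
        if path.startswith(root + "\\"):
            return f"image under {root}"
    return None


def parse_report(text):
    """Yield (section, label, command) from the process list and the services list."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes"):
            section = "process"
        elif line.startswith("Enumerating Windows NT/2000/XP services"):
            section = "service"
        elif SECTION_END.match(line):
            section = None
        elif line and section == "process":
            yield section, line.rpartition("\\")[2], line
        elif line and section == "service":
            label, _, command = line.partition(": ")
            yield section, label, command


def triage(text):
    """Return [(section, label, image, reason)] for every suspicious entry."""
    hits = []
    for section, label, command in parse_report(text):
        reason = classify_image(command)
        if reason:
            hits.append((section, label, extract_image(command), reason))
    return hits


# Constructed excerpt: lines copied from the StartupList report posted above.
SAMPLE_REPORT = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\services.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\csrss.exe
--------------------------------------------------
Enumerating Windows NT/2000/XP services
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Microsoft DHCP Routing Client: C:\RECYCLER\S-1-5-21-458573308-1249257218-1260325492-1443\system32\MSSvc.EXE (autostart)
--------------------------------------------------
"""

if __name__ == "__main__":
    for section, label, image, reason in triage(SAMPLE_REPORT):
        print(f"[{section}] {label}: {image}\n    -> {reason}")
```

Run as-is it reports the three entries above; for a real case, pass the whole saved StartupList text to triage(). The image path it prints for a flagged service is the string to look for under each ControlSet00N\Services key when following the registry steps in this post, since the display name shown by StartupList is not necessarily the name of the service's registry key.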
     
  13. unctarheels1

    unctarheels1 Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    14
    I have tried everything to get my Admin. privileges back. I started in safe mode, logged in as Admin., still no luck.

    Cannot even open the services under admin tools.

    Any ideas on this? I think it is looking more and more like a reformat, but would like to avoid that if possible.
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Jaken here encountered the exact same problem, and I've seen it also in Google > Groups threads.

    He and at least one other were able to restore privileges by doing a "repair" reinstall, which is different from a full format.

    http://forums.techguy.org/showthread.php?s=&threadid=157903&highlight=mssvc.exe

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q315341&

    See also the "How to Repair Install" (also called "In place reinstall") instructions on this link, which include screen shots...

    http://www.webtree.ca/windowsxp/repair_xp.htm#How to Repair Windows XP by Installing Over top of Existing Setup:

    Be advised you will have to reinstall Security updates after doing this.

    I would have the very latest saved in My Documents and ready to go before doing a reinstall.

    http://www.microsoft.com/downloads/...AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=en
     
Short URL to this thread: https://techguy.org/165572

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice