
TechSpot

[Referring for driver assist] System Check issue

Discussion in 'Virus and Malware Removal' started by cbusch, Jan 20, 2012.

Thread Status:
Not open for further replies.
  1. Bobbye Helper on the Fringe

    I just went back to a thread where I had someone else running OTL. He said "by the way, it took over 6 hours!" How long it takes depends on how many files/folders, etc. it has to scan. The more, the longer.

    If you see 'not responding' from the Task Manager, that is usually given when you close something and it hangs; it doesn't close. Then you usually get a small screen asking if you wanted to "End Task."

    Is that what happened? Please try it again. Make sure OTL has been closed, as it was after you ran the scan. Then double click on the icon to run again. That's when you do the copy/paste of the script in the Custom Fixes.
    -----------------------------
    You have several Trojans and other malware:
    Internet Security 2012 (Trojan.FakeAlert)
    (Trojan.Agent/Gen-FakePrivacy)
    Trojan;QHost.BG
    BEAGLE.M or BEAGLE.N WORMS!
    TDSSKiller found the ZeroAccess Rootkit

    and the main infector is Internet Security 2012, not System Check. We have not been successful in removing any significant amount of the infections. If we cannot do that, then your only choice will be to do a reformat/reinstall.
    =======================================
    Since the Virtual Memory has become a problem, please be sure that all other programs are closed when you're running the scans or the fixes. Before you try OTL again, please reboot the computer.
  2. Bobbye Helper on the Fringe

    Reopened at request of member.
  3. cbusch Newcomer, in training

    otl not working

    I tried to run OTL as instructed and made sure nothing else was running. It ran for over 24 hours with no results. I opened Task Manager again and it said program not responding. I did not try to close the program, OTL. I did a restart of the computer and tried again, same results. I copied and pasted the info into the box as instructed and when I hit Run Fix it seems to freeze up. I cannot access the internet from the computer so I have been saving the info onto a USB drive and transferring to the infected computer. Could there be something wrong with the commands that is causing this to freeze?
    I was able to remove all of the old Java stuff and remove the Norton stuff.
    What would you like me to do next?

    What antivirus and malware programs do you recommend just for future reference for myself since BullGuard and Ad-Aware didn't seem to catch all of the things on my computer?
    Thanks for the help
    Chris
  4. Bobbye Helper on the Fringe

    Please download Farbar Service Scanner
    • Check ALL boxes to include all files.
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply

    -------------------------
    Again, I need you to clarify what mode the system will run:
    1. Safe Mode?
    2. Safe Mode with Networking?
    3. Normal Mode?
    =====================================
    Please try to follow the BullGuard disable instructions I gave you.

    And let's see if the very basic will run:
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  5. cbusch Newcomer, in training

    hijack and fss logs

    1. I can boot in Safe Mode
    2. I can boot in Safe Mode with Networking but I cannot access the internet
    3. I cannot access in Normal Mode. Endless loop of restarts if I try

    Here are my logs:

    Farbar Service Scanner Version: 01-02-2012 03
    Ran by Chris (administrator) on 19-02-2012 at 07:47:45
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Nerwork
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.

    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

    bfe Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.
    Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.

    EventSystem Service is not running. Checking service configuration:
    The start type of EventSystem service is OK.
    The ImagePath of EventSystem service is OK.
    The ServiceDll of EventSystem service is OK.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys
    [2011-06-15 12:02] - [2011-04-21 07:58] - 0273408 ____A () 112B72544A3E4293E7332D123EAE305E

    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2009-07-04 14:06] - [2009-04-11 00:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll
    [2009-07-04 14:04] - [2009-04-11 00:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:58:41 AM, on 2/19/2012
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.19170)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ÿþ
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (file missing)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [isCfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe" -boot
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Report to BullGuard - {27FD17FB-CF63-486b-B2BE-8D8781CBEA01} - C:\Program Files\BullGuard Ltd\BullGuard\Antiphishing\IE\BGAntiphishingIE.dll
    O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
    O20 - AppInit_DLLs: BgGamingMonitor.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BullGuard behavioural detection service (BsBhvScan) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardBhvScanner.exe
    O23 - Service: BullGuard scanning service (BsScanner) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardScanner.exe
    O23 - Service: BullGuard update service (BsUpdate) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: COM Host (comHost) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
    O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe (file missing)
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Unknown owner - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
    O23 - Service: LiveUpdate Notice - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8891 bytes
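Added example, not part of the thread: a small Python parser that condenses a Farbar Service Scanner log like the one posted above into the three things a helper reads it for: which services are stopped, which of them have no service registry key at all, and which files the tool did not mark "MD5 is legit". The sample lines are copied from the log in this post; the regular expressions are assumptions based only on the line shapes visible here.

```python
import re

# Constructed sample: lines copied from the FSS log in the post above, trimmed.
SAMPLE_FSS_LOG = r"""
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-15 12:02] - [2011-04-21 07:58] - 0273408 ____A () 112B72544A3E4293E7332D123EAE305E

C:\Windows\system32\qmgr.dll
[2009-07-04 14:06] - [2009-04-11 00:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F
"""

# "<name> Service is not running." opens each per-service block.
SERVICE_RE = re.compile(r"^(\S+) Service is not running\.")
# Matches only the service key message, not the LEGACY_ one
# (which ends "The key does not exist.").
MISSING_KEY_RE = re.compile(
    r"Unable to open (\S+) registry key\. The service key does not exist\.")
# File Check line: a path, optionally followed by " => <verdict>".
FILE_RE = re.compile(r"^([A-Za-z]:\\.+?)(?: => (.+))?$")
# Detail line printed under a file that got no verdict:
# [date] - [date] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - \d+ \S+ \((.*?)\) ([0-9A-Fa-f]{32})$")


def summarize_fss(log_text):
    """Return stopped services, services with no registry key, and
    files that were not marked 'MD5 is legit'."""
    stopped, missing_keys, not_marked_legit = [], [], []
    pending = None  # file entry still waiting for its detail line
    for raw in log_text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        m = SERVICE_RE.match(line)
        if m:
            stopped.append(m.group(1))
            continue
        m = MISSING_KEY_RE.search(line)
        if m:
            # Start type, ImagePath and ServiceDll repeat the same message.
            if m.group(1) not in missing_keys:
                missing_keys.append(m.group(1))
            continue
        m = FILE_RE.match(line)
        if m:
            path, verdict = m.groups()
            pending = None
            if verdict != "MD5 is legit":
                pending = {"path": path, "company": None, "md5": None}
                not_marked_legit.append(pending)
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            pending["company"], pending["md5"] = m.group(1), m.group(2)
            pending = None
    return {
        "stopped_services": stopped,
        "missing_service_keys": missing_keys,
        "not_marked_legit": not_marked_legit,
    }


if __name__ == "__main__":
    report = summarize_fss(SAMPLE_FSS_LOG)
    print("Stopped:", ", ".join(report["stopped_services"]))
    print("No service key:", ", ".join(report["missing_service_keys"]))
    for f in report["not_marked_legit"]:
        print("Not marked legit:", f["path"], f["company"] or "(no company)", f["md5"])
```

Run over the full log, the "no service key" list is the one to read first: a stopped service whose configuration is "OK" can simply be started, while one whose key is gone has to be restored before it can run.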
  6. Bobbye Helper on the Fringe

    Well, sometimes it's the simple things that work best! HJT shows several Norton/Symantec processes still on the system, including several Services. So either you didn't run the Norton Removal or it didn't complete.

    Most of the Norton entries show 'file missing', but one entry does not show that and when it runs, it causes the reboot. This would only be in Normal Mode so that makes sense. So we need to remove ALL of the Norton processes including the Services: I can do that with script, but first let's just stop them and see if this is the cause. The entry below in Red is what I think is causing the reboots.
    -------------------------------
    Please reopen HijackThis to 'do system scan only.' Check each of the following if present: (you may not find all of the entries- that's okay)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (file missing)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (file missing)
    O4 - HKLM\..\Run: [isCfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: COM Host (comHost) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
    O23 - Service: LiveUpdate - Unknown owner - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (file missing)
    O23 - Service: LiveUpdate Notice - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe


    Close all Windows except HijackThis and click on "Fix Checked."
    =================================
    Since you are already in Safe Mode, go right into this:
    Click on Start> Run> type in msconfig> Enter> Selective Startup> Startup tab> Uncheck ALL Symantec processes. If you are not sure of the entry, hold left mouse button down on top frame at the dividing line between 'Command' and 'Location' and move to the right to expand the Command column.

    Close when finished.
    --------------------------------------------
    Now click on Start> Run> type in services.msc> Enter> Double click to open each of the Services below> Change Startup type to Disabled> Stop the Service
    Symantec Event Manager
    Symantec Settings Manager
    CLTNetCnService
    Symantec Core LC
    COM Host
    LiveUpdate or LuComServer_3_4
    LiveUpdate Notice or ccSvcHst.exe

    Exit Services:
    =====================================
    See if you can reboot into Normal Mode.
    NOTE- you will get a nag message when you reboot because of the msconfig removal. Ignore the message, click 'don't show this message again. Stay in Selective Startup'

    Let me know.
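Added example, not part of the thread: the leftover-vendor triage described in the post above (find the Norton/Symantec entries in a HijackThis log and separate those marked "(file missing)" from those that are not), written as a small Python script. The sample lines are copied from the HijackThis log earlier in the thread; the vendor keyword pattern, including the 8.3 short name `SYMANT~1`, is an assumption chosen for this log.

```python
import re

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [isCfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe" -boot
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

# Every HijackThis finding starts with a section code such as R0, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumed keyword list for this vendor; SYMANT~1 is the 8.3 short directory
# name that appears in some paths in this log.
VENDOR_RE = re.compile(r"symantec|norton|symant~1", re.IGNORECASE)

MISSING_MARK = "(file missing)"

# Section codes that appear in the sample, for readable output.
SECTION_NAMES = {
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart (Run key)",
    "O23": "Service",
}


def parse_hjt(log_text):
    """Return one dict per HijackThis finding line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            body = m.group("body")
            entries.append({
                "code": m.group("code"),
                "body": body,
                "file_missing": body.endswith(MISSING_MARK),
            })
    return entries


def triage_vendor(entries, vendor_re=VENDOR_RE):
    """Split the vendor's entries by whether HijackThis marked the file missing.

    Entries without the marker are the ones that can still execute at
    startup, so they are the first candidates to disable and test.
    """
    result = {"file_missing": [], "no_missing_marker": []}
    for e in entries:
        if vendor_re.search(e["body"]):
            key = "file_missing" if e["file_missing"] else "no_missing_marker"
            result[key].append(e)
    return result


if __name__ == "__main__":
    groups = triage_vendor(parse_hjt(SAMPLE_HJT_LOG))
    for label, items in groups.items():
        print(f"{label}: {len(items)}")
        for e in items:
            kind = SECTION_NAMES.get(e["code"], e["code"])
            print(f"  [{kind}] {e['body']}")
```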
  7. cbusch Newcomer, in training

    norton removal

    I tried all of the steps listed multiple times with no success. I even ran the Norton removal tool again; that did not work either. After running msconfig and services.msc and restarting the computer it did go a bit further into start up before it rebooted, but the system still will not load in normal mode.
    What would you like me to do next?
    thanks
  8. cbusch Newcomer, in training

    I forgot to add that each time I did what was instructed and then restarted everything went back to the way it was before I did the HJThis fixes and disabled everything in msconfig and services.msc
  9. Bobbye Helper on the Fringe

    Please tell me what you did before this started:
    Did it ever work in Normal Mode since we started?

    Steps on #11: Did you even try this? What happened?

    ---------------------------------
    If you did and there were no restore points, please do the following:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Last good configuration option when the Windows Advanced Options menu appears, and then press ENTER.

    Will this solve the reboot/Normal Mode problem??
    =============================
    You need to run the system through Error Checking. This may take a while if you don't do it as part of the regular maintenance;

    Using Windows Explorer:
    Right click on Start> Explore> My Computer> Right click on Local Drive (usually C)> Properties> Tools> Error Check> check both boxes on the screen that comes up> Apply> Close the message and reboot for the Error Checking to start.

    Let it complete. System will reboot when finished.
  10. cbusch Newcomer, in training

    1) Q:What was I doing before this started? "The computer will start in normal mode but will then turn off and restart. I was able to enter the system in safe mode but am lost from what to do from here."

    A:I was downloading one of the files instructed to from your post when Internet Security 2012 started to run. The system restarted and this is when it began to go into the reboot loop. I was lost then because I had never had to do anything in safe mode before

    2) Q:For some reason the internet will not work on the computer AGAIN.

    A: When I first posted the internet would not work on the computer in any mode, you had me go into, I believe, Proxy settings and change some settings and the internet began to work. Then when the computer went into the reboot loop it stopped working in all modes again, I even went into the settings again as instructed but the settings did not need to be changed like before. So I have no access to the internet on the computer

    3) Q:"I have run Rkill.com but am not sure if it worked reading the log."

    A: In the log for Rkill.com it stated at the end "Processes terminated by Rkill or while it was running:" So I wasn't sure if Rkill was terminated or another program

    4) Yes it worked in normal mode for a short period until Internet Security 2012 started to run

    5) Yes I tried the steps in #11 but the computer did not come with an installation disk so I had to do this from the system menu. I used a restore point that was from before I noticed the computer acting up but it did not stop the endless reboot loop.
    I did this again today and went back to an even earlier restore point and still have no luck getting the computer to reboot into normal mode, it continues to do an endless reboot.

    6)Q:"You need to run the system through Error Checking. This may take a while if you don't do it as part of the regular maintenance;"

    A: I tried to do this but don't think it worked because the computer went into the reboot loop. Is my thinking on this correct?

    Do I need to reinstall all of the software you have had me download since we began working on the system? I searched for them and did not find any of the actual programs, just the logs: HijackThis, rkill, farbar service scanner, mbam, etc. I used a restore point from 11 days prior to the system acting up.

    What would you like me to do next?
    thanks for all of the help
  11. Bobbye Helper on the Fringe

    The purpose of RKill is to terminate any processes that are interfering with running the programs. The processes were terminated by RKill.


    When you used the system restore point, it didn't have the programs you had downloaded. So essentially, you removed anything we had done after 11 days ago to the present. So basically, you have to start over.
    ------------------------
    Safe Mode shouldn't be 'scary.' It just makes a difference in what runs. The screen looks pale in color and slightly less than sharp; this is because some drivers don't load in Safe Mode or Safe Mode with Networking.

    FYI:
    If a symptom does not reappear when you start in Safe Mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use Safe Mode to remove the device or reverse the change.

    Using Safe Mode to determine a basic source of a problem: The choices:
    • Safe Mode: Loads the minimum set of device drivers (serial or PS/2 mouse devices, standard keyboards, hard disks, CD-ROM drives, and standard VGA devices) and system services required to start Windows XP/2000/2003 (Event Log, Plug and Play, remote procedure calls (RPCs), and Logical Disk Manager). User specific startup programs do not run. This is helpful in determining whether problems are due to specific programs.
    • Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. Helpful if needed but should be used with caution as the security programs don't load in this mode.
    • Safe Mode with Command Prompt: Starts the computer in safe mode, but displays the command prompt rather than the Windows GUI interface.
    • Last Known Good Configuration, which starts your computer using the registry information that was saved at the last shutdown.

    So by using the different options of Safe Mode, you can sometimes determine what the area of problem is- and isn't.

    For the same reasons above, we have you do some scans in Safe Mode because we need to prevent some processes from running to allow us to remove malware.
    ======================================
    Since everything we've done has been wiped out, I'd like you to try this option:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Last Known Good Configuration option when the Windows Advanced Options menu appears, and then press ENTER.

    See if this allows you to stay running and not reboot until you want it to.

    Let me know.

    If this doesn't work, I'm going to have your thread moved to a forum that can help find the drivers that are causing the problem.
  12. cbusch Newcomer, in training

    last good config point

    Thanks for the info, it was informative. I did as you wanted but am still not able to boot into normal mode.
  13. Bobbye Helper on the Fringe

    One more question:

    What happens when you boot into Normal Mode?
  14. cbusch Newcomer, in training

    The computer starts like it normally would but when it gets to the windows emblem and windows start up chime it turns off and back on, I have not been able to get past this point in normal mode.
  15. Bobbye Helper on the Fringe

    I'd like you to run the following please. Be sure that the loop is recent, even if you have to force it. Some processes don't start in Safe Mode so they aren't of any use to us. Hopefully this will show the Event Error that happens when the startup fails:

    You can also check the computer clock when the startup fails and let me know the time. This will help me with the Event Errors.

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    Select log to query, select:
    • Application
    • System

    Under Select type to list, select:
    • Critical (Vista only)
    • Error

    Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

    Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.

    (Courtesy rev-Olie)
  16. cbusch Newcomer, in training

    Vino's Event Viewer v01c run on Windows Vista in English
    Report run at 20/03/2012 5:34:01 PM

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  17. cbusch Newcomer, in training

    I ran the program and this is what I got, not sure if there should have been more or not. I checked all of the boxes as instructed. The only difference is where you said "Critical (Vista only)" I did not have that; it said "Critical (not XP)".
  18. Bobbye Helper on the Fringe

    Sorry Chris- been sick.

    In view of the fact that the system is unstable now and we cannot successfully run the scans, I'd like you to start a new thread in the Windows BSOD forum. Suggest Subject: Caught in reboot loop (or something describing the problem)

    The fact that you can run in Safe Mode but loop in Normal Mode suggests a corrupt driver. I don't do the minidumps, but someone there can have you run, then interpret which driver(s) is corrupt. If that handles the problem, send me a PM and we can check to make sure the malware is gone and Services started.

    If someone suggests posting here, tell them we've been working but can't complete; need driver help.