Thread: Laptop Crippled

    #1
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2010
    Posts
    2
    Rep Power
    0

    Services being stopped


    Got a laptop here that has been rendered useless.

    Upon starting up I open services tab in task manager and see that almost every service is stopped. Can't run any programs or connect to the internet.

    I boot the thing in safe mode and try selective startups, activating services manually etc. etc. Reverts back upon reboot. System restore doesn't work either.

    Found this place with a Google search and tried all the things in the "If you have infection issues start here first.." thread. Being able to run these only in safe mode, got limited results. The only things I was able to do were CCleaner, ATF and HijackThis. Also without internet access, I was unable to update anything.

    Here is the HJT report, seems short (because of safe mode??)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:42:30 AM, on 07/08/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18928)
    Boot mode: Safe mode

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Windows\helppane.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = )
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

    --
    End of file - 4506 bytes

    any ideas? Thanks
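
Added example, not part of the original post: a small parser for the HijackThis log format shown above that groups entries by section code and lists the items a reviewer would check first. The function names `parse_hjt` and `review_notes` and the three review rules are assumptions made here, not HijackThis features; the sample is a few lines copied from the log in the post.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Boot mode: Safe mode

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
"""

HEADER = re.compile(r"^\s*(Platform|MSIE|Boot mode):\s*(.*)$")
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")           # e.g. "O4 - ..."
RUN = re.compile(r"^\S+\\\.\.\\Run(?:Once)?: \[(.+?)\] (.*)$")  # O4 registry autostarts

def parse_hjt(text):
    """Split a HijackThis log into header fields and entries grouped by section code."""
    header, sections = {}, {}
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            header[m.group(1)] = m.group(2).strip()
        elif (m := ENTRY.match(line)):
            sections.setdefault(m.group(1), []).append(m.group(2).strip())
    return header, sections

def review_notes(header, sections):
    """Return (code, note, entry) tuples for items worth checking first (assumed rules)."""
    notes = []
    if header.get("Boot mode", "").lower().startswith("safe"):
        notes.append(("HDR", "safe-mode scan: running-process list only reflects safe mode",
                      header["Boot mode"]))
    for entry in sections.get("O2", []):
        if entry.endswith("(no file)"):
            notes.append(("O2", "BHO registered but its file is missing (orphaned entry)", entry))
    for entry in sections.get("O4", []):
        m = RUN.match(entry)
        if m and "\\" not in m.group(2) and "%" not in m.group(2):
            notes.append(("O4", "autostart without a full path: check which file loads", entry))
    return notes

if __name__ == "__main__":
    for code, note, entry in review_notes(*parse_hjt(SAMPLE_LOG)):
        print(f"[{code}] {note}\n      {entry}")
```
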
    #2
    They're coming to take me away

    Join Date
    Jan 2005
    Location
    Florida
    Posts
    5,103
    Rep Power
    5049
    Run the scan only in HijackThis and fix these items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    Then boot into normal mode again and try the internet.

    When you try to run malwarebytes, and superantispyware, what happens? Error message? Does it close automatically?...
    "I don't need to get a life. I'm a gamer. I have lots of lives!"
    #3
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2010
    Posts
    2
    Rep Power
    0
    The items you told me to fix were all URLs. I manually removed them from my post since I'm not allowed to post them.

    In normal mode malwarebytes says it's already running, there is a process in task manager to confirm that, but does nothing at all. Tried ending the process so I could try to restart it and got a hang with 100% CPU. Had to do a hard shut down. Superantispyware does nothing either, get the spinning circle mouse pointer for a few seconds and then it stops.

    I was able to download the update files from this computer and manually update malwarebytes and superantispyware using a usb drive. Again in safe mode since it won't even detect USB in normal mode.

    In normal mode literally nothing works. Almost every service is stopped so any program I try to start says dependencies needed aren't running.

    Here are my logs from malwarebytes and superantispyware. Again in safe mode......

    Malwarebytes' Anti-Malware 1.46


    Database version: 4363

    Windows 6.0.6001 Service Pack 1 (Safe Mode)
    Internet Explorer 8.0.6001.18928

    07/08/2010 1:31:46 PM
    mbam-log-2010-08-07 (13-31-46).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 234616
    Time elapsed: 52 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    SUPERAntiSpyware Scan Log


    Generated 08/07/2010 at 01:42 PM

    Application Version : 4.41.1000

    Core Rules Database Version : 5324
    Trace Rules Database Version: 3136

    Scan type : Complete Scan
    Total Scan Time : 00:41:58

    Memory items scanned : 331
    Memory threats detected : 0
    Registry items scanned : 7789
    Registry threats detected : 0
    File items scanned : 28737
    File threats detected : 17

    Adware.Tracking Cookie
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@doubleclick[1].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@msnonecare.112.2o7[2].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@2o7[2].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@ad.yieldmanager[2].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@adinterax[1].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@atdmt[1].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@bluestreak[2].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@bs.serving-sys[1].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@casalemedia[2].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@content.yieldmanager[2].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@content.yieldmanager[3].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@serving-sys[2].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@msnportal.112.2o7[1].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@msnservices.112.2o7[2].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@questionmarket[1].txt
    C:\Users\brad\AppData\Roaming\Microsoft\Windows\Cookies\Low\brad@richmedia.yahoo[1].txt
    C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@2o7[2].txt


    thanks for looking into it.
