spysheriff and commandservice



Daniel6
2006-01-19, 13:52
Hello!
After doing a scan with Spybot 1.4 (updated) I found many problems that I can't
fix:
commandservice
globalinterntbilling
internet sys inc
coolwwwsearch
coolwwwsearchwcadw
spysheriff
eAcceleration

I followed the instructions of thread 1316 and now the system is going
better, but I can't connect to the internet yet. The browser goes to an about:blank page.
I have not done an online antivirus scan. I installed Avast but it doesn't find any
virus. Norton AV found rzspy.exe, which I renamed to .txt.
Here are the HJT logs, before and after.


Logfile of HijackThis v1.99.1
Scan saved at 22.14.37, on 17/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)



Logfile of HijackThis v1.99.1
Scan saved at 22.41.01, on 18/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\ewido anti-malware\ewidoguard.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programmi\File comuni\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Kargo] browsebar.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [borlandg] ParisM.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\progra~1\accele~1\velozd~1\asiclayer.dll' missing
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.linkautomatici.com
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.xbeta69.com
O15 - Trusted Zone: www.yeak.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{238A192D-C884-4BEA-BDD3-C12E6CD79F63}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EE3C2EE-E712-44DC-8EA6-0716A0470F03}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{96A4AF10-2A6E-4210-8902-3FA9304969D7}: NameServer = 85.255.116.84,85.255.112.191
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido anti-malware\ewidoguard.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe


I stopped some programs from starting with msconfig; some of these have strange symbols in their names.



Here is the ewido report. I started the ewido scan several times, and
every time it found something (Downloader.Agent.uj).



---------------------------------------------------------
ewido anti-malware - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 23.58.40, 18/01/2006
+ Report-Checksum: B84DE3FB

+ Risultati scansione:

[588] VM_034E0000 -> Downloader.Agent.uj : Errore durante la pulizia
[612] VM_00DA0000 -> Downloader.Agent.uj : Errore durante la pulizia
[1424] VM_009E0000 -> Downloader.Agent.uj : Errore durante la pulizia
[1708] VM_00990000 -> Downloader.Agent.uj : Errore durante la pulizia
[1908] VM_00BA0000 -> Downloader.Agent.uj : Errore durante la pulizia
[224] VM_009C0000 -> Downloader.Agent.uj : Errore durante la pulizia
[1080] VM_009C0000 -> Downloader.Agent.uj : Errore durante la pulizia
[1608] VM_003F0000 -> Downloader.Agent.uj : Errore durante la pulizia
[3588] VM_009C0000 -> Downloader.Agent.uj : Errore durante la pulizia
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP1\A0000082.exe -> Downloader.Agent.uj : Pulito con Backup
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP1\A0000090.exe -> Downloader.Agent.uj : Pulito con Backup


::Fine Rapporto

-- Report generated: 2006-01-17 13.56 ---

CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Local Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Local Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Start Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

eAcceleration: Program directory (Directory, fixing failed)
C:\Programmi\Acceleration Software\


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-01-16 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-13 Includes\Cookies.sbi (*)
2006-01-13 Includes\Dialer.sbi (*)
2006-01-13 Includes\Hijackers.sbi (*)
2006-01-13 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-01-13 Includes\Malware.sbi (*)
2006-01-13 Includes\PUPS.sbi (*)
2006-01-13 Includes\Revision.sbi (*)
2006-01-13 Includes\Security.sbi (*)
2006-01-13 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-13 Includes\Trojans.sbi (*)


--- Report generated: 2006-01-17 23.16 ---

Windows.ActiveDesktop: Impostazioni utente (Modifica al registro, fixed)
HKEY_USERS\S-1-5-21-3845519480-3465928172-1437394234-500\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1

LonnyRJones
2006-01-22, 13:31
Welcome Daniel6

In Add/Remove Programs, is eAcceleration there? If so, uninstall it.

Go to Start > Run and type in
sc delete cmdservice
Press Enter or OK.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take
longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items(if there):
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Kargo] browsebar.exe
O4 - HKLM\..\Run: [borlandg] ParisM.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
O15 - Trusted Zone: www.archiviosex.net (http://www.archiviosex.net)
O15 - Trusted Zone: www.linkautomatici.com (http://www.linkautomatici.com)
O15 - Trusted Zone: www.master69.biz (http://www.master69.biz)
O15 - Trusted Zone: www.sgrunt.biz (http://www.sgrunt.biz)
O15 - Trusted Zone: www.skymasters.biz (http://www.skymasters.biz)
O15 - Trusted Zone: www.xbeta69.com (http://www.xbeta69.com)
O15 - Trusted Zone: www.yeak.net (http://www.yeak.net)
O17 - HKLM\System\CCS\Services\Tcpip\..\{238A192D-C884-4BEA-BDD3-C12E6CD79F63}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EE3C2EE-E712-44DC-8EA6-0716A0470F03}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{96A4AF10-2A6E-4210-8902-3FA9304969D7}: NameServer = 85.255.116.84,85.255.112.191


If you see a new item that wasn't in your last log in your O4 lines in HijackThis, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe, for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe, for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
check it as well. If you're not sure, leave it and only check the ones I asked you to check.
===========================================================
Click Fix Checked. Close HijackThis, and click OK to proceed.

Post the contents of the FixWareout report.txt (it should open).

Since you had SpyAxe, follow the instructions in this post to run smitrem and ewido while in Safe Mode, and post the smitrem log:
http://forums.spybot.info/showthread.php?t=1316
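The items the helper asks to fix above fall into a few recognisable classes of HijackThis line: O17 NameServer entries pointing at resolvers outside the LAN (DNS redirection), O15 Trusted Zone additions, O4 Run entries that are bare filenames or a directory with no executable, an O10 broken LSP chain, and hooks whose DLL is missing. The script below is an added example, not part of the thread or of HijackThis, that walks a log in HijackThis v1.99 format and lists those entries for review; the `trusted_resolvers` parameter (the owner's expected ISP DNS servers) and the sample log are assumptions constructed for the example, modelled on a subset of the lines posted here.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample in HijackThis v1.99 format, modelled on a subset of the
# lines posted in this thread (not the complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Kargo] browsebar.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
O4 - HKLM\..\Run: [dmciq.exe] C:\WINDOWS\system32\
O10 - Broken Internet access because of LSP provider 'c:\progra~1\accele~1\velozd~1\asiclayer.dll' missing
O15 - Trusted Zone: www.sgrunt.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{238A192D-C884-4BEA-BDD3-C12E6CD79F63}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

Finding = Tuple[str, str, str]  # (HJT section code, reason, offending line)

# "O4 - HKLM\..\Run: [name] command"  (also RunOnce/RunServices variants)
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run[^:]*: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9A-Fa-f:.,\s]+)$")


def _run_target_problem(cmd: str) -> Optional[str]:
    """Return why an O4 Run command deserves a look, or None if it looks normal."""
    cmd = cmd.strip()
    if not cmd:
        return "Run entry with an empty command"
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]   # quoted full path
    else:
        exe = cmd.split(" ", 1)[0]       # first token is the executable
    if exe.endswith("\\"):
        return "Run entry points at a directory, not an executable"
    if "\\" not in exe and ":" not in exe:
        return "Run entry is a bare filename resolved via the search path"
    return None


def _dns_problem(servers: str, trusted: Iterable[str]) -> Optional[str]:
    """Flag resolvers that are neither private (LAN/router) nor on the trusted list."""
    trusted_set = set(trusted)
    bad = []
    for raw in servers.split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            bad.append(raw)              # not even a valid address: worth a look
            continue
        if raw in trusted_set or ip.is_private:
            continue
        bad.append(raw)
    if bad:
        return "NameServer set to unexpected resolver(s): " + ", ".join(bad)
    return None


def analyze_hjt(text: str, trusted_resolvers: Iterable[str] = ()) -> List[Finding]:
    """Walk a HijackThis log and return the entries a helper would ask about.

    trusted_resolvers: resolvers the owner expects (e.g. the ISP's DNS). This is
    an assumption of the example; HijackThis itself has no such notion.
    """
    trusted = list(trusted_resolvers)
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        code = line.split(" ", 1)[0]
        if line.startswith("O17 "):
            m = O17_RE.match(line)
            if m:
                why = _dns_problem(m.group("servers"), trusted)
                if why:
                    findings.append((code, why, line))
        elif line.startswith("O15 "):
            # Trusted Zone entries relax IE security for that site; users rarely add them.
            findings.append((code, "site added to IE Trusted Zone", line))
        elif line.startswith("O10 - Broken"):
            findings.append((code, "Winsock LSP chain is broken (repair with LSPfix)", line))
        elif line.startswith("O4 "):
            m = O4_RE.match(line)
            if m:
                why = _run_target_problem(m.group("cmd"))
                if why:
                    findings.append((code, why, line))
        if "(file missing)" in line and code in ("R3", "O2", "O3"):
            findings.append((code, "hook registered but its DLL is gone", line))
    return findings


if __name__ == "__main__":
    for code, why, line in analyze_hjt(SAMPLE_LOG):
        print(f"{code}: {why}\n    {line}")
```

Entries flagged by the O4 rule are only candidates for review: vendor entries such as Alaunch are also registered as bare names, which is why the helper says to leave anything you are unsure of.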

Daniel6
2006-01-23, 13:58
Hi LonnyRJones!



Logfile of HijackThis v1.99.1
Scan saved at 12.34.21, on 23/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\fixwareout\SUB\BFU.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\File comuni\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dmciq.exe] C:\WINDOWS\system32\
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Kargo] browsebar.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\progra~1\accele~1\velozd~1\asiclayer.dll' missing
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.linkautomatici.com
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.xbeta69.com
O15 - Trusted Zone: www.yeak.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{238A192D-C884-4BEA-BDD3-C12E6CD79F63}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EE3C2EE-E712-44DC-8EA6-0716A0470F03}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{96A4AF10-2A6E-4210-8902-3FA9304969D7}: NameServer = 85.255.116.84,85.255.112.191
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe


FixWareout's report


Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSBCQ.EXE
C:\WINDOWS\SYSTEM32\DMCIQ.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool



HJT report after cleaning


Logfile of HijackThis v1.99.1
Scan saved at 12.42.07, on 23/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dmciq.exe] C:\WINDOWS\system32\
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\progra~1\accele~1\velozd~1\asiclayer.dll' missing
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe


I just followed the instructions of thread 1316. It was the first thing I did.
I can't scan online with an antivirus because the internet connection is still broken!
Other system problems are:
at boot-up the system32 folder pops up
the CD/DVD writer cannot write CDs/DVDs

Is it possible that I need to fix it with LSPfix?

Happy to have heard from you, and thanks for your help!
Excuse my bad English.

LonnyRJones
2006-01-23, 14:29
Hi
Delete these two files
C:\WINDOWS\SYSTEM32\CSBCQ.EXE
C:\WINDOWS\SYSTEM32\DMCIQ.EXE

Scan and fix this item with HijackThis:
O4 - HKLM\..\Run: [dmciq.exe] C:\WINDOWS\system32\


"Is it possible that I need to fix it with LSPfix?"

Yes, I assume you have it?
Reboot after using it.

Daniel6
2006-01-24, 00:08
Hi
I started LSPfix and now the internet connection is restored.
LSPfix removed asiclayer.dll.


In msconfig (startup programs) I have stopped:
parisM
rundll32
unspypc
nopeZ
ipt
ctfmon
cmon14
and two programs written with Chinese or similar characters.
Is it possible that they appear that way only in msconfig?


HJT report with these programs disabled


Logfile of HijackThis v1.99.1
Scan saved at 23.28.10, on 23/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [runload32] lpt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe



HJT log with all programs enabled


Logfile of HijackThis v1.99.1
Scan saved at 23.33.13, on 23/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=??? ?
F3 - REG:win.ini: run=??? ?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [borlandg] ParisM.exe
O4 - HKCU\..\Run: [runload32] lpt.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Programmi\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [TemplateDongle] NopeZ.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe



Do I have to fix F3?
The CD/DVD writer now reads but does not write yet.

thank you LonnyRJones

LonnyRJones
2006-01-24, 04:48
Hi again

Post a report from one of these online scans.
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x] extended database, etc. Click OK.
Then choose: My Computer: scan all your hard drives and mapped disks.
When finished, click Save as text and post that in your reply.

Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please if there are any that it is unable to deal with.


Start HijackThis and place a check next to these items if they are there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
F3 - REG:win.ini: load=??? ?
F3 - REG:win.ini: run=??? ?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O4 - HKLM\..\Run: ParisM.exe
O4 - HKCU\..\Run: [runload32] lpt.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Programmi\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [TemplateDongle] NopeZ.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is a normal entry but should have a comma at the end; HijackThis will put it there, and then subsequent logs won't show it:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

The CD writer problems are unrelated, I think. Try starting the uninstall of its software and use its repair option (if there is one); if that option isn't available, uninstall it, reboot and install again.
Keep us informed.
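As an added example (not from the thread, and not HijackThis's own code), the rule applied above can be run over log lines: O4 Run entries whose executable is a bare file name (no directory, so it is resolved through PATH at logon) and any non-empty win.ini load=/run= values get flagged. The sample lines are constructed from the second log in the thread, and the KNOWN_BARE allowlist is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99 format, modelled on the thread's second log.
SAMPLE_LOG = """\
F3 - REG:win.ini: load=??? ?
F3 - REG:win.ini: run=??? ?
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\Userinit.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\\..\\Run: [borlandg] ParisM.exe
O4 - HKCU\\..\\Run: [runload32] lpt.exe
O4 - HKCU\\..\\Run: [TemplateDongle] NopeZ.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Brong32] cmon14.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # "O4" or "F3"
    hive: str      # "HKLM" / "HKCU" for O4, "" for F3
    name: str      # value name in [...] for O4, "load" or "run" for F3
    command: str
    reason: str


O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
F3_RE = re.compile(r'^F3 - REG:win\.ini: (load|run)=(.*)$')

# Assumed allowlist: Windows utilities that legitimately appear as a bare name
# (the rundll32.exe hosting bthprops.cpl in the log is the case here).
KNOWN_BARE = {"rundll32.exe"}


def executable_of(command: str) -> str:
    """Return the executable part of a Run value: the quoted path if present, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(maxsplit=1)[0] if command else ""


def triage_hjt(log_text: str) -> list[Finding]:
    """Flag PATH-resolved Run entries and non-empty win.ini load=/run= values."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            exe = executable_of(command)
            # A bare file name has no directory, so at logon it is looked up through PATH;
            # legitimate installers almost always register a full path.
            if exe and "\\" not in exe and "/" not in exe and exe.lower() not in KNOWN_BARE:
                findings.append(Finding("O4", hive, name, command,
                                        "bare executable name, resolved via PATH"))
            continue
        m = F3_RE.match(line)
        if m:
            key, value = m.groups()
            # win.ini [windows] load= and run= start programs at logon and are normally empty.
            if value.strip():
                findings.append(Finding("F3", "", key, value,
                                        "win.ini load=/run= should be empty"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section} {f.hive} [{f.name}] {f.command}  <- {f.reason}")
```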

Daniel6
2006-01-24, 20:36
Hello!
Before starting the online antivirus scan I installed and updated
Norton AntiVirus, then I scanned the system. Here are the reports:


Rapporto di Norton AntiVirus Quarantine
Creato il: martedì 24 gennaio 2006 20.15.57
------------------------------------------------------------------------------

Nome file
Posizione
Stato Dimensioni Nome virus
Nome utente Nome computer Dominio
Data quarantena
Data invio

------------------------------------------------------------------------------

hxdOFena.exe

Backup di un file infetto 69.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

vqIVsZf.vbs
C:\WINDOWS\bWFyY28
Backup di un rischio di protezione eliminato 472 bytes Packed.Spyware
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.24.29
Non inviato

------------------------------------------------------------------------------

rdrbs100.exe

Backup di un file infetto 48.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

Dc9.exe
C:\Recycled
Backup di un rischio di protezione eliminato 638 KB Packed.SecurityRiskOn
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.24.29
Non inviato

------------------------------------------------------------------------------

hxdef100.exe

Backup di un file infetto 69.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

Dc10.exe
C:\Recycled
In quarantena 2.00 KB Trojan Horse
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.23.49
Non inviato

------------------------------------------------------------------------------

driver/driver.sys

Backup di un file infetto 3.27 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

rzspy.txt
C:\WINDOWS\system32
In quarantena 8.13 KB Bloodhound.W32.EP
marco ACER-2BFDA75BDC WORKGROUP
sabato 21 gennaio 2006 20.00.37
Non inviato

------------------------------------------------------------------------------

bdcli100.exe

Backup di un file infetto 26.0 KB Backdoor.HackDefender
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 8.19.15
Non inviato

------------------------------------------------------------------------------



Kaspersky online scan report


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 24, 2006 20:12:13
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/01/2006
Kaspersky Anti-Virus database records: 172924
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 17808
Number of viruses found: 10
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 744 sec

Infected Object Name - Virus Name
C:\WINDOWS\Downloaded Program Files\AUTO_80_N.exe Infected: Trojan.Win32.Dialer.hh
C:\Documents and Settings\marco\Impostazioni locali\Temp\a.exe Infected: Trojan-Downloader.Win32.PassAlert.h
C:\Programmi\Norton AntiVirus\Quarantine\2E766530 Infected: not-a-virus:AdWare.Win32.Raze.a
C:\Programmi\Norton AntiVirus\Quarantine\3ADF57D0.exe Infected: Backdoor.Win32.HacDef.ae
C:\Programmi\Norton AntiVirus\Quarantine\3332211B.exe Infected: Backdoor.Win32.HacDef.ae
C:\Programmi\Norton AntiVirus\Quarantine\532615E5.exe Infected: Backdoor.Win32.HacDef.084
C:\Programmi\Norton AntiVirus\Quarantine\3ADF57D0.sys Infected: Backdoor.Win32.HacDef.073.b
C:\Programmi\Norton AntiVirus\Quarantine\000E6962 Infected: Backdoor.Win32.HacDef.084
C:\Programmi\Norton AntiVirus\Quarantine\69297CDD Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP1\A0000117.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP2\A0000130.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP2\A0000784.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP2\A0001784.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP2\A0001792.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001926.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001932.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001939.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001946.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001953.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001961.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001968.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001975.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0001985.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0001993.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002000.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002005.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002011.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002018.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002037.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002044.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002051.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP5\A0002073.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP5\A0002074.exe Infected: Trojan.Win32.Small.fb
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe Infected: Trojan.Win32.Qhost.df
C:\Recycled\Dc8.exe Infected: Trojan.Win32.Favadd.an

Scan process completed.

I have only done this today; I'll try to fix the things you told me with HJT later.


thank you LonnyRJones!

Daniel6
2006-01-26, 13:47
Hello
I fixed the items you told me with HJT.
Here is a fresh report:


C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Thanks LonnyRJones!

LonnyRJones
2006-01-26, 18:46
Hi

Any popups, redirects or problems now ?

Run HijackThis, click Config > Misc Tools > Delete a file on reboot.
Copy, then paste this line into the file name box:
C:\WINDOWS\Downloaded Program Files\AUTO_80_N.exe
Click Open, then let HijackThis restart the PC.

Daniel6
2006-01-30, 13:47
Hello!
I deleted this file with HJT:

C:\WINDOWS\Downloaded Program Files\AUTO_80_N.exe

Would it have been the same thing to delete that file in F8/prompt mode?

C:\eacceleration_install.exe is ok?

Now the system looks OK, no popups, no redirects.
Only the CD/DVD writer reads and writes DVDs but reads and does not write CDs!
I updated CD/DVD Maker and I installed a new burning program too, but
the error is the same: power calibration area error.
I am starting to think it is a hardware problem!


thank you LonnyRJones

Daniel6
2006-01-30, 13:53
Excuse me for the unintentional smiley!

Thank you again LonnyRJones

LonnyRJones
2006-01-30, 14:17
Hi

Delete the eacceleration file

I suggest running Sysclean in Safe Mode since HackDefender was found.
Sysclean is a standalone scanner.
Make a new folder called C:\Sysclean
Download Sysclean from http://www.trendmicro.com/download/dcs.asp
Click the sysclean.txt link to learn how to use it. Download the latest pattern file: http://www.trendmicro.com/download/pattern.asp
lpt(xxxx).zip (AS/400, S/390, Windows)
Unzip it to the Sysclean folder.
Boot to Safe Mode. Scan the system with Sysclean. It will take a while but
it is very thorough. When it's done, close Sysclean and restart back to a normal session.



If your system is problem free and stable after a week or so >
Purge the old System Restore points
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Daniel6
2006-01-31, 19:21
Hello

I scanned the system in Safe Mode with Trend Micro Sysclean.
Here is the report:



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2006-01-30, 23:23:08, Auto-clean mode specified.
2006-01-30, 23:23:08, Running scanner "C:\sysclean\TSC.BIN"...
2006-01-30, 23:24:10, Scanner "C:\sysclean\TSC.BIN" has finished running.
2006-01-30, 23:24:10, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : lun gen 30 2006 23:23:09

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 700) [success]

Complete time : lun gen 30 2006 23:24:10
Execute pattern count(4688), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Accesso negato.
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Accesso negato.
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Accesso negato.
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Accesso negato.
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\DEFAULT": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SOFTWARE": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SYSTEM": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Accesso negato.
2006-01-30, 23:34:11, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Accesso negato.
2006-01-30, 23:34:11, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Accesso negato.
2006-01-30, 23:34:12, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG": Accesso negato.
2006-01-30, 23:34:12, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat": Accesso negato.
2006-01-30, 23:58:43, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Accesso negato.
2006-01-30, 23:58:43, An error occurred while scanning file "C:\Documents and Settings\Administrator\ntuser.dat.LOG": Accesso negato.
2006-01-30, 23:58:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG": Accesso negato.
2006-01-30, 23:58:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat": Accesso negato.
2006-01-31, 00:14:07, Running scanner "C:\sysclean\VSCANTM.BIN"...
2006-01-31, 00:24:47, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:14:08
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe [TROJ_TINY.AF]
19324 files have been read.
19324 files have been checked.
16518 files have been scanned.
21283 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:47
---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:47, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:14:08
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

Success Clean [ TROJ_TINY.AF]( 1) from C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe
19324 files have been read.
19324 files have been checked.
16518 files have been scanned.
21283 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:47 10 minutes 34 seconds (633.63 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:47, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:14:08
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

19324 files have been read.
19324 files have been checked.
16518 files have been scanned.
21283 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:47 10 minutes 34 seconds (633.63 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:47, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
2006-01-31, 00:24:47, Running scanner "C:\sysclean\VSCANTM.BIN"...
2006-01-31, 00:24:52, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:24:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

21 files have been read.
21 files have been checked.
21 files have been scanned.
21 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:52
---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:52, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:24:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

21 files have been read.
21 files have been checked.
21 files have been scanned.
21 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:52 0.05 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:52, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:24:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

21 files have been read.
21 files have been checked.
21 files have been scanned.
21 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:52 0.05 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:52, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.


Thanks LonnyRJones!

LonnyRJones
2006-01-31, 19:46
Hi
Looks good,
Purge the old System Restore points
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.


Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
How did that go?
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Daniel6
2006-02-02, 19:57
Hello again!

I did all the work you told me to.
After downloading the hosts file I copied it here:
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC

but here I had no hosts file;
I had NOHOSTS:
127.0.0.1 localhost

127.0.0.1 localhost


Do I have to rename NOHOSTS?

System is going OK!
Thank you LonnyRJones

LonnyRJones
2006-02-05, 05:08
Running the bat included in the zip will put the hosts file in the correct folder.

As the problems appear to be resolved, this topic will now be closed and archived. If a problem related to malware, spyware or adware returns and you need this topic re-opened, please send a PM message to me or Tashi.

Regards
Lonny
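A defender-side check for the hosts file the posts above install, added here as an example that is not from the thread, from mvps.org or from Spybot: it parses hosts-file lines and separates the localhost entry from blocking entries (names sent to 127.0.0.1 or 0.0.0.0) and from redirects to routable addresses, which is what a hosts-file hijack looks like. The sample file, its example.com names and the TEST-NET address are constructed.

```python
"""Added example, not from the thread: classify the entries of a Windows hosts
file such as the one the posts above install under C:\\WINDOWS\\SYSTEM32\\DRIVERS\\ETC."""
import ipaddress
from typing import Dict, List, Tuple

# Sink addresses a blocking hosts file (the MVPS one included) maps unwanted
# names to; a name sent anywhere else is a redirect worth a second look.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; each line is 'address name [alias ...]'
    and anything after '#' is a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries

def classify(text: str) -> Dict[str, List[str]]:
    """Split entries into the localhost mapping, blocking entries and redirects
    (a name pointed at a routable address, which is what a hosts hijack looks like)."""
    report: Dict[str, List[str]] = {"localhost": [], "blocked": [], "redirected": []}
    for addr, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            report["localhost"].append(addr)
        elif addr in SINK_ADDRESSES:
            report["blocked"].append(name)
        else:
            report["redirected"].append(f"{name} -> {addr}")
    return report

# Constructed sample: the default line Daniel6 found, two MVPS-style blocking
# lines, and one hijack-style redirect (documentation domains, TEST-NET address).
SAMPLE = """# default Windows hosts file (constructed)
127.0.0.1 localhost
127.0.0.1 ads.example.com          # blocked by the hosts file
0.0.0.0   tracker.example.net
203.0.113.10 www.example.org       # sent to a routable address
"""

if __name__ == "__main__":
    for kind, items in classify(SAMPLE).items():
        print(f"{kind}: {items}")
```

Anything listed under "redirected" deserves a manual look, since neither the default file nor the MVPS file points names at routable addresses.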