
Help on Adware.Look2Me



roberto71
2006-05-01, 01:46
Hello,
I am pretty new to the forum. I have seen the Look2Me has been widely discussed, yet I couldn't find a way to fully remove it (tried many).

Here's the hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 1.44.28, on 01/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\Bill's Calendar\bilcal32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Messenger\MSMSGS.EXE
C:\Programmi\MightyFax NT\MFNTCTL.EXE
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Bill's Calendar] C:\Programmi\Bill's Calendar\bilcal32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [idx32] rundll32.exe C:\WINDOWS\System32\idx32.dll,start
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MightyFAX Controller.lnk = C:\Programmi\MightyFax NT\MFNTCTL.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137694716035
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dnns0157e.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe


Any help will be appreciated.
Thank you.
Roberto

steamwiz
2006-05-01, 12:58
HI

please download and run Look2Me-Destroyer by Atribune

Follow the instructions here :-

http://www.atribune.org/content/view/28/

Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

cheers

steam

roberto71
2006-05-01, 19:05
Hi steam, thanks for your reply.

---------------------------------
Here's the Look2Me-Destroyer log:
---------------------------------
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 01/05/06 18.40.07

Infected! C:\WINDOWS\system32\ioencode.dll
Infected! C:\WINDOWS\system32\fxeploy.dll
Infected! C:\WINDOWS\system32\ioencode.dll
Infected! C:\WINDOWS\system32\j8n2li5o18.dll
Infected! C:\WINDOWS\system32\m682lglo16qc.dll
Infected! C:\WINDOWS\system32\swrrnit.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\ioencode.dll
C:\WINDOWS\system32\ioencode.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fxeploy.dll
C:\WINDOWS\system32\fxeploy.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ioencode.dll
C:\WINDOWS\system32\ioencode.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j8n2li5o18.dll
C:\WINDOWS\system32\j8n2li5o18.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m682lglo16qc.dll
C:\WINDOWS\system32\m682lglo16qc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\swrrnit.dll
C:\WINDOWS\system32\swrrnit.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6CAC6F40-CF8A-4D77-91EB-F53E0139E2F3}"
HKCR\Clsid\{6CAC6F40-CF8A-4D77-91EB-F53E0139E2F3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EA2BC3AC-6BAC-4045-BE37-AA1A802E7014}"
HKCR\Clsid\{EA2BC3AC-6BAC-4045-BE37-AA1A802E7014}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{55BF6140-4283-4623-8570-0FC6CF7B4F7E}"
HKCR\Clsid\{55BF6140-4283-4623-8570-0FC6CF7B4F7E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

-----------------------
Here's the new HJT log:
-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 18.47.29, on 01/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\Bill's Calendar\bilcal32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Messenger\MSMSGS.EXE
C:\Programmi\MightyFax NT\MFNTCTL.EXE
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Bill's Calendar] C:\Programmi\Bill's Calendar\bilcal32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [idx32] rundll32.exe C:\WINDOWS\System32\idx32.dll,start
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MightyFAX Controller.lnk = C:\Programmi\MightyFax NT\MFNTCTL.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137694716035
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe


----------------

I have also done a new Spybot scan which returned the three objects of the Command Service (which I have seen discussed widely as well), and the WindowsSecurityCenter.AntiVirusDisableNotify.

Those entries were identified also during the Look2Me infections, and I attempted to remove them; usually two of them get removed, two not, but on startup all four of them are there again...
So the Look2Me seems gone, now it's a matter of removing those registry entries?

I have one more question:
I keep getting the RUNDLL error, failing to load the IDX32.DLL on startup, what can I do about it?

Thanks again for your support, highly appreciated.
Ciao,
Roberto

steamwiz
2006-05-01, 19:49
Hi

Yes you've got rid of L2M



I have also done a new Spybot scan which returned the three objects of the Command Service


Please download delcmdservice (http://users.telenet.be/marcvn/tools/delcmdservice.zip) (by Marckie), and save it to your Desktop.

1. Unzip to your Desktop (a folder named delcmdservice)
2. Open the delcmdservice folder
3. Double-click on delreg.bat to launch the tool
4. When the tool has finished, please reboot your computer
5. please scan with HijackThis! and post the new log, in your next reply.



and the WindowsSecurityCenter.AntiVirusDisableNotify



Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

I presume this is the entry you are referring to?

This is not a problem... it's giving you information...

This is a registry key which will tell you if your AntiVirus becomes disabled ... only in your case it wont because the key is not enabled... do you want to be informed if your AntiVirus becomes disabled ? ... if you do, then fix this.

In other words, your AntiVirus is NOT being monitored to see if it becomes disabled...so as it is you will NOT be informed if it does become disabled.. if you fix this entry, it will enable the key, your AntiVirus WILL be monitored, & you WILL be informed if it becomes disabled.



I have one more question:
I keep getting the RUNDLL error, failing to load the IDX32.DLL on startup, what can I do about it?



You are getting this error because Windows is looking for the file to run, and it has been removed (malware)

You just need to remove the run key from the registry, to stop Windows looking for it...

Run hijackthis and place a checkmark next to this entry, and click "fix checked"


O4 - HKLM\..\Run: [idx32] rundll32.exe C:\WINDOWS\System32\idx32.dll,start


cheers

steam
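As an added example (not from this thread, and not part of HijackThis or Look2Me-Destroyer), here is a small Python helper that parses HijackThis-style entry lines, diffs a before/after log, and flags O4 rundll32 and O20 Winlogon Notify entries whose DLL is no longer on disk, which is exactly the orphaned-Run-key situation behind the RUNDLL error described above. The log excerpts and the list of files "present on disk" are constructed for the example.

```python
import re

# Constructed excerpts in HijackThis v1.99.1 line format, modelled on the
# before/after logs posted in this thread (not the full logs).
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [idx32] rundll32.exe C:\WINDOWS\System32\idx32.dll,start
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\dnns0157e.dll
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [idx32] rundll32.exe C:\WINDOWS\System32\idx32.dll,start
"""
# Constructed stand-in for the file system after the cleanup tool ran:
# idx32.dll and dnns0157e.dll are gone, the Run key for idx32 is not.
PRESENT_FILES = {
    r"C:\WINDOWS\System32\rundll32.exe",
    r"C:\Programmi\File comuni\Symantec Shared\ccApp.exe",
}

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(.+?\.dll)", re.IGNORECASE)
NOTIFY_RE = re.compile(r"Winlogon Notify: .+? - (.+?\.dll)\s*$", re.IGNORECASE)


def parse_hjt(text):
    """Return only the classified entry lines (R0, F2, O4, O20, ...),
    skipping the header and the 'Running processes' list."""
    return [line.rstrip() for line in text.splitlines() if ENTRY_RE.match(line)]


def diff_logs(before, after):
    """(removed, added) entry lines between two logs, each sorted."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def dll_references(entries):
    """Map each O4 rundll32 entry and O20 Winlogon Notify entry to the DLL path it loads."""
    refs = {}
    for entry in entries:
        if entry.startswith("O4 "):
            match = RUNDLL_RE.search(entry)
        elif entry.startswith("O20 "):
            match = NOTIFY_RE.search(entry)
        else:
            match = None
        if match:
            refs[entry] = match.group(1)
    return refs


def orphaned_entries(entries, present_files):
    """Entries whose DLL is not in present_files (case-insensitive, as NTFS is):
    these are the autostart leftovers that produce 'Error loading ...' at logon."""
    present = {path.lower() for path in present_files}
    return sorted(e for e, dll in dll_references(entries).items() if dll.lower() not in present)


if __name__ == "__main__":
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("Removed by cleanup:", *removed, sep="\n  ")
    print("Added:", *added, sep="\n  ")
    print("Orphaned autostart entries:", *orphaned_entries(parse_hjt(HJT_AFTER), PRESENT_FILES), sep="\n  ")
```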

roberto71
2006-05-01, 23:14
Hello steam, thanks again.

I used the delcmdservice; here is the new HJT log (I haven't run Spybot yet):

-------
HJT log
-------

Logfile of HijackThis v1.99.1
Scan saved at 23.04.06, on 01/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\Bill's Calendar\bilcal32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Messenger\MSMSGS.EXE
C:\Programmi\MightyFax NT\MFNTCTL.EXE
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: C:\Programmi\Bill's Calendar\bilcal32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [idx32] rundll32.exe C:\WINDOWS\System32\idx32.dll,start
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MightyFAX Controller.lnk = C:\Programmi\MightyFax NT\MFNTCTL.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137694716035
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe

------
Rundll
------
I used Hijackthis to fix the entry as you suggested.
(the log above is just before fixing)


Regarding the
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Yes it is exactly this entry. That entry doesn't show up with Hjt but it does with Spybot, so I was worried about it - Spybot doesn't fix it, so if I shall fix I need to know why (other manual editing the registry). My antivirus engine was giving the error 0x20000058 which forces me to restart manually the service each time I want to scan.

Any help is appreciated!
Thank you and ciao,
Roberto

roberto71
2006-05-01, 23:15
... so if I shall fix I need to know why (other manual editing the registry).

Uops, I meant: I need to know HOW (other THAN manual editing?).
Sorry about that.
Roberto

steamwiz
2006-05-03, 00:19
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

I presume this is the entry you are referring to?

This is not a problem... it's giving you information...

This is a registry key which will tell you if your AntiVirus becomes disabled ... only in your case it wont because the key is not enabled... do you want to be informed if your AntiVirus becomes disabled ? ... if you do, then fix this.

In other words, your AntiVirus is NOT being monitored to see if it becomes disabled...so as it is you will NOT be informed if it does become disabled.. if you fix this entry, it will enable the key, your AntiVirus WILL be monitored, & you WILL be informed if it becomes disabled.


Hi Roberto

Did you read what i said above ?

I say again...This is not a problem... it's giving you information...It was probably set this way by your Norton anti-virus...

I'm not sure exactly what you want ?

do you want to be informed if your AntiVirus becomes disabled ?

If you don't, then just leave it and exclude it from future scans...

have a look here :

http://forums.spybot.info/showthread.php?t=1059

==
Your Symantec error is addressed here:

http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2000051013322148

Error: "Scan Engine Error 0x20000046 or 0x20000058" when scanning with Norton AntiVirus Corporate Edition or Symantec AntiVirus Corporate Edition

steam

roberto71
2006-05-03, 13:55
Hello steam,

yes I have read what you said above; I was just pointing out that the entry is coming up in Spybot so I was worried - but of course, as you said, "it's not a problem".

I also knew that the "Scan Engine Error 0x20000046 or 0x20000058" was a different issue. I was worried the two things could be related.

Anyhow, now everything seems solved and the threads you pointed to may help me out in this case, if I need further assistance.

Again, thank you very much for your help!!
And greetings to everyone in this resourceful forum!!

Ciao
Roberto

steamwiz
2006-05-03, 20:20
Hi roberto

You're very welcome :)

steam

tashi
2006-05-08, 20:40
As the problem appears to be resolved this topic will be archived. :)

If you need it re-opened please send me a pm and provide a link to the thread.