Help, slow scanning! + Hijackthis log



UNiVERSE
2005-11-23, 04:03
---> Hijack This log...

Logfile of HijackThis v1.99.1
Scan saved at 3.00.10, on 23/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Executive Software\Diskeeper\DkService.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Programmi\SpywareGuard\sgmain.exe
C:\Programmi\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\BitTorrent\bittorrent.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Hijackthis 199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = UNiVERSE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [LWBMOUSE] C:\PROGRA~2\SCROLL~1\2.2\ARTMOUSE.EXE
O4 - HKCU\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKCU\..\Run: [PCTVRemote] C:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKCU\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli" runtime
O4 - HKCU\..\Run: [CnxDslTaskBar] C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKCU\..\Run: [DiskeeperSystray] "C:\Programmi\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programmi\NVIDIA Corporation\nTune\nTune.exe" clear
O4 - HKCU\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
O4 - Startup: Pinnacle Scheduler.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

LonnyRJones
2005-11-23, 06:19
Hi UNiVERSE
Do you know at which site the problem started?

Download and run BlackLight
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Click > Scan, then > Next, Next again, then Exit.
There will be a new txt file next to BlackLight. Post it please.

tashi
2005-11-25, 03:44
UNiVERSE.
Please do not start new topics in the malware removal forum; please respond to this one.

Thank you. :)

UNiVERSE
2005-11-25, 04:47
I had to divide the post in 2 posts, because there were too many characters. The HijackThis log is way too long...

I installed F-Secure Internet Security and uninstalled it immediately, because it made Windows crash after the restart, without even loading the icons in the systray; everything just crashed after every restart, until I selected Windows XP safe mode and removed the application. Then everything went like before, except Ad-Aware... I have to reinstall it because F-Secure Internet Security uninstalled it before proceeding with the installation. Did I do anything wrong? How can I install this software without having all this trouble?

LonnyRJones
2005-11-25, 05:03
Hi

I didn't suggest installing "F-Secure Internet Security"

UNiVERSE
2005-11-25, 13:50
Oops! Sorry... I thought it was part of F-Secure Internet Security! :eek:
I'm going to install it... and will let you know soon, thank you. :o

UNiVERSE
2005-11-25, 14:06
Here's the log... those files look very suspicious -____- I can't be sure if they're associated with applications I use

11/25/05 12:59:55 [Info]: BlackLight Engine 1.0.25 initialized
11/25/05 12:59:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/25/05 12:59:55 [Note]: 4019 4
11/25/05 12:59:55 [Note]: 4005 0
11/25/05 12:59:57 [Note]: 4006 0
11/25/05 12:59:57 [Note]: 4011 1748
11/25/05 12:59:57 [Note]: FSRAW library version 1.7.1013
11/25/05 13:00:52 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
11/25/05 13:00:52 [Note]: 10002 1
11/25/05 13:01:10 [Info]: Hidden file: C:\WINDOWS\system32\favset.exe
11/25/05 13:01:10 [Note]: 10002 1
11/25/05 13:01:14 [Info]: Hidden file: C:\WINDOWS\system32\howiper.exe
11/25/05 13:01:14 [Note]: 10002 1
11/25/05 13:01:15 [Info]: Hidden file: C:\WINDOWS\system32\csnhw.exe
11/25/05 13:01:15 [Note]: 4002 32
11/25/05 13:01:15 [Note]: 4003 1
11/25/05 13:01:15 [Note]: 10002 1
11/25/05 13:01:19 [Info]: Hidden file: C:\WINDOWS\system32\dmbbb.exe
11/25/05 13:01:19 [Note]: 4002 32
11/25/05 13:01:19 [Note]: 4003 1
11/25/05 13:01:19 [Note]: 10002 1
11/25/05 13:01:19 [Info]: Hidden file: C:\WINDOWS\system32\sphlp32.exe
11/25/05 13:01:19 [Note]: 10002 1
11/25/05 13:01:20 [Info]: Hidden file: C:\WINDOWS\system32\pppcgm.exe
11/25/05 13:01:20 [Note]: 10002 1
11/25/05 13:04:47 [Note]: 4007 0

LonnyRJones
2005-11-25, 15:09
Hi

Run BlackLight again and have it rename all those files except for

C:\WINDOWS\system32\wbem\wbemtest.exe
Let BlackLight restart the PC

There will be more to do; let us know when you're ready for the next steps

UNiVERSE
2005-11-25, 15:59
Ok, I renamed all files, but... when I restarted and ran Lavasoft Ad-Watch, it found a registry change, precisely in HKEY_LOCAL_MACHINE, Run key; the new data was "C:\WINDOWS\system32\dmbbb.exe", and I blocked it. The file dmbbb.exe is not present in the C:\WINDOWS\system32 folder; the only file I found with similar criteria is the one renamed (dmbbb.exe.ren) by BlackLight. What do I do now? Thanks for your help! :bigthumb:

LonnyRJones
2005-11-25, 16:15
Hi

Turn off both TeaTimer and Ad-Watch for now please, from inside each program's options page, not just using the tray icon controls (clock area)

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68

there will be one maybe two items that look like:
O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System\dmcup.exe
O4 - HKLM\..\Run: [pcbac.exe] pcbac.exe
dmcup and pcbac.exe are randomly named files and are usually not visible; they need to be fixed, BUT if you have any doubt don't fix anything.
Click Fix Checked. Close HijackThis, and click OK to proceed.
Finally, please post the contents of report.txt (it should open), along with a new HijackThis log.
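As an added example (not from the thread, HijackThis or FixWareout), here is a small Python triage script that applies the checks this post describes to a HijackThis log: a static O17 NameServer outside an allowlist of expected resolvers, an O4 Run value that is only a bare file name, and any entry marked "(file missing)". The allowlist network and the second O17 GUID are constructed placeholders; the other sample lines are taken from the logs in this thread.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist of resolvers this PC is expected to use. The thread's
# fix was "Obtain DNS servers automatically", so a static entry would normally
# be the ISP's resolvers or a private router address (hypothetical LAN here).
EXPECTED_DNS = [ipaddress.ip_network("192.168.0.0/16")]

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    kind: str     # "rogue-dns", "bare-run-entry" or "orphan"
    line: str     # the HijackThis line that triggered it
    detail: str


def _dns_is_expected(addr: str) -> bool:
    """True when addr parses as an IP inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in EXPECTED_DNS)


def _image_path(cmd: str) -> str:
    """Return the executable part of a Run value, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Scan a HijackThis log and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            bad = [s for s in m["servers"].split() if not _dns_is_expected(s)]
            if bad:
                findings.append(Finding("rogue-dns", line,
                                        "unexpected static resolver(s): " + ", ".join(bad)))
            continue
        m = O4_RE.match(line)
        if m:
            image = _image_path(m["cmd"])
            # A Run value that is only a file name relies on the search path:
            # the "[pcbac.exe] pcbac.exe" shape described in the post above.
            if "\\" not in image:
                findings.append(Finding("bare-run-entry", line,
                                        f"Run value '{m['name']}' has no directory: {image}"))
        if line.endswith("(file missing)"):
            findings.append(Finding("orphan", line, "target file missing; cleanup candidate"))
    return findings


# Constructed sample: lines taken from or modelled on the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pcbac.exe] pcbac.exe
O4 - HKLM\..\Run: [dmcup.exe] C:\WINDOWS\System\dmcup.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{EXAMPLE-GUID}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

A static resolver that is not on the allowlist is the finding to act on first; orphan entries are only cleanup, as the "(file missing)" BitDefender and VNC lines in this thread show.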

UNiVERSE
2005-11-25, 17:27
Ok, I didn't find any of those things in HijackThis; here are the logs:


--------------------------------report.txt---------------------------------
Fixwareout ver 1.003
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...
C:\WINDOWS\SYSTEM32\CSNHWE~1.REN
C:\WINDOWS\SYSTEM32\DMBBBE~1.REN
C:\WINDOWS\SYSTEM32\FAVSET~1.REN
C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
C:\WINDOWS\SYSTEM32\PPPCGM~1.REN
C:\WINDOWS\SYSTEM32\SPHLP3~1.REN

Misc files

Checking for older varients covered by the Rem3 tool
----------------------------------------------------------------------

----------------------------hijackthis.log------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 16.27.57, on 25/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Executive Software\Diskeeper\DkService.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~2\SCROLL~1\2.2\ARTMOUSE.EXE
C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Programmi\Logitech\iTouch\iTouch.exe
C:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
C:\Programmi\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis 199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = UNiVERSE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmi\SpywareGuard\dlprotect.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [LWBMOUSE] C:\PROGRA~2\SCROLL~1\2.2\ARTMOUSE.EXE
O4 - HKCU\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKCU\..\Run: [PCTVRemote] C:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKCU\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli" runtime
O4 - HKCU\..\Run: [CnxDslTaskBar] C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKCU\..\Run: [DiskeeperSystray] "C:\Programmi\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programmi\NVIDIA Corporation\nTune\nTune.exe" clear
O4 - HKCU\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
O4 - Startup: Pinnacle Scheduler.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

UNiVERSE
2005-11-25, 17:36
I forgot to say something... first, before doing that fix, I'd been able to do a complete scan with Spybot Search & Destroy without having any hang-up or slowdown. Second, once I ran the fix and restarted my PC, I didn't have HijackThis installed, so the program didn't load and I had to restart the fix. I think this changed something in the report.txt file; if I'm not wrong I noticed more files in the "search by size and names", then in the second there were fewer names, don't know how many. I don't think this will cause any problem; in any case, sorry about this >_< and thanks again for your great help :bow:

UNiVERSE
2005-11-26, 00:39
Hellooo? :confused: Do I have to do some other thing? >____<

LonnyRJones
2005-11-26, 00:42
Hi

That's fine you ran it twice

Could you please zip these up and send the files to me? There are a couple that I need to look at. Thanks
C:\WINDOWS\SYSTEM32\CSNHWE~1.REN
C:\WINDOWS\SYSTEM32\DMBBBE~1.REN
C:\WINDOWS\SYSTEM32\FAVSET~1.REN
C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
C:\WINDOWS\SYSTEM32\PPPCGM~1.REN
C:\WINDOWS\SYSTEM32\SPHLP3~1.REN

Then they can be deleted

An easy way to zip/compress them:
Download "Suspicious File Packer" (third one on this page) >
http://www.safer-networking.org/en/tools/index.html
to your desktop, and unzip the file inside.
Run sfp.exe, copy then paste the list below into it and hit Continue.

C:\WINDOWS\SYSTEM32\CSNHWE~1.REN
C:\WINDOWS\SYSTEM32\DMBBBE~1.REN
C:\WINDOWS\SYSTEM32\FAVSET~1.REN
C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
C:\WINDOWS\SYSTEM32\PPPCGM~1.REN
C:\WINDOWS\SYSTEM32\SPHLP3~1.REN

Send to lonnyATsubratam.org
Replace AT with @ and include a link back to this thread.

the cab and the original files can then be deleted

Fix this with HijackThis
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68


If there are any connection problems >
(These instructions are basically for home users.)
Before doing this write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.

UNiVERSE
2005-11-26, 02:27
Ok, I fixed O17 with HijackThis, and I specified to Obtain DNS Servers automatically. As to sending those files to you... ehm... -____- when I came back home this evening, I discovered that Norton AntiVirus had done an automated scan, one of those in the "planned operations" (don't know how to spell), and found that one of those .ren files was infected by a virus, so I deleted it... then I searched for all the .ren files which were present in the c:\windows\system32 folder and deleted them all -_- I don't know if I can get them back with some application, like GetDataBack; I'm going to try this tomorrow, and I will let you know asap.
1000 thanks for your help! :o :bigthumb:

LonnyRJones
2005-11-26, 02:30
That's ok, never mind sending

UNiVERSE
2005-11-26, 14:49
:( I tried with GetDataBack, and it wasn't able to find those *.ren files (or *.exe.ren). If you know how to restore them, tell me which program to use; I would be glad to help you discover what those viruses are about, as you helped me to get my system back clean. :bow:

LonnyRJones
2005-11-26, 16:09
Hi

It's ok, the only one I wanted was SPHLP3~1.REN; the others are known.
I can get a copy elsewhere, no problem.

Are there any problems now ?

UNiVERSE
2005-11-26, 18:12
Uhm, no, I think not... I can do a scan with Spybot Search & Destroy without getting a pause, and I'm not finding those sites I talked about anymore when I open a page that isn't available. Also some sites now open faster; I didn't know there was that DNS in the TCP/IP preferences, it caused an overall Internet Explorer slowdown (probably other programs too, when trying to download). I'm sorry I can't send you the files :( Thanks for everything! :bow:

LonnyRJones
2005-11-27, 09:18
Great

jre1.5.0_01: go update Sun's Java manually
Sun Java V1.5.0_05 is available
http://java.com/en/index.jsp


Put in place a good hosts file http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file: http://www.mvps.org/winhelp2002/hosts2.htm
How did that go ?
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

UNiVERSE
2005-11-29, 21:28
Ok, I did all those things. How did you know my hosts file was infected? :confused: From a HijackThis log? I guess that mvps.bat has done its work, even if I don't see the whole procedure; the command prompt closes itself, even if I start cmd from Start - Run, so I don't see if there is any error, but I guess not, otherwise the batch would have informed me from the command prompt :confused:
Always my best thanks :bow:

tashi
2005-12-04, 13:02
Hi UNiVERSE.
As the problem appears to be resolved this topic will be archived.
If you need the topic reopened please pm me. :)