
Thread: Help, slow scanning! + Hijackthis log

  1. #11
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    Ok, I didn't find any of those things in Hijack This, here are the logs:


    --------------------------------report.txt---------------------------------
    Fixwareout ver 1.003
    Post this report in the forums please

    Reg Entries that were deleted

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...
    C:\WINDOWS\SYSTEM32\CSNHWE~1.REN
    C:\WINDOWS\SYSTEM32\DMBBBE~1.REN
    C:\WINDOWS\SYSTEM32\FAVSET~1.REN
    C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
    C:\WINDOWS\SYSTEM32\PPPCGM~1.REN
    C:\WINDOWS\SYSTEM32\SPHLP3~1.REN

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool
    ----------------------------------------------------------------------

    ----------------------------hijackthis.log------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 16.27.57, on 25/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Executive Software\Diskeeper\DkService.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\PROGRA~2\SCROLL~1\2.2\ARTMOUSE.EXE
    C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Programmi\Logitech\iTouch\iTouch.exe
    C:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
    C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
    C:\Programmi\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Hijackthis 199\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = UNiVERSE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmi\SpywareGuard\dlprotect.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [LWBMOUSE] C:\PROGRA~2\SCROLL~1\2.2\ARTMOUSE.EXE
    O4 - HKCU\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKCU\..\Run: [STYLEXP] C:\Programmi\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
    O4 - HKCU\..\Run: [PCTVRemote] C:\Programmi\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    O4 - HKCU\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
    O4 - HKCU\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli" runtime
    O4 - HKCU\..\Run: [CnxDslTaskBar] C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
    O4 - HKCU\..\Run: [DiskeeperSystray] "C:\Programmi\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKCU\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKCU\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKCU\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programmi\NVIDIA Corporation\nTune\nTune.exe" clear
    O4 - HKCU\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKCU\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Startup: Pinnacle Scheduler.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
    O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Programmi\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

  2. #12
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    I forgot to say something... first, before doing that fix, I've been able to do a complete scan with Spybot Search & Destroy without having any hang up or slowdown. Second, once I ran the fix and restarted my PC, I didn't have HijackThis installed, so the program didn't load and I had to restart the fix. I think this changed something in the report.txt file; if I'm not wrong I noticed more files in the "search by size and names" the first time, then in the second there were fewer names, don't know how many. I don't think this will cause any problem, in any case, sorry about this >_< and thanks again for your great help

  3. #13
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    Hellooo? Do I have to do some other thing? >____<

  4. #14
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    That's fine that you ran it twice.

    Could you please zip these up and send the files to me? There are a couple that I need to look at. Thanks.
    C:\WINDOWS\SYSTEM32\CSNHWE~1.REN
    C:\WINDOWS\SYSTEM32\DMBBBE~1.REN
    C:\WINDOWS\SYSTEM32\FAVSET~1.REN
    C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
    C:\WINDOWS\SYSTEM32\PPPCGM~1.REN
    C:\WINDOWS\SYSTEM32\SPHLP3~1.REN

    Then they can be deleted

    An easy way to zip/compress them:
    Download "Suspicious File Packer" (the third one on this page) >
    http://www.safer-networking.org/en/tools/index.html
    to your desktop and unzip the file inside.
    Run sfp.exe, copy and paste the list below into it, and hit continue.

    C:\WINDOWS\SYSTEM32\CSNHWE~1.REN
    C:\WINDOWS\SYSTEM32\DMBBBE~1.REN
    C:\WINDOWS\SYSTEM32\FAVSET~1.REN
    C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
    C:\WINDOWS\SYSTEM32\PPPCGM~1.REN
    C:\WINDOWS\SYSTEM32\SPHLP3~1.REN

    Send to lonnyATsubratam.org
    Replace AT with @ and include a link back to this thread.

    The cab and the original files can then be deleted.

    Fix this with HijackThis:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68


    If there are any connection problems >
    (These instructions are basically for home users.)
    Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
    In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS server address automatically".
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.
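    The O17 entry the expert asks the poster to fix is a hijacked DNS resolver setting: the NameServer value under the TCP/IP service key points at addresses that are not the ISP's or the home router's resolvers, which is why "sites not available" pages were being redirected and browsing was slow. The following script is an added example (not part of this thread, and not HijackThis or Fixwareout code) that scans HijackThis-style log lines for O17 NameServer entries and flags any resolver outside an allowlist of expected networks. The allowlist (`EXPECTED_RESOLVERS`) and the second, benign O17 line are constructed assumptions; the first O17 line is the one quoted in the log above.

```python
import ipaddress
import re

# Constructed sample input: HijackThis-style lines. The first O17 line is the
# entry quoted in the thread; the second is a made-up benign one (router DNS)
# included for contrast. Raw string so the registry backslashes stay literal.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD6EA9ED-E6F3-48B1-B9E5-C2C36399BE76}: NameServer = 85.255.113.130 85.255.112.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\Diskeeper\DkService.exe
"""

# Hypothetical allowlist: networks in which this machine's legitimate resolvers
# live (home-router LAN range here). Fill in your own ISP's resolver addresses.
EXPECTED_RESOLVERS = (
    ipaddress.ip_network("192.168.0.0/16"),
)

# O17 line layout: "O17 - <registry key>: NameServer = <ip> [<ip> ...]"
# The key contains no spaces, so \S+ captures it up to the colon.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_o17(lines):
    """Yield (registry_key, [ip_address, ...]) for every O17 line.

    HijackThis lists multiple resolvers separated by spaces (sometimes commas);
    tokens that are not valid IP addresses are ignored.
    """
    for line in lines:
        match = O17_RE.match(line.strip())
        if not match:
            continue
        servers = []
        for token in re.split(r"[ ,]+", match.group("servers").strip()):
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                continue
        yield match.group("key"), servers


def is_expected(ip, allow=EXPECTED_RESOLVERS):
    """True if the resolver address falls inside one of the allowed networks."""
    return any(ip in net for net in allow)


def find_rogue_resolvers(log_text, allow=EXPECTED_RESOLVERS):
    """Return [(registry_key, [unexpected_ip_str, ...]), ...] for O17 entries
    whose NameServer list contains resolvers outside the allowlist."""
    findings = []
    for key, servers in parse_o17(log_text.splitlines()):
        unexpected = [str(ip) for ip in servers if not is_expected(ip, allow)]
        if unexpected:
            findings.append((key, unexpected))
    return findings


if __name__ == "__main__":
    for key, ips in find_rogue_resolvers(SAMPLE_LOG):
        print(f"O17 {key}: unexpected DNS resolver(s) {', '.join(ips)}")
```

Run against a full HijackThis log, the script prints only the O17 keys whose resolvers are not in your allowlist; an empty result after the fix and the "obtain DNS server address automatically" change is the confirmation the expert is asking for. The check is per-interface-GUID, so a second rogue entry under another adapter key is reported separately.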

  5. #15
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    Ok, I fixed O17 with HijackThis, and I specified to obtain DNS servers automatically. As to sending those files to you... ehm... -____- when I came back home this evening, I discovered that Norton AntiVirus had done an automated scan, one of those in the "planned operations" (don't know how to spell it), and found that one of those .ren files was infected by a virus, so I deleted it... then I searched for all the .ren files which were present in the c:\windows\system32 folder and deleted them all -_- I don't know if I can get them back with some application, like GetDataBack; I'm going to try this tomorrow, and I will let you know asap.
    1000 thanks for your help! :o

  6. #16
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    That's OK, never mind sending.

  7. #17
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    :( I tried with GetDataBack, and it wasn't able to find those *.ren files (or *.exe.ren). If you know how to restore them, tell me which program to use; I would be glad to help you discover what those viruses are about, as you helped me get my system clean again.

  8. #18
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    It's OK, the only one I wanted was SPHLP3~1.REN; the others are known.
    I can get a copy elsewhere, no problem.

    Are there any problems now ?

  9. #19
    Junior Member
    Join Date
    Nov 2005
    Posts
    1


    Uhm, no, I think not... I can do a scan with Spybot Search & Destroy without getting a pause, and I'm not seeing those sites I talked about anymore when I open a page that isn't available. Also some sites now open faster; I didn't know there was that DNS in the TCP/IP preferences, it caused an overall Internet Explorer slowdown (probably other programs too, when trying to download). I'm sorry I can't send you the files :( Thanks for everything!

  10. #20
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Great

    jre1.5.0_01: go update Sun's Java manually.
    Sun Java V1.5.0_05 is available:
    http://java.com/en/index.jsp


    Put in place a good hosts file: http://www.mvps.org/winhelp2002/hosts.htm
    How to download and extract the HOSTS file: http://www.mvps.org/winhelp2002/hosts2.htm
    How did that go?
    To help avoid reinfection, see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279
