spysheriff and commandservice

Daniel6

Daniel6

New member
hello!
after doing a scan with spybot 1.4 updated i found many problems that i can't
fix
commandservice
globalinterntbilling
internet sys inc
coolwwwsearch
coolwwwsearchwcadw
spydheriff
eAcceleretion

i followed the instructions of the tread 1316 and now the system is going
better but i can't connect the internet yet.internet go to about blank page
I have not done online antivirus scan.I installed avast but doesn't fuond
virus.norton av found rzspy.exe that i renamed in txt.
here are the logs HJT before and after.


Logfile of HijackThis v1.99.1
Scan saved at 22.14.37, on 17/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)



Logfile of HijackThis v1.99.1
Scan saved at 22.41.01, on 18/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\ewido anti-malware\ewidoguard.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programmi\File comuni\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Kargo] browsebar.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [borlandg] ParisM.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\progra~1\accele~1\velozd~1\asiclayer.dll' missing
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.linkautomatici.com
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.xbeta69.com
O15 - Trusted Zone: www.yeak.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{238A192D-C884-4BEA-BDD3-C12E6CD79F63}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EE3C2EE-E712-44DC-8EA6-0716A0470F03}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{96A4AF10-2A6E-4210-8902-3FA9304969D7}: NameServer = 85.255.116.84,85.255.112.191
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido anti-malware\ewidoguard.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe


I stopped the start of some programs with msconfig some of these has strange symbols in the name



here the ewido report.I started ewido scan several times and
every time founds something (Downloader.Agent.uj)



---------------------------------------------------------
ewido anti-malware - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 23.58.40, 18/01/2006
+ Report-Checksum: B84DE3FB

+ Risultati scansione:

[588] VM_034E0000 -> Downloader.Agent.uj : Errore durante la pulizia
[612] VM_00DA0000 -> Downloader.Agent.uj : Errore durante la pulizia
[1424] VM_009E0000 -> Downloader.Agent.uj : Errore durante la pulizia
[1708] VM_00990000 -> Downloader.Agent.uj : Errore durante la pulizia
[1908] VM_00BA0000 -> Downloader.Agent.uj : Errore durante la pulizia
[224] VM_009C0000 -> Downloader.Agent.uj : Errore durante la pulizia
[1080] VM_009C0000 -> Downloader.Agent.uj : Errore durante la pulizia
[1608] VM_003F0000 -> Downloader.Agent.uj : Errore durante la pulizia
[3588] VM_009C0000 -> Downloader.Agent.uj : Errore durante la pulizia
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP1\A0000082.exe -> Downloader.Agent.uj : Pulito con Backup
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP1\A0000090.exe -> Downloader.Agent.uj : Pulito con Backup


::Fine Rapporto

-- Report generated: 2006-01-17 13.56 ---

CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Local Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Local Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Start Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

eAcceleration: Program directory (Directory, fixing failed)
C:\Programmi\Acceleration Software\


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-01-16 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-13 Includes\Cookies.sbi (*)
2006-01-13 Includes\Dialer.sbi (*)
2006-01-13 Includes\Hijackers.sbi (*)
2006-01-13 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-01-13 Includes\Malware.sbi (*)
2006-01-13 Includes\PUPS.sbi (*)
2006-01-13 Includes\Revision.sbi (*)
2006-01-13 Includes\Security.sbi (*)
2006-01-13 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-13 Includes\Trojans.sbi (*)


--- Report generated: 2006-01-17 13.56 ---

CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Local Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_USERSS-1-5-21-3845519480-3465928172-1437394234-1005\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Local Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Start Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

eAcceleration: Program directory (Directory, fixing failed)
C:\Programmi\Acceleration Software\


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-01-16 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-13 Includes\Cookies.sbi (*)
2006-01-13 Includes\Dialer.sbi (*)
2006-01-13 Includes\Hijackers.sbi (*)
2006-01-13 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-01-13 Includes\Malware.sbi (*)
2006-01-13 Includes\PUPS.sbi (*)
2006-01-13 Includes\Revision.sbi (*)
2006-01-13 Includes\Security.sbi (*)
2006-01-13 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-13 Includes\Trojans.sbi (*)


--- Report generated: 2006-01-17 23.16 ---

Windows.ActiveDesktop: Impostazioni utente (Modifica al registro, fixed)
HKEY_USERS\S-1-5-21-3845519480-3465928172-1437394234-500\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1
 
Welcome Daniel6

In addremove programs is eAcceleretion there ? if so uninstall it

Go start run and type in
sc delete cmdservice
Pess enter or ok

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take
longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items(if there):
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Kargo] browsebar.exe
O4 - HKLM\..\Run: [borlandg] ParisM.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.linkautomatici.com
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.xbeta69.com
O15 - Trusted Zone: www.yeak.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{238A192D-C884-4BEA-BDD3-C12E6CD79F63}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EE3C2EE-E712-44DC-8EA6-0716A0470F03}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{96A4AF10-2A6E-4210-8902-3FA9304969D7}: NameServer = 85.255.116.84,85.255.112.191


If you see a new item that wasnt in your last log in your O4 lines in hijackthis, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
Check it as well. If your not sure, leave it and only check the ones I asked you to check
===========================================================
Click Fix Checked. Close HijackThis, and click OK to proceed.

post the contents of the fixwareout report.txt (it should open)

Since you had spyaxe fallow the instructions in this post to run smitrem and ewido while in safe mode, post the smitrem log
http://forums.spybot.info/showthread.php?t=1316
 
Hi LonnyRJonnes!



Logfile of HijackThis v1.99.1
Scan saved at 12.34.21, on 23/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\fixwareout\SUB\BFU.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\File comuni\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {8E38A1DE-F66D-A0BD-0D45-ADB0ED51C3BF} - NukeSpan.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dmciq.exe] C:\WINDOWS\system32\
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Kargo] browsebar.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\progra~1\accele~1\velozd~1\asiclayer.dll' missing
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.linkautomatici.com
O15 - Trusted Zone: www.master69.biz
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.xbeta69.com
O15 - Trusted Zone: www.yeak.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{238A192D-C884-4BEA-BDD3-C12E6CD79F63}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{8EE3C2EE-E712-44DC-8EA6-0716A0470F03}: NameServer = 85.255.116.84,85.255.112.191
O17 - HKLM\System\CCS\Services\Tcpip\..\{96A4AF10-2A6E-4210-8902-3FA9304969D7}: NameServer = 85.255.116.84,85.255.112.191
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe


fixwareout'sreport


Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSBCQ.EXE
C:\WINDOWS\SYSTEM32\DMCIQ.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool



HJT report after cleaning


Logfile of HijackThis v1.99.1
Scan saved at 12.42.07, on 23/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dmciq.exe] C:\WINDOWS\system32\
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\progra~1\accele~1\velozd~1\asiclayer.dll' missing
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe


I just followed the instructons of thread 1316.It was the first thing Idid.
I can't scan oline with antivirus because the internet connection is broken yet!
other system's problem are:
at boot up system 32 folder pops up
the cd dvd writer can not wite cd dvd

may be possible that i need to fix with LSPfix?

Happy to have heard you and thanks for your help!
excuse my bad english.
 
Hi
Delete these two files
C:\WINDOWS\SYSTEM32\CSBCQ.EXE
C:\WINDOWS\SYSTEM32\DMCIQ.EXE

Scan and fix this item with hiajckthis
O4 - HKLM\..\Run: [dmciq.exe] C:\WINDOWS\system32\


"may be possible that i need to fix with LSPfix?"

Yes, i assume you have it ?
reboot after using it
 
Hi
I started lspfix and now the internet connection is restored.
lspfix removed asiclayer.dll


In msconfig control panel program start i have stopped:
parisM
rundll32
unspypc
nopeZ
ipt
ctfmon
cmon14
and two programs written with chinese or similar characters
may be possible they appear so only in msconfig?


hjt report with these programs disabled


Logfile of HijackThis v1.99.1
Scan saved at 23.28.10, on 23/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [runload32] lpt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe



hjt log with all programs enabled


Logfile of HijackThis v1.99.1
Scan saved at 23.33.13, on 23/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F3 - REG:win.ini: load=??? ?
F3 - REG:win.ini: run=??? ?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [borlandg] ParisM.exe
O4 - HKCU\..\Run: [runload32] lpt.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Programmi\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [TemplateDongle] NopeZ.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe



have i to fix f3?
the cd dvd writer now reads but does not write yet

thank you LonnyRJones
 
Hi again

Post a report from one of these online scans
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.

Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please if there are any that it is unable to deal with.


Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
F3 - REG:win.ini: load=??? ?
F3 - REG:win.ini: run=??? ?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O4 - HKLM\..\Run: [borlandg] ParisM.exe
O4 - HKCU\..\Run: [runload32] lpt.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Programmi\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [TemplateDongle] NopeZ.exe
O4 - HKCU\..\Run: [Brong32] cmon14.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is a normal entry but should have a comma at the end, hijackthis will put it there, then subsequent logs wont show it
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

The sc writer problems are unrelated i think, try starting the uninstall of its software and use its repair option (if there is one) if that option isnt available uninstall it reboot and install again.
Keep us informed
 
Hello!
before starting online antivirus scan i installed and updated
norton antivirus then i scanned system here the reports:


Rapporto di Norton AntiVirus Quarantine
Creato il: martedì 24 gennaio 2006 20.15.57
------------------------------------------------------------------------------

Nome file
Posizione
Stato Dimensioni Nome virus
Nome utente Nome computer Dominio
Data quarantena
Data invio

------------------------------------------------------------------------------

hxdOFena.exe

Backup di un file infetto 69.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

vqIVsZf.vbs
C:\WINDOWS\bWFyY28
Backup di un rischio di protezione eliminato 472 bytes Packed.Spyware
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.24.29
Non inviato

------------------------------------------------------------------------------

rdrbs100.exe

Backup di un file infetto 48.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

Dc9.exe
C:\Recycled
Backup di un rischio di protezione eliminato 638 KB Packed.SecurityRiskOn
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.24.29
Non inviato

------------------------------------------------------------------------------

hxdef100.exe

Backup di un file infetto 69.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

Dc10.exe
C:\Recycled
In quarantena 2.00 KB Trojan Horse
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.23.49
Non inviato

------------------------------------------------------------------------------

driver/driver.sys

Backup di un file infetto 3.27 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

rzspy.txt
C:\WINDOWS\system32
In quarantena 8.13 KB Bloodhound.W32.EP
marco ACER-2BFDA75BDC WORKGROUP
sabato 21 gennaio 2006 20.00.37
Non inviato

------------------------------------------------------------------------------

bdcli100.exe

Backup di un file infetto 26.0 KB Backdoor.HackDefender
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 8.19.15
Non inviato

------------------------------------------------------------------------------


Rapporto di Norton AntiVirus Quarantine
Creato il: martedì 24 gennaio 2006 20.16.43
------------------------------------------------------------------------------

Nome file
Posizione
Stato Dimensioni Nome virus
Nome utente Nome computer Dominio
Data quarantena
Data invio

------------------------------------------------------------------------------

hxdOFena.exe

Backup di un file infetto 69.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

vqIVsZf.vbs
C:\WINDOWS\bWFyY28
Backup di un rischio di protezione eliminato 472 bytes Packed.Spyware
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.24.29
Non inviato

------------------------------------------------------------------------------

rdrbs100.exe

Backup di un file infetto 48.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

Dc9.exe
C:\Recycled
Backup di un rischio di protezione eliminato 638 KB Packed.SecurityRiskOn
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.24.29
Non inviato

------------------------------------------------------------------------------

hxdef100.exe

Backup di un file infetto 69.0 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

Dc10.exe
C:\Recycled
In quarantena 2.00 KB Trojan Horse
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 13.23.49
Non inviato

------------------------------------------------------------------------------

driver/driver.sys

Backup di un file infetto 3.27 KB Backdoor.HackDefender
SYSTEM ACER-2BFDA75BDC WORKGROUP
domenica 22 gennaio 2006 21.21.57
Non inviato

------------------------------------------------------------------------------

rzspy.txt
C:\WINDOWS\system32
In quarantena 8.13 KB Bloodhound.W32.EP
marco ACER-2BFDA75BDC WORKGROUP
sabato 21 gennaio 2006 20.00.37
Non inviato

------------------------------------------------------------------------------

bdcli100.exe

Backup di un file infetto 26.0 KB Backdoor.HackDefender
marco ACER-2BFDA75BDC WORKGROUP
martedì 24 gennaio 2006 8.19.15
Non inviato

------------------------------------------------------------------------------


kaspersky online scan report


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 24, 2006 20:12:13
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/01/2006
Kaspersky Anti-Virus database records: 172924
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 17808
Number of viruses found: 10
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 744 sec

Infected Object Name - Virus Name
C:\WINDOWS\Downloaded Program Files\AUTO_80_N.exe Infected: Trojan.Win32.Dialer.hh
C:\Documents and Settings\marco\Impostazioni locali\Temp\a.exe Infected: Trojan-Downloader.Win32.PassAlert.h
C:\Programmi\Norton AntiVirus\Quarantine\2E766530 Infected: not-a-virus:AdWare.Win32.Raze.a
C:\Programmi\Norton AntiVirus\Quarantine\3ADF57D0.exe Infected: Backdoor.Win32.HacDef.ae
C:\Programmi\Norton AntiVirus\Quarantine\3332211B.exe Infected: Backdoor.Win32.HacDef.ae
C:\Programmi\Norton AntiVirus\Quarantine\532615E5.exe Infected: Backdoor.Win32.HacDef.084
C:\Programmi\Norton AntiVirus\Quarantine\3ADF57D0.sys Infected: Backdoor.Win32.HacDef.073.b
C:\Programmi\Norton AntiVirus\Quarantine\000E6962 Infected: Backdoor.Win32.HacDef.084
C:\Programmi\Norton AntiVirus\Quarantine\69297CDD Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP1\A0000117.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP2\A0000130.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP2\A0000784.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP2\A0001784.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP2\A0001792.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001926.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001932.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001939.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001946.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001953.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001961.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001968.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP3\A0001975.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0001985.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0001993.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002000.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002005.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002011.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002018.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002037.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002044.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP4\A0002051.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP5\A0002073.exe Infected: Trojan-Downloader.Win32.Agent.uj
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP5\A0002074.exe Infected: Trojan.Win32.Small.fb
C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe Infected: Trojan.Win32.Qhost.df
C:\Recycled\Dc8.exe Infected: Trojan.Win32.Favadd.an

Scan process completed.

I have only done this today,i'll try to fix with HJT the things you told me later.


thank you LonnyRJones!
 
Hello
I fixed the items you told me with HJT.
here a fresh report


C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\File comuni\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Thanks LonnyRJones!
 
Hi

Any popups, redirects or problems now ?

Run hijackthis click config misc tools > delete a file on reboot
copy then paste this line into the file name box,
C:\WINDOWS\Downloaded Program Files\AUTO_80_N.exe
click open, then let Hijackthis restart the pc
 
Hello!
I deleted this file with HJT

C:\WINDOWS\Downloaded Program Files\AUTO_80_N.exe

Was the same thing delete that file in f8/prompt mode?

C:\eacceleration_install.exe is ok?

now the system looks ok, no popups no redirects.
Only cd dvd writer read and write dvd but read and not write cd!
I updated cd dvd maker and i installed a new burning program too,but
the error is the same :power calibration area error
I am going to think at an hardware problem!


thank you LonnyRJones
 
Hi

Delete the eacceleration file

i suggest running sysclean in safe mode since HackDefender was found
Sysclean a standalone scanner
Make a new folder called C:\Sysclean
Download Sysclean from http://www.trendmicro.com/download/dcs.asp
Click the sysclean.txt link to learn how to use it. Download the latest pattern file : http://www.trendmicro.com/download/pattern.asp
lpt(xxxx).zip (AS/400, S/390, Windows)
Unzip it to the Sysclean folder.
Boot to Safe Mode. Scan the system with Sysclean. It will take awhile but
it is very thorough. When it's done, close Sysclean. restart back to a normal session.



If your system is problem free and stable after a week or so >
Purge the old System Restore points
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Dont skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
 
Hello

Scanned system in safe mode with trend micro sysclean
Here the report



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2006-01-30, 23:23:08, Auto-clean mode specified.
2006-01-30, 23:23:08, Running scanner "C:\sysclean\TSC.BIN"...
2006-01-30, 23:24:10, Scanner "C:\sysclean\TSC.BIN" has finished running.
2006-01-30, 23:24:10, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : lun gen 30 2006 23:23:09

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 700) [success]

Complete time : lun gen 30 2006 23:24:10
Execute pattern count(4688), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Accesso negato.
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Accesso negato.
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Accesso negato.
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Accesso negato.
2006-01-30, 23:26:49, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\DEFAULT": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SOFTWARE": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SYSTEM": Accesso negato.
2006-01-30, 23:26:50, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Accesso negato.
2006-01-30, 23:34:11, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Accesso negato.
2006-01-30, 23:34:11, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Accesso negato.
2006-01-30, 23:34:12, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG": Accesso negato.
2006-01-30, 23:34:12, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat": Accesso negato.
2006-01-30, 23:58:43, An error occurred while scanning file "C:\Documents and Settings\Administrator\NTUSER.DAT": Accesso negato.
2006-01-30, 23:58:43, An error occurred while scanning file "C:\Documents and Settings\Administrator\ntuser.dat.LOG": Accesso negato.
2006-01-30, 23:58:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG": Accesso negato.
2006-01-30, 23:58:44, An error occurred while scanning file "C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat": Accesso negato.
2006-01-31, 00:14:07, Running scanner "C:\sysclean\VSCANTM.BIN"...
2006-01-31, 00:24:47, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:14:08
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe [TROJ_TINY.AF]
19324 files have been read.
19324 files have been checked.
16518 files have been scanned.
21283 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:47
---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:47, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:14:08
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

Success Clean [ TROJ_TINY.AF]( 1) from C:\System Volume Information\_restore{4590D3B6-A4F8-4C24-A77F-7807049BE777}\RP7\A0002327.exe
19324 files have been read.
19324 files have been checked.
16518 files have been scanned.
21283 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:47 10 minutes 34 seconds (633.63 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:47, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:14:08
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

19324 files have been read.
19324 files have been checked.
16518 files have been scanned.
21283 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:47 10 minutes 34 seconds (633.63 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:47, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
2006-01-31, 00:24:47, Running scanner "C:\sysclean\VSCANTM.BIN"...
2006-01-31, 00:24:52, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:24:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

21 files have been read.
21 files have been checked.
21 files have been scanned.
21 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:52
---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:52, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:24:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

21 files have been read.
21 files have been checked.
21 files have been scanned.
21 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:52 0.05 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:52, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/31/2006 00:24:47
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 183 (121065 Patterns) (2006/01/29) (318300)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

21 files have been read.
21 files have been checked.
21 files have been scanned.
21 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/31/2006 00:24:52 0.05 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-01-31, 00:24:52, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.


Thanks LonnyRJones!
 
Hi
Looks good,
Purge the old System Restore points
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Dont skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.


Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
How did that go ?
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
 
Hello again!

I did all the work you said to me.
After dowloading hosts file I copied it here:
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC

but here i had not hosts file
I had NOHOSTS:
127.0.0.1 localhost

127.0.0.1 localhost


have i to rename NOHOSTS?

System is going oK!
Thank you LonnyRJones
 
Running the bat included in the zip will put the hosts file in the correct folder

As the problems appear to be resolved, this topic will now be closed and archived. If a problem related to malware, spyware or adware returns and you need this topic re-opened, please send a PM message to me or Tashi.

Regards
Lonny
 
You must log in or register to reply here.
Back
Top