Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

roro53

15 Posts

1389

April 21st, 2007 15:00

Drive cleaner popups

Hello

 

I am getting randomly undesired pop-ups with messages that my computer is infected and take me to a site called Drive Cleaner, which suppose to be the solution.  I have been checking up and it seems that it is a spyware program.  It is driving me craze please help me to remove it.

I have downloaded HijackThis and created the log file written bellow.

 

Thanks

 

Logfile of HijackThis v1.99.1
Scan saved at 17:30:18, on 21/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\clcl4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
C:\Arquivos de programas\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp9.tmp.dll
O2 - BHO: (no name) - {1c260af4-c140-4c8a-a75d-1fbbd2f0c215} - C:\WINDOWS\system32\authu1.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl4] C:\WINDOWS\system32\clcl4.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iiihhi.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DVDXGhost] C:\Arquivos de programas\DVD X Studios\DVD X Utilities 1.5\DVDGhost\DVDGhost.exe
O4 - HKCU\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13bad201d65e2c621015/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131870260913
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: authu1 - C:\WINDOWS\SYSTEM32\authu1.dll
O20 - Winlogon Notify: dvd4free - dvd4free.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe

 

bamajim

10.4K Posts

April 24th, 2007 00:00


roro53

That's quite an infection you have there it will take a couple of runs at this to completely remove it so please be patient

1. Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

bamajim   Graduate of MRU
 
CastleCops  Instructor

roro53

15 Posts

April 24th, 2007 17:00

Thank you very much for your help.  I hope can get ride of this exasperating virus.  I followed your instructions and here I paste the contents of Vundofix.txt and new HiJackThis log.  I will be waiting for your next instructions. 
Regards,
 

VundoFix V6.3.19
Checking Java version...
Sun Java not detected
Scan started at 08:15:21 22/4/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.3.20
Checking Java version...
Sun Java not detected
Scan started at 20:02:53 24/4/2007
Listing files found while scanning....
C:\WINDOWS\system32\tmp4E9.tmp.dll
Beginning removal...
 Attempting to delete C:\WINDOWS\system32\tmp4E9.tmp.dll
C:\WINDOWS\system32\tmp4E9.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
 
Logfile of HijackThis v1.99.1
Scan saved at 20:43:00, on 24/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\clcl6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp9.tmp.dll
O2 - BHO: (no name) - {1c260af4-c140-4c8a-a75d-1fbbd2f0c215} - C:\WINDOWS\system32\authu1.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iiihhi.dll",realset
O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\system32\clcl6.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DVDXGhost] C:\Arquivos de programas\DVD X Studios\DVD X Utilities 1.5\DVDGhost\DVDGhost.exe
O4 - HKCU\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13bad201d65e2c621015/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131870260913
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: authu1 - C:\WINDOWS\SYSTEM32\authu1.dll
O20 - Winlogon Notify: dvd4free - dvd4free.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
 

bamajim

10.4K Posts

April 24th, 2007 18:00

roro53

You are most welcome

1. I need you to help us out with some research

Please go HERE

Put Your Name, and Dell HJT forum

and In the file to submit box, click Browse. Using Windows Explorer
  • (Right click on "Start," select "Explore," and you will see the "tree' of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate the file
  • C:\WINDOWS\system32\authu1.dll

In the comments tell them that I asked you to upload the file
Then Select Send File.

2. We are going to run Vundofix again, but change the instructions slightly
Run VundoFix again
  • At the Main window Rt Click in the Open Box and Select Add Files
    A second window will open
    Copy and paste the following into the first 2 lines

    • C:\WINDOWS\system32\authu1.dll
      C:\WINDOWS\system32\1uhtua.*
      C:\WINDOWS\system32\tmp9.tmp.dll
      C:\WINDOWS\system32\pmt.9pmt.*

    Select Add Files ->> Repeat untill they are all loaded Then Close Window
  • Click the Remove Vundo button. Do not click the Scan for Vundo
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Your reply should include
  • Your C:\Vundofix.txt
    A fresh Hijackthis log
    bamajim   Graduate of MRU
    CastleCops  Instructor

    roro53

    15 Posts

    April 24th, 2007 19:00

    Thank you again.  I did what you requested.  Bellow are the contents of the files.  I runned Vundo twice because it appear that two of the files were not in the list of removed ones.
     

    VundoFix V6.3.19
    Checking Java version...
    Sun Java not detected
    Scan started at 08:15:21 22/4/2007
    Listing files found while scanning....
    No infected files were found.

    VundoFix V6.3.20
    Checking Java version...
    Sun Java not detected
    Scan started at 20:02:53 24/4/2007
    Listing files found while scanning....
    C:\WINDOWS\system32\tmp4E9.tmp.dll
    Beginning removal...
     Attempting to delete C:\WINDOWS\system32\tmp4E9.tmp.dll
    C:\WINDOWS\system32\tmp4E9.tmp.dll Has been deleted!
    Performing Repairs to the registry.
    Done!
    VundoFix V6.3.20
    Checking Java version...
    Sun Java not detected
    Scan started at 22:06:53 24/4/2007
    Listing files found while scanning....

    Beginning removal...
     Attempting to delete C:\WINDOWS\system32\authu1.dll
    C:\WINDOWS\system32\authu1.dll Has been deleted!
     Attempting to delete C:\WINDOWS\system32\tmp9.tmp.dll
    C:\WINDOWS\system32\tmp9.tmp.dll Has been deleted!
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Performing Repairs to the registry.
    Done!
     
    Logfile of HijackThis v1.99.1
    Scan saved at 22:30:45, on 24/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\system32\clcl6.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\arquivos de programas\internet explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Arquivos de programas\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Arquivos de programas\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp9.tmp.dll (file missing)
    O2 - BHO: (no name) - {1c260af4-c140-4c8a-a75d-1fbbd2f0c215} - C:\WINDOWS\system32\authu1.dll (file missing)
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iiihhi.dll",realset
    O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\system32\clcl6.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DVDXGhost] C:\Arquivos de programas\DVD X Studios\DVD X Utilities 1.5\DVDGhost\DVDGhost.exe
    O4 - HKCU\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13bad201d65e2c621015/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131870260913
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O20 - AppInit_DLLs: 
    O20 - Winlogon Notify: dvd4free - dvd4free.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
     

    bamajim

    10.4K Posts

    April 24th, 2007 20:00

    roro53

    Thanks for uploading the file

    Looking Better

    1. Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
    bamajim   Graduate of MRU
    CastleCops Instructor
     

    roro53

    15 Posts

    April 25th, 2007 04:00

    Done.  The reports are bellow.
     

    SDFix: Version 1.79
    Run by Roberto - qua 25/04/2007 -  6:47:23,46
    Microsoft Windows XP [versÆo 5.1.2600]
    Running From: C:\SDFix
    Safe Mode:
    Checking Services:
     
     

    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...
    Normal Mode:
    Checking Files:
    Below files will be copied to Backups folder then removed:
    C:\DOCUME~1\Roberto\CONFIG~1\Temp\tmp8.tmp.exe - Deleted
    C:\DOCUME~1\Roberto\CONFIG~1\Temp\tmp9.tmp.exe - Deleted
    C:\DOCUME~1\Roberto\CONFIG~1\Temp\tmpA.tmp.exe - Deleted
    C:\DOCUME~1\Roberto\CONFIG~1\Temp\abc123.pid - Deleted
    C:\WINDOWS\system32\svehost.exe - Deleted
    C:\WINDOWS\system32\zlbw.dll - Deleted
     
    Removing Temp Files
    ADS Check:
    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.
    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.
     
                                     Final Check:
    Remaining Services:
    ------------------
     
    Authorized Application Key Export:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    " \\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:explorer"

    Remaining Files:
    ---------------
    Backups Folder: - C:\SDFix\backups\backups.zip
    Checking For Files with Hidden Attributes:
    C:\Arquivos de programas\Arquivos comuns\Adobe\ESD\DLMCleanup.exe
    C:\Documents and Settings\Roberto\Dados de aplicativos\Microsoft\Word\~WRL3786.tmp
    C:\Documents and Settings\Roberto\Meus documentos\Jacqueline\FormulariosEscuelaDodo\~WRL0350.tmp
                                     Finished
     
     
    Logfile of HijackThis v1.99.1
    Scan saved at 07:09:46, on 25/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\clcl6.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Arquivos de programas\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Arquivos de programas\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp9.tmp.dll (file missing)
    O2 - BHO: (no name) - {1c260af4-c140-4c8a-a75d-1fbbd2f0c215} - C:\WINDOWS\system32\authu1.dll (file missing)
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iiihhi.dll",realset
    O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\system32\clcl6.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DVDXGhost] C:\Arquivos de programas\DVD X Studios\DVD X Utilities 1.5\DVDGhost\DVDGhost.exe
    O4 - HKCU\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13bad201d65e2c621015/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131870260913
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O20 - AppInit_DLLs: 
    O20 - Winlogon Notify: dvd4free - dvd4free.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
     

    bamajim

    10.4K Posts

    April 25th, 2007 13:00

    roro53

    Looking better

    1. Please download the Killbox.
    • 1)Save it to the desktop and run it.
      2) Select " Delete on Reboot", and then select "All files".
      3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

      • C:\WINDOWS\system32\lsasss.exe
        C:\WINDOWS\iiihhi.dll
        C:\WINDOWS\system32\clcl6.exe

      4) Return to Killbox, go to the File menu, and choose " Paste from Clipboard".
      5) Click the red-and-white " Delete File" button.  Click " Yes" at the Delete on Reboot prompt.  Click " No" at the Pending Operations prompt.

    2. Rerun Hijackthis (scan only) and place checks beside the following entries
    • O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp9.tmp.dll (file missing)
      O2 - BHO: (no name) - {1c260af4-c140-4c8a-a75d-1fbbd2f0c215} - C:\WINDOWS\system32\authu1.dll (file missing)
      O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
      O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\iiihhi.dll",realset
      O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\system32\clcl6.exe

    Close all other open windows except Hijackthis and Select " Fix checked"

    Reboot your PC->>Rerun Hijackthis and post a fresh Hijackthis log
     
    bamajim   Graduate of MRU
    CastleCops  Instructor


    roro53

    15 Posts

    April 25th, 2007 16:00

    Sorry if you receive this twice.  I am writing it again because I am not able see the replay posted in the forum site. 
    I cannot download the Killbox.  When I follow the link you gave me it comes this message:
     
    Not Found
    The requested document was not found on this server.
     
    What can I do?

    bamajim

    10.4K Posts

    April 25th, 2007 16:00

    roro53

    Appologies,they changed the download link

    1. Please download the Killbox.
    • 1)Save it to the desktop
      2) Rt Click->>Extract all->.Extract it to your Desktop
      3) Double Click Killbox.exe to run it
      4)Select " Delete on Reboot", and then select "All files".
      5) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

      • C:\WINDOWS\system32\lsasss.exe
        C:\WINDOWS\iiihhi.dll
        C:\WINDOWS\system32\clcl6.exe

      6) Return to Killbox, go to the File menu, and choose " Paste from Clipboard".
      7) Click the red-and-white " Delete File" button.  Click " Yes" at the Delete on Reboot prompt.  Click " No" at the Pending Operations prompt.
    bamajim   Graduate of MRU
    CastleCops Instructor


    Message Edited by bamajim on 04-25-2007 01:02 PM

    roro53

    15 Posts

    April 25th, 2007 17:00

    Done.  The log file is bellow.

    I have one more question; now when the computer turns on, it comes a message in the lower left end of the screen saying:

    The computer may be on risk:

     Automatic updates are not turned-n

    Norton Antivirus Is turned-on

    Also something about firewall

    I did not have those messages before.  Should I do something about it?
     
     
    Logfile of HijackThis v1.99.1
    Scan saved at 20:27:44, on 25/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
    C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Arquivos de programas\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Arquivos de programas\Microsoft Office\Office\WINWORD.EXE
    C:\Arquivos de programas\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DVDXGhost] C:\Arquivos de programas\DVD X Studios\DVD X Utilities 1.5\DVDGhost\DVDGhost.exe
    O4 - HKCU\..\Run: [multitran] C:\WINDOWS\System32\multitran.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13bad201d65e2c621015/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131870260913
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O20 - AppInit_DLLs: 
    O20 - Winlogon Notify: dvd4free - dvd4free.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
     

    roro53

    15 Posts

    April 25th, 2007 18:00

    When I Double Click Windows Firewall a Window open with this message:

    Due to an unidentified problem, Windows cannot show the Windows Firewall configurations

    After the reboot of the computer the “Automatic Updates” message disappear but the Norton and Firewall messages are still there.

    bamajim

    10.4K Posts

    April 25th, 2007 18:00

    roro53

    Some Malware/Spyware disables these features to protect itself. We will correc those now.

    1. Click Start->> Control Panel
    • In the left pane Select " Switch to Classic View"
      In the Rt pane Double Click Windows Firewall
      Another Window will open.
      Under the General Tab make sure the On (recommended) radio button is checked->>Select O.K.
      Close That Window

    2.Then From Control Panel Select System->>
    • Another Window will open.
      Under the " Automatic Updates" tab
      make sure the " Automatic" (recommended) radio button is checked->> Apply->> O.K.

    • Close the windows->>Reboot your PC. See if that resolves the warning issue. Then reply with the results
        bamajim   Graduate of MRU
        CastleCops  Instructor




        bamajim

        10.4K Posts

        April 25th, 2007 20:00

        roro53

        Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

        • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

          • On the Left side of the window Select None for all categories
            On the Rt lower side
            Uncheck Non-Microsoft Only
            Place checks in the 2 boxes from the scroll down widow
            Reg-Policy Settings and Reg-Security Settings

        • Now click the Run Scan button on the toolbar.
        • When the scan is complete Notepad will open with the report file loaded in it.
        • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

        Use the Add Reply button and Copy/Paste the information back here as a reply to this thread
         
        bamajim   Graduate of MRU
        CastleCops  Instructor




        roro53

        15 Posts

        April 26th, 2007 15:00

        Hello Bamajim,
        The information you asked for is pasted bellow.
         
        WinPFind3 logfile created on: 26/4/2007 18:12:44
        WinPFind3U by OldTimer - Version 1.0.34 Folder = C:\Documents and Settings\Roberto\Desktop\WinPFind3u\
        Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
        Internet Explorer (Version = 6.0.2900.2180)
         
        383,47 Mb Total Physical Memory | 124,73 Mb Available Physical Memory | 32,53% Memory free
        922,29 Mb Paging File | 717,58 Mb Available in Paging File | 77,80% Paging File free
        Paging file location(s): C:\pagefile.sys 576 1152;
         
        %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
        Drive C: | 14,65 Gb Total Space | 0,91 Gb Free Space | 6,22% Space Free
        Drive D: | 13,30 Gb Total Space | 4,36 Gb Free Space | 32,82% Space Free
        Drive E: | 654,81 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free
        Drive F: | 976,13 Mb Total Space | 8,02 Mb Free Space | 0,82% Space Free
        Computer Name: ROBERTO-DXZX8DN
        Current User Name: Roberto
        Logged in as Administrator.
        Current Boot Mode: Normal

        [Registry - Additional Scans - All]
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
        < Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoChangingWallpaper -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoComponents -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoAddingComponents -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoDeletingComponents -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoEditingComponents -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\\NoHTMLWallPaper -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ClassicShell -> 0 ->
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
        HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer not found. ->  ->
        < Security Settings > ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring -> 1 ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ ->  ->
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Type -> 32 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Start -> 3 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ErrorControl -> 1 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ImagePath -> %SystemRoot%\System32\svchost.exe -k netsvcs ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DisplayName -> Serviço de transferência inteligente de plano de fundo ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnService -> Rpcss; ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnGroup ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ObjectName -> LocalSystem ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Description -> Transfere arquivos em segundo plano usando largura de banda de rede ociosa. Se o serviço for parado, recursos como o Windows Update e o MSN Explorer não poderão fazer o download automático de programas e outras informações. Se este serviço for desativado, os serviços que dependerem dele explicitamente talvez não transfiram arquivos, se não tiverem um mecanismo seguro para transferir arquivos diretamente pelo IE, caso o BITS tenha sido desativado. ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\FailureActions ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\\ServiceDll -> C:\WINDOWS\System32\qmgr.dll ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\\Security ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\0 -> Root\LEGACY_BITS\0000 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\Count -> 1 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\NextInstance -> 1 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Firewall do Windows/Compartilhamento de Conexão com a Internet (ICS) ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 0 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\\??\C:\WINDOWS\system32\winlogon.exe -> \??\C:\WINDOWS\system32\winlogon.exe:*:Enabled:explorer ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %systemroot%\system32\svchost.exe -k netsvcs ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Atualizações Automáticas ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Ativa o download e instalação das atualizações do Windows. Se este serviço for desabilitado, o computador não será capaz de usar o recurso de Atualizações Automáticas nem o site do Windows Update na web. ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\System32\wuauserv.dll ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ ->  ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->
        < End of report >

        bamajim

        10.4K Posts

        April 27th, 2007 18:00

        roro53

        Sorry for the delay, I had to check some settings

        1. Open Notepad (Not Wordpad)
        Select Edit and uncheck Wordwrap
        Copy and paste the following into Notepad
        (Making sure there is no space between the top of the window and the first line)


        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
        "EnableFirewall"=dword:00000001
        "DoNotAllowExceptions"=dword:00000000

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
        "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
        After you copy and paste it your cursor should be at the end of the first line
        Hit Enter so your cursor is under the last line
        • Click File->> Save as->>type in fix.reg->>
          Under " Save as type" Select " All Files"->> save it to your Desktop
          Close Notepad

        The fix.reg file should now appear on your Desktop

        Rt Click and Select merge->>If prompted to Merge this Select Yes (it will appear that nothing has happened but that's o.k.)

        2. Then Click Start->>Control Panel->>Windows Firewall and see If the window opens
         
        bamajim   Graduate of MRU
        CastleCops  Instructor

        Was this post helpful?

        View All

        0 events found

        No Events found!

        Top