Programs close immediately
|
Original Message
|
Name: pepo1979
Date: March 26, 2006 at 05:54:38 Pacific
Subject: Programs close immediately
OS: WIN XP SP2
CPU/Ram: Athlon 1.8
Manufacturer/Model: AMD
Comment: I detected the java_bytever.a with an online virus check (housecall), and deleted it. But cannot install a new antivirus program and any program I want to open closes immediately. What's the problem? THANKS! Thanks for your support.
|
|
Response Number 1
|
Name: jabuck
Date: March 26, 2006 at 06:41:25 Pacific
|
Reply: Try this first: http://support.microsoft.com/?kbid=811151 If that does not help, if you can, please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made and not clutter your desktop or other folders, and the backup copies of deleted items can be easily located if needed. Once saved, double click HijackThis.exe and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum. Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
|
|
Response Number 2
|
Name: savo (by sradevic)
Date: March 26, 2006 at 06:43:43 Pacific
|
Reply: Hello, can you run
1) Go to start -> run and type: iexplore http://securityresponse.symantec.com/avcenter/UnHookExec.inf Try and download on your desktop that file (UnHookExec.inf)
2) Locate the file on desktop.
3) Right-click on UnHookExec.inf and click Install
I hope that solves the running of programs, so we can go on.
|
|
Response Number 5
|
Name: jabuck
Date: March 26, 2006 at 07:57:26 Pacific
|
Reply: Did you try the user profile fix? If you did and had no success, try this online scan from Panda. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.
|
|
Response Number 7
|
Name: pepo1979
Date: March 26, 2006 at 10:38:37 Pacific
|
Reply: Now the computer allows me to run some programs. So, I've installed Trend Micro PC-cillin 2005. Is it good? So thanks a lot for your cooperation. THANKS!!!! Thanks for your support.
|
|
Response Number 8
|
Name: jabuck
Date: March 26, 2006 at 10:53:59 Pacific
|
Reply: Yes, Trend Micro is good, be sure to update it. It would be good for your computer to install a free anti-spyware program such as "spywareblaster". Another good free antivirus is "AVG". You might also want to post your HT log so we can try to get your computer cleaned. It probably has other baddies if you ran it online without an antivirus.
|
|
Response Number 9
|
Name: pepo1979
Date: March 26, 2006 at 11:18:36 Pacific
|
Reply: Okay, here goes. THANKS! Thanks for your support.
|
|
Response Number 10
|
Name: pepo1979
Date: March 26, 2006 at 12:21:21 Pacific
|
Reply: Again programs shut down automatically. Also two strange exe appear in task manager: m17988.exe and qm17988.exe helpppp Thanks for your support.
|
|
Response Number 11
|
Name: pepo1979
Date: March 26, 2006 at 12:30:37 Pacific
|
Reply: WOW, look at this: I could do a quick (instead the program shut down automatically) and could save the log file. look!!!!! Thanks for your support.
|
|
Response Number 12
|
Name: jabuck
Date: March 26, 2006 at 12:34:01 Pacific
|
Reply: Download killbox from this link: Killbox. We will run it in safe mode later.
Please download http://www.atribune.org/content/view/19/2/ by Atribune. We will run it in safe mode later also.
Reboot into safe mode by following these directions if you need them: How to Boot into Safe Mode
From safe mode run HT again, close any browsers or windows that you have open except for HT. Place a check to the left of the following items and press "fix checked":
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4127027.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6127022.exe
O4 - HKLM\..\Run: [A1878r] "C:\WINDOWS\j6127022.exe"
O4 - HKCU\..\Run: [f5919Jua] "C:\WINDOWS\system32\s13737\zh593600084y.exe"
O8 - Extra context menu item: &Search - http://kz.bar.need2find.com/KZ/menusearch.html?p=KZ
Run Killbox from safe mode. Double-click on Killbox.exe to run it. Put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.
C:\WINDOWS\o4127027.exe
C:\WINDOWS\j6127022.exe
Click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok. Navigate to and delete this folder if found:
C:\WINDOWS\system32\s13737
From safe mode run ATF_Cleaner. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button. Please post a new HT log. Can you verify that you have this proxy set up on your computer:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 322144:3422
|
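Added example (not part of the thread and not any poster's tooling): a small Python triage pass over a HijackThis log that picks out the kinds of entries response 12 selects for fixing, plus loopback Hosts redirects, a disabled Registry Editor policy and core system process names running from outside System32. The sample log is constructed for this example and modelled on entries posted in the thread; the rule names, the random-name pattern and the default `C:\WINDOWS\system32` path are assumptions of the example.

```python
import ipaddress
import ntpath
import re

# Constructed sample, modelled on entries posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\s13737\winlogon.exe
C:\WINDOWS\system32\s13737\lsass.exe
C:\WINDOWS\Explorer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 322144:3422
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4127027.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6127022.exe
O1 - Hosts: 127.0.0.22 www.symantec.com
O1 - Hosts: 127.0.0.22 kaspersky.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [A1878r] "C:\WINDOWS\j6127022.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [f5919Jua] "C:\WINDOWS\system32\s13737\zh593600084y.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

ENTRY = re.compile(r"^([RFO]\d{1,2}) - (.*)$")       # "O4 - ..." style log entries
SYSTEM32 = r"c:\windows\system32"                    # assumption: default XP layout
CORE_PROCS = {"smss.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "svchost.exe"}
# Heuristic (assumption): one or two letters followed by a long run of digits.
RANDOM_EXE = re.compile(r"^[a-z]{1,2}\d{5,}[a-z0-9]*\.exe$", re.I)


def check_process(path):
    """Flag a core system process name running from outside System32."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name in CORE_PROCS and folder != SYSTEM32:
        return "system-name-outside-system32"
    return None


def check_entry(code, body):
    """Return a rule name if a single log entry looks suspicious, else None."""
    if code == "R1" and "ProxyServer" in body:
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        return "proxy-configured" if value else None   # confirm with the user
    if code == "F2":
        m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", body, re.I)
        if not m:
            return None
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "shell":
            return "shell-hijack" if value.lower() != "explorer.exe" else None
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        return None if parts == [SYSTEM32 + r"\userinit.exe"] else "userinit-hijack"
    if code == "O1":
        m = re.match(r"Hosts: (\S+)\s+(\S+)", body)
        if not m:
            return None
        try:
            loopback = ipaddress.ip_address(m.group(1)).is_loopback
        except ValueError:
            return None
        if loopback and m.group(2).lower() != "localhost":
            return "hosts-loopback-redirect"
        return None
    if code == "O4":
        m = re.search(r'\] "?(.+?\.exe)', body, re.I)   # command after [name]
        if m and RANDOM_EXE.match(ntpath.basename(m.group(1))):
            return "random-named-autorun"
        return None
    if code == "O7" and re.search(r"DisableRegedit\s*=\s*1", body):
        return "regedit-disabled"
    return None


def triage(log_text):
    """Return (rule, line) pairs for every suspicious line in the log."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            rule = check_entry(m.group(1), m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs, rule = True, None
        else:
            rule = check_process(line) if in_procs else None
        if rule:
            findings.append((rule, line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:30} {line}")
```

A hit is a prompt for review, not a verdict: the proxy rule in particular only says that a value is set, which is why the helper asks the user to confirm it.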
|
Response Number 13
|
Name: pepo1979
Date: March 26, 2006 at 13:07:06 Pacific
|
Reply: Do you have MSN? I will appreciate it if you have time to help me... mine is aronmilanesio hot.... Thanks for your support.
|
|
Response Number 15
|
Name: jabuck
Date: March 26, 2006 at 13:27:51 Pacific
|
Reply: Go through the procedure again in response 6, then do response 12 immediately, then post a new HT log and we will clean up the host files.
|
|
Response Number 17
|
Name: pepo1979
Date: March 26, 2006 at 13:35:21 Pacific
|
Reply: I found the j6127022.exe in STARTUP in msconfig and unchecked it, but when I restart, it is checked again! Also another: zh593600084y Thanks for your support.
|
|
Response Number 18
|
Name: jabuck
Date: March 26, 2006 at 13:53:23 Pacific
|
Reply: Try this: In safe mode go to start>run>type "attrib -h -s -r -a c:\windows\system32\s13737 /s" without the quotes then click ok (there is a space after attrib,-h,-s,-r,-a,s13737) Then in run type "deltree c:\windows\system32\s13737" without the quotes then click ok ( there is a space after deltree).
|
|
Response Number 20
|
Name: jabuck
Date: March 26, 2006 at 14:13:37 Pacific
|
Reply: It is dangerous to communicate with email while you are infected. If there is anything you want to post privately, click "private messages" at the bottom right of one of my posts. We want the fixes posted on the forum though.
|
|
Response Number 21
|
Name: pepo1979
Date: March 26, 2006 at 14:19:38 Pacific
|
Reply: OK... but I have another PC right here, where I'm reading the forum. But, don't problem. Which else can do! Tomorrow have to work!! Thanks a lot!!!!! Thanks for your support.
|
|
Response Number 22
|
Name: jabuck
Date: March 26, 2006 at 14:43:57 Pacific
|
Reply: Reboot the infected computer into safe mode. Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok. Navigate to and delete this folder if found: c:\windows\system32\s13737
|
|
Response Number 24
|
Name: jabuck
Date: March 26, 2006 at 15:05:40 Pacific
|
Reply: In safe mode do a manual search for s13737 and see if it turns up. Then search for and delete these if found:
C:\WINDOWS\j6127022.exe
C:\WINDOWS\o4127027.exe
|
|
Response Number 25
|
Name: pepo1979
Date: March 26, 2006 at 15:11:19 Pacific
|
Reply: Well.. I used killbox QUICKLY and deleted both files. Then I searched for it and it was not found, but programs continue to shut down immediately... Thanks for your support.
|
|
Response Number 26
|
Name: jabuck
Date: March 26, 2006 at 15:28:40 Pacific
|
Reply: Navigate to C:\windows\system32 then on the right side of the screen click "date modified" then make a list of the ones modified today, 03/26/2006, and post them. Don't try to delete them.
|
|
Response Number 28
|
Name: pepo1979
Date: March 26, 2006 at 15:39:00 Pacific
|
Reply: The virus is W32/Rontokbro.U@MM I THINK! Take a look on the internet. Also I have the BACA BRO!!.TXT!! in c:/
Thanks for your support.
|
|
Response Number 30
|
Name: pepo1979
Date: March 26, 2006 at 15:50:14 Pacific
|
Reply: folders: ju36948, In15366, Ad20712
files: j61227022.exe (with an icon like a folder), o4127027.exe (the same), _default12702 (without extension, with an icon like MS DOS command line)
Another suspicious one is Lic.xxx Thanks for your support.
|
|
Response Number 31
|
Name: pepo1979
Date: March 26, 2006 at 15:51:19 Pacific
|
Reply: If I delete it they copy again and hide the extensions automatically. The virus is still in memory. Thanks for your support.
|
|
Response Number 32
|
Name: jabuck
Date: March 26, 2006 at 16:03:12 Pacific
|
Reply: Do you have a proxy set up on the computer? R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 322144:3422
|
|
Response Number 35
|
Name: pepo1979
Date: March 26, 2006 at 16:26:25 Pacific
|
Reply: jabuck, I'm downloading it, but I don't know if I could run it, remember that all programs shut down... but let me see. I can't remember the procedure!! I've done a lot of things!!!! Thanks for your support.
|
|
Response Number 37
|
Name: jabuck
Date: March 26, 2006 at 16:49:21 Pacific
|
Reply: Navigate to c:\windows\system32 on the infected computer and look for "rundll32.exe". If it is missing, download it from this link to the infected computer http://www.spywareinfo.com/~merijn/winfiles.html and put a copy in the recycle bin (it's protected) and put a copy in c:\windows\system32. See if the programs will run. If so, install pctools av.
|
|
Response Number 38
|
Name: pepo1979
Date: March 26, 2006 at 16:58:54 Pacific
|
Reply: No, if you read the specifications of the virus found, it says that it doesn't allow any program with some words like "microsoft, virus, malware" etc. to run.... Thanks for your support.
|

|
|

|