TechSpot

any problem with this HJT report?

By bryan2k5
Jul 9, 2005
Topic Status:
Not open for further replies.
  1. I was just wondering if there was anything I needed to fix with this?

    I've also recently been getting an error saying that C:\WINDOWS\system32\fservice.exe cannot be found. Any idea on how I can get that file back?

    Thank you.
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    You don't want the Trojan fservice.exe back!

    Boot in Safe Mode.
    Switch System Restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

    fservice.exe
    zee.exe
    ?ttrib.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
    O4 - HKLM\..\Run: [Anti] C:\zee.exe
    O4 - HKCU\..\Run: [Zedyojuq] C:\WINDOWS\system32\?ttrib.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Get deletefxpfiles here http://www.deletefxpfiles.com/index2.html to get rid of ?ttrib.exe if you can't delete it normally.

    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normally. When all OK, switch System Restore back on.
  3. bryan2k5

    bryan2k5 TS Rookie Topic Starter

    Wow, I used to have the problem of not being able to access my Windows firewall but now I'm able to and it's working again. I'm not sure how I got rid of that services file though. I purchased spy doctor and ran a scan with that and fixed a bunch of files it found. Then I rebooted and my firewall was still inactive. A day later I checked and my firewall was actually working. :)

    Ok, I'll do what you suggested and see what happens. I understand that I don't want that file back but is there a way to keep that error message from popping up? Or will your method do that for me?

    Thanks again!
  4. bryan2k5

    bryan2k5 TS Rookie Topic Starter

    OK, I did what you suggested but I had some good and bad things that happened.

    I stopped getting that error message that was popping up, which is great. The bad thing is that I couldn't connect to the internet anymore. Nothing worked, I even tried making a new connection but it still didn't help.

    So I restored all the items that I deleted from HJT and I'm back to square 1. Maybe there's something you told me to fix that I shouldn't be? I have no idea.
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Repeat the previous procedure, with the exception of these:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1

    That should do it.
  6. bryan2k5

    bryan2k5 TS Rookie Topic Starter

    Thank you. I'm now not getting that error message and my internet is fine this time.

    Thanks for your help.
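The triage worked out across this thread, as an added example that is not part of the original posts: a small parser that reads HijackThis entries and separates the ones to fix from the O17 NameServer entries that point at the local router and should be left alone. The rules in `triage_entry` are assumptions made for this illustration, not HijackThis behaviour, and the sample log is constructed from entries quoted above.

```python
import ipaddress
import re

# Constructed sample: entries copied from the log quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Anti] C:\zee.exe
O4 - HKCU\..\Run: [Zedyojuq] C:\WINDOWS\system32\?ttrib.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
"""

ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")

def triage_entry(code, body):
    """Return (verdict, reason) for one entry; the rules are assumed heuristics."""
    if code == "O17" and "NameServer" in body:
        servers = re.split(r"[,\s]+", body.split("=", 1)[1].strip())
        try:
            local = all(ipaddress.ip_address(s).is_private for s in servers)
        except ValueError:
            return "review", "NameServer value is not a plain IP list"
        if local:
            return "keep", "DNS server is on the local network (router/DHCP)"
        return "review", "DNS server is outside the local network"
    if code == "F2" and "Shell=" in body:
        extra = body.split("Shell=", 1)[1].split(None, 1)[1:]
        if extra:
            return "fix", "extra program chained onto the shell: " + extra[0]
    if code == "O4":
        path = body.split("] ", 1)[-1]
        if "?" in path or re.fullmatch(r"[A-Za-z]:\\[^\\]+\.exe", path):
            return "fix", "autorun from drive root or with unprintable name"
    if body.endswith(("(file missing)", "(no file)")):
        return "fix", "orphaned entry, target file no longer exists"
    return "review", "no rule matched"

def triage_log(text):
    """Parse a HijackThis log into a list of (code, verdict, reason)."""
    matches = (ENTRY.match(line) for line in text.splitlines())
    return [(m["code"], *triage_entry(m["code"], m["body"])) for m in matches if m]

if __name__ == "__main__":
    for code, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{code:4} {verdict:7} {reason}")
```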