any problem with this HJT report?
- Thread starter bryan2k5
- Start date
- Status
RealBlackStuff
Posts: 6,450 +3
You don't want the Trojan fservice.exe back!
Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
fservice.exe
zee.exe
?ttrib.exe
Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [Anti] C:\zee.exe
O4 - HKCU\..\Run: [Zedyojuq] C:\WINDOWS\system32\?ttrib.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.
When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Get deletefxpfiles here http://www.deletefxpfiles.com/index2.html to get rid
of ?ttrib.exe if you can't delete it normally.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
fservice.exe
zee.exe
?ttrib.exe
Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [Anti] C:\zee.exe
O4 - HKCU\..\Run: [Zedyojuq] C:\WINDOWS\system32\?ttrib.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.
When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Get deletefxpfiles here http://www.deletefxpfiles.com/index2.html to get rid
of ?ttrib.exe if you can't delete it normally.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
wow, I used to have the problem of not being able to access my windows firewall but now I'm able to and it's working again. I'm not sure how I got rid of that services file though. I purchased spy doctor and ran a scan with that and fixed a bunch of files it found. Then I rebooted and my firewall was still inactive. A day later I checked and my firewall was actually working. 
Ok, I'll do what you suggested and see what happens. I understand that I don't want that file back but is there a way to keep that error message from popping up? Or will your method do that for me?
Thanks again!
Ok, I'll do what you suggested and see what happens. I understand that I don't want that file back but is there a way to keep that error message from popping up? Or will your method do that for me?
Thanks again!
ok, I did what you suggested but I had some good and bad things that happened.
I stopped getting that error message that was popping up, which is great. The bad thing is that I couldn't connect to the internet anymore. Nothing worked, I even tried making a new connection but it still didn't help.
So I restored all the items that I deleted from HJT and I'm back to square 1. Maybe there's something you told me to fix that I shouldn't be? I have no idea.
I stopped getting that error message that was popping up, which is great. The bad thing is that I couldn't connect to the internet anymore. Nothing worked, I even tried making a new connection but it still didn't help.
So I restored all the items that I deleted from HJT and I'm back to square 1. Maybe there's something you told me to fix that I shouldn't be? I have no idea.
RealBlackStuff
Posts: 6,450 +3
Repeat the previous procedure, with the exception of these:
O17 - HKLM\System\CCS\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
That should do it.
O17 - HKLM\System\CCS\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{548465CB-8DD7-4149-A630-3834DCCCF0E2}: NameServer = 192.168.1.1
That should do it.
- Status
Similar threads
Latest posts
-
Apple may have halted production of its maligned FineWoven accessories- Bobbydpue replied
-
Sound comes 1 sec delayed in the beginnig- hdeveci replied
-
These credit cards feature OLEDs that light up upon payment- techstrike replied
