Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

CANNOT RUN ANY ANTIVIRUS [RESOLVED]


  • This topic is locked This topic is locked

#1
cowboys

cowboys

    Member

  • Member
  • PipPip
  • 14 posts
Dear Sirs,
i have a big problem ! Someone starting do not work on my portable HP with XP and Norton Antivirus running.
After an regular email with some dwg attachement, my blu bar in the bottom of the video disappear togheter green Start button and also "windows" key doesn't work.
I reboot the pc and soon after the password an error occur with this message:
"TFSWCTRL.EXE application not correct running" (this is the translation from Italian language)
So i try web scanning with Trend Housecall with novirus result then Panda Activescan with 2 virus no disinfected, I try Windows Update but the download is ok but i cannot install because an error occur, I download Adaware, SpyBot and EWIDO but after regular download i try to install but everyone of that give me the same answer :
"Impossibile to run, application configuration non correct"
Another strange thing isd that it's impossible to start Task Manager
I try to install and run HJCT and everything it's ok but i cannot take the log becaus Notepad doesn't work and it's impossible to copy the log in other way.
So i start writing to you from another computer.
What i can do ?

Please help me !

Carlo Riccardi
from Italy

p.s. another little thing .... idont'n see any icon in the directory atoher that Desktop
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Let's give this a try:

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

@echo off
cd\
echo REGEDIT4>Temp.reg
echo.>>Temp.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnceEx]>>Temp.reg
echo "Flags"=dword:00000008>>Temp.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnceEx\000]>>Temp.reg
echo "runonce"="\"\\!HJT.bat\"">>Temp.reg
echo.@echo off>!HJT.BAT
Echo.echo Hijackthis will open before the windows desktop>>!HJT.BAT
echo.echo Scan and Fix only what your forum adviser suggested>>!HJT.BAT
echo pause>>!HJT.BAT
echo.start hijackthis.exe>>!HJT.BAT
echo.echo ONLY when finished with hijackthis close it and,..>>!HJT.BAT
echo pause>>!HJT.BAT
echo.del Temp.reg>>!HJT.BAT
echo.CLS>>!HJT.BAT
echo.exit>>!HJT.BAT
regedit.exe /s Temp.reg
echo Please restart your PC now
Echo Just before the desktop loads Hijackthis will open,
echo Scan and Fix only what your forum adviser suggested
pause
CLS
exit


Save the file as "HijackThis.bat". Make sure to save it with the quotes and in the same folder as your HijackThis.exe program. Double click on it to run it. Restart when asked to do so. Then try saving the log after it loads and runs the scan...see if it can save in Notepad now.
  • 0

#3
cowboys

cowboys

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Nice to meet you :tazz:
Sorry not tel you the name of topic but sometimes i'm so stupid......

It's save the log but on portable computer i cannot open .... so i copy by the intranet inmy desktop computer i and write from y desktop computer.
This is the log after running on my portable .........



Logfile of HijackThis v1.99.1
Scan saved at 19.37.23, on 11/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\Saitek\Software\Profiler.exe
C:\Programmi\Saitek\Software\SaiSmart.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\rottolini\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rallylink.it/home_it.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programmi\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Profiler] C:\Programmi\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Programmi\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/t...free_access.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131567933200
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD5E283-802C-4241-92E5-655FBA600FC0}: NameServer = 151.99.125.2,151.99.250.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did the instruction I give you work?

Did you delete those two infected files found by Panda?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\Program Files\MsConfigs\MsConfigs.exe
C:\Program Files\MsConfigs\
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com


If you get a PendingOperations message, just close it and restart your computer manually.

Make sure to close all open windows. Check and fix the following in HijackThis:

R3 - Default URLSearchHook is missing
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/t...free_access.cab


Restart and post a new HijackThis log.
  • 0

#5
cowboys

cowboys

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I did the instructions you say but I prepare the .bat in my desktop then by intranet network I copy to my portable and execute the HijackThis.bat from Desktop (same folder where i have Hjck; restart, run the scan that save automatically the log in the desktop but if I try to launch Notepad.exe it doesn't start and give me a message to reinstall the program, so i copy the log, moving it to "shared documents", from portable to my desktop and send to you.

Now, because notepad doesn't work on portable, I copy your email to a Word files (Word work perfectly on portable) so i can copy the command lines but when I use File->Paste from Clipboard to Killbox nothing is pasted to Killbox so I stop to execute anything and I write to you.

And now what I can do ?

I rerun Panda and this is the log.

-----------------------------------------------------------------
Incident Status Location

Adware:adware/ist.istbar No disinfected Windows Registry
--------------------------------------------------------------

Regards
Carlo
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, in KillBox you see that folder image right? Click on that and look for all those files I listed for you one by one and hit the RED circled X button each time (do this one file at a time).
  • 0

#7
cowboys

cowboys

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of HijackThis v1.99.1
Scan saved at 18.05.59, on 12/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\Saitek\Software\Profiler.exe
C:\Programmi\Saitek\Software\SaiSmart.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Programmi\Microsoft Office\Office\1040\msoffice.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\rottolini\Desktop\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rallylink.it/home_it.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Programmi\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Profiler] C:\Programmi\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Programmi\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131567933200
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD5E283-802C-4241-92E5-655FBA600FC0}: NameServer = 151.99.125.2,151.99.250.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe


Bye
Carlo
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9
cowboys

cowboys

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Yes there is some problems.
I don't see the bottom bar of Windows (the one with "start" etc.etc.)
and when i go in a folder I don't see any icon ......

Do you can do something ?

Carlo
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Go with the Windows Repair to see if it will fix it up:

http://www.michaelst...rinstall.htm#RI
  • 0

#11
cowboys

cowboys

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
EVERYTHINGS OK !

GREAT JOB DEAR ! :tazz:
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP