HJT - Marie-Pauline


  • This topic is locked
23 replies to this topic

#1 marie-pauline
  • Members
  • 23 posts

Posted 05 April 2005 - 12:55 PM

Can anyone help me? My computer seems to be invaded by lop and I cannot seem to get rid of it. It makes everything unstable and I often can not get online. I use xp and ie and sometimes I can get online with one account but not another. I have run spybot and Adaware but cannot seem to get rid of it. I am very much a beginner at all of this and would be grateful for idiot proof instructions.


#2 ddeerrff (Retired)
  • Malware Response Team
  • 2,733 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 05 April 2005 - 01:26 PM

Hello marie-pauline and welcome to BleepingComputer.

Take a look at the info here, then post a HijackThis log.
Derfram
~~~~~~

#3 marie-pauline (Topic Starter)
  • Members
  • 23 posts

Posted 05 April 2005 - 02:59 PM

Following your suggestion I am pasting in a log. I think that something called lop is causing me lots of problems. I use xp and ie. Sometimes it seems to stop me accessing the web. I have a tool bar I cannot get rid of. I am constantly running spybot and adaware but can't seem to solve the problem. It is causing my computer to behave really erratically - although sometimes I can get on the web on one account but not on another.
Logfile of HijackThis v1.99.1
Scan saved at 20:49:12, on 05/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Palm\Hotsync.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www..google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = al>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: (no name) - {F3A7B081-C78B-EC2B-0B5F-C8CA1220D683} - C:\PROGRA~1\SKIPCR~1\Setup ford.exe (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [funk spam hole bolt] C:\Documents and Settings\All Users\Application Data\AXIS TRUST FUNK SPAM\Name window.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Ante comp dead stupid] C:\Documents and Settings\All Users\Application Data\copy software ante comp\Helpkind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21126056f8d67b...ip/RdxIE601.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn286.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#4 ddeerrff (Retired)
  • Malware Response Team
  • 2,733 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 05 April 2005 - 04:33 PM

Yes, you do have LOP.

You have a couple anti-malware programs running - and that is good - but they may interfere with the fix. We need to temporarily disable them:

Open Microsoft AntiSpyware.
- Click on Tools, Settings.
- In the left pane, click on Real-time Protection.
- Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
- After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Re-enable MSAS after I give you the all clear.


You have Spybot's Teatimer running in the background. Teatimer does a good job of notifying you when any suspicious changes are made to the registry. We are going to make some changes, so to keep Teatimer from popping up we need to disable it for now. To do so, right click the running icon of spybot's Teatimer located in the systray and choose exit.

Teatimer will restart at the next boot.



Open Notepad, (Start button, click on Run, type in Notepad, and click OK) copy & paste the following block of text into Notepad.

dir c:\windows\tasks /a > sched.txt
echo ------- >> sched.txt
attrib c:\windows\tasks\*.* >> sched.txt
notepad sched.txt
del sched.txt

Select 'Save as type:' as All Files,
Save the file to the desktop as sched.bat. Close Notepad.



Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = al>

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {F3A7B081-C78B-EC2B-0B5F-C8CA1220D683} - C:\PROGRA~1\SKIPCR~1\Setup ford.exe (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [funk spam hole bolt] C:\Documents and Settings\All Users\Application Data\AXIS TRUST FUNK SPAM\Name window.exe
O4 - HKLM\..\Run: [Ante comp dead stupid] C:\Documents and Settings\All Users\Application Data\copy software ante comp\Helpkind.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21126056f8d67b...ip/RdxIE601.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn286.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HijackThis.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders if found:

C:\Documents and Settings\All Users\Application Data\AXIS TRUST FUNK SPAM\ <--Delete entire folder
C:\Documents and Settings\All Users\Application Data\copy software ante comp\ <--Delete entire folder
C:\Program Files\SKIPCR~1\ <--Folder that starts with "SKIPCR...", delete entire folder


Now double click on sched.bat that you previously saved to the desktop and a notepad file should open. Copy the contents of that file to your next post along with a fresh HJT log.
Derfram
~~~~~~
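The lines the helper picked out above follow a few recognisable patterns: a ProxyOverride value that is not a host list, BHOs whose DLL is gone ("(no file)" / "(file missing)"), Run entries named with strings of random words that launch from All Users\Application Data, the KernelFaultCheck crash-dump leftover, and a Download Program File (O16) entry that fetches a bare .exe. The Python script below is an added example, not part of this thread and not HijackThis code: it applies those heuristics to a constructed subset of the log posted in reply #3. The rule names, the "three or more plain words" threshold and the Application Data condition are my own assumptions, and the script deliberately does not reproduce the helper's judgment call on the RdxIE .cab entry, which no simple pattern would catch.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; not HijackThis code and not the helper's own
procedure. The rule set and its thresholds are assumptions drawn from the
entries the helper chose to fix in reply #4.
"""
import re

# Constructed subset of the HJT log posted in reply #3 (lines copied as-is,
# abridged to the sections the heuristics below look at).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = al>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {F3A7B081-C78B-EC2B-0B5F-C8CA1220D683} - C:\PROGRA~1\SKIPCR~1\Setup ford.exe (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [funk spam hole bolt] C:\Documents and Settings\All Users\Application Data\AXIS TRUST FUNK SPAM\Name window.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn286.exe
"""

# "R1 - <body>", "O4 - <body>", ...: section tag, then the rest of the line.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Run-entry names made of three or more plain words, e.g. "funk spam hole bolt".
WORDY_NAME = re.compile(r"^[A-Za-z]+(?: [A-Za-z]+){2,}$")
# Acceptable ProxyOverride tokens: "<local>" or host/wildcard patterns.
OVERRIDE_TOKEN = re.compile(r"<local>|[\w.*:-]+")


def parse_hjt(text):
    """Return (section, body) pairs for every recognised HJT line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Return (section, body, reason) for each entry a heuristic flags."""
    findings = []
    for sec, body in entries:
        reason = None
        if sec == "R1" and "ProxyOverride = " in body:
            value = body.split("ProxyOverride = ", 1)[1]
            tokens = [t for t in value.split(";") if t]
            if any(not OVERRIDE_TOKEN.fullmatch(t) for t in tokens):
                reason = "malformed ProxyOverride value"
        elif sec == "O2" and ("(no file)" in body or "(file missing)" in body):
            reason = "BHO registered but DLL absent"
        elif sec == "O4":
            m = re.search(r"\[(?P<name>[^\]]+)\] (?P<target>.*)$", body)
            if m:
                name, target = m.group("name"), m.group("target").lower()
                if "dumprep 0 -k" in target:
                    reason = "KernelFaultCheck crash-dump leftover"
                elif WORDY_NAME.match(name) and "\\application data\\" in target:
                    reason = "random-word Run entry launching from Application Data"
        elif sec == "O16" and body.lower().endswith(".exe"):
            reason = "Download Program File fetching a bare .exe"
        if reason:
            findings.append((sec, body, reason))
    return findings


def fix_list(text):
    """The flagged entries, formatted as HJT prints them, ready to tick."""
    return [f"{sec} - {body}" for sec, body, _ in triage(parse_hjt(text))]


if __name__ == "__main__":
    for sec, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec}: {reason}\n    {body}")
```

Run as a script it prints each flagged line with its reason; fix_list() returns the same lines in HJT's own format so they can be compared against what the helper asked to have fixed. The Application Data condition is what keeps a legitimate multi-word entry such as "Microsoft Works Update Detection" off the list.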

#5 marie-pauline (Topic Starter)
  • Members
  • 23 posts

Posted 07 April 2005 - 01:36 AM

Hi ddeerrff,

Love the picture! Thanks for your help. I have tried to follow the instructions but hit a few things that I did not know what to do with!
What does - Configure Windows to http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/ mean? Does it mean open the web page? Could not work it out - sorry!

After I had closed Hijack This I could not find any c:\Documents and Settings\All Users\Application Data files.

Think I managed everything else so here is the log.
Logfile of HijackThis v1.99.1
Scan saved at 07:11:17, on 07/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Palm\Hotsync.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www..google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Volume in drive C is BOOT
Volume Serial Number is 0C0E-601B

Directory of c:\windows\tasks

07/04/2005 07:13 <DIR> .
07/04/2005 07:13 <DIR> ..
07/04/2005 07:00 276 8552C971917565F9.job
07/04/2005 07:00 280 A22C07FD9063801D.job
07/04/2005 07:00 280 A55DEC88908E9D70.job
07/04/2005 07:00 268 A63E930191C13D05.job
07/04/2005 07:00 268 A8078196931838FE.job
07/04/2005 07:00 232 A861E6B991BE620D.job
07/04/2005 07:00 268 ABA7297A9184DECE.job
07/04/2005 07:00 268 AC1C7874903BEF20.job
07/04/2005 07:00 280 AD5D811F91263AA3.job
07/04/2005 07:00 276 AD7DD296918A4776.job
07/04/2005 07:00 232 AE58B9CF933F3957.job
07/04/2005 07:00 272 AECA9C1491E90FD4.job
07/04/2005 07:00 276 B506812090FD27E8.job
07/04/2005 07:00 268 B63BBFB1919828B1.job
07/04/2005 07:00 276 B8023797923DA10F.job
07/04/2005 07:00 280 BB3B34E0929CB2E0.job
07/04/2005 07:00 280 BE74115990A7B389.job
29/08/2002 13:00 65 desktop.ini
01/04/2005 21:06 398 McAfee Privacy Service Anti-Spyware Scan.job
07/04/2005 07:29 482 McAfee.com Update Check (KITCHENPC-Children).job
07/04/2005 07:31 478 McAfee.com Update Check (KITCHENPC-Donald).job
07/04/2005 07:33 482 McAfee.com Update Check (KITCHENPC-Isabella).job
07/04/2005 07:30 476 McAfee.com Update Check (KITCHENPC-Jamie).job
07/04/2005 07:32 480 McAfee.com Update Check (KITCHENPC-Leonora).job
07/04/2005 07:33 470 McAfee.com Update Check (KITCHENPC-MP).job
07/04/2005 07:32 478 McAfee.com Update Check (KITCHENPC-Sophie).job
07/04/2005 07:15 6 SA.DAT
27 File(s) 8,395 bytes
2 Dir(s) 76,691,234,816 bytes free
-------
A H C:\windows\tasks\8552C971917565F9.job
A H C:\windows\tasks\A22C07FD9063801D.job
A H C:\windows\tasks\A55DEC88908E9D70.job
A H C:\windows\tasks\A63E930191C13D05.job
A H C:\windows\tasks\A8078196931838FE.job
A H C:\windows\tasks\A861E6B991BE620D.job
A H C:\windows\tasks\ABA7297A9184DECE.job
A H C:\windows\tasks\AC1C7874903BEF20.job
A H C:\windows\tasks\AD5D811F91263AA3.job
A H C:\windows\tasks\AD7DD296918A4776.job
A H C:\windows\tasks\AE58B9CF933F3957.job
A H C:\windows\tasks\AECA9C1491E90FD4.job
A H C:\windows\tasks\B506812090FD27E8.job
A H C:\windows\tasks\B63BBFB1919828B1.job
A H C:\windows\tasks\B8023797923DA10F.job
A H C:\windows\tasks\BB3B34E0929CB2E0.job
A H C:\windows\tasks\BE74115990A7B389.job
HR C:\windows\tasks\desktop.ini
A C:\windows\tasks\McAfee Privacy Service Anti-Spyware Scan.job
A C:\windows\tasks\McAfee.com Update Check (KITCHENPC-Children).job
A C:\windows\tasks\McAfee.com Update Check (KITCHENPC-Donald).job
A C:\windows\tasks\McAfee.com Update Check (KITCHENPC-Isabella).job
A C:\windows\tasks\McAfee.com Update Check (KITCHENPC-Jamie).job
A C:\windows\tasks\McAfee.com Update Check (KITCHENPC-Leonora).job
A C:\windows\tasks\McAfee.com Update Check (KITCHENPC-MP).job
A C:\windows\tasks\McAfee.com Update Check (KITCHENPC-Sophie).job
A H C:\windows\tasks\SA.DAT



Hope this makes some sense to you!

Thank you again for your help

#6 ddeerrff (Retired)
  • Malware Response Team
  • 2,733 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 07 April 2005 - 10:55 AM

What does - Configure Windows to http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/ mean?

Strange, what you should have seen is "Configure Windows to enable viewing of Hidden and System files." with 'enable viewing of Hidden and System Files' as a hot link to the quoted website. Is OK though - you did well.

After I had closed Hijack This I could not find any c:\Documents and Settings\All Users\Application Data files.

We'll take care of that later.


In your original post, you refer to having a toolbar you don't want. I see both a Google toolbar and a Freeserve toolbar. Neither of these is considered malware, but is it one of these you wish to get rid of? If so, let me know.


Open Notepad, copy & paste the following into Notepad:

attrib -h C:\windows\tasks\8552C971917565F9.job
attrib -h C:\windows\tasks\A22C07FD9063801D.job
attrib -h C:\windows\tasks\A55DEC88908E9D70.job
attrib -h C:\windows\tasks\A63E930191C13D05.job
attrib -h C:\windows\tasks\A8078196931838FE.job
attrib -h C:\windows\tasks\A861E6B991BE620D.job
attrib -h C:\windows\tasks\ABA7297A9184DECE.job
attrib -h C:\windows\tasks\AC1C7874903BEF20.job
attrib -h C:\windows\tasks\AD5D811F91263AA3.job
attrib -h C:\windows\tasks\AD7DD296918A4776.job
attrib -h C:\windows\tasks\AE58B9CF933F3957.job
attrib -h C:\windows\tasks\AECA9C1491E90FD4.job
attrib -h C:\windows\tasks\B506812090FD27E8.job
attrib -h C:\windows\tasks\B63BBFB1919828B1.job
attrib -h C:\windows\tasks\B8023797923DA10F.job
attrib -h C:\windows\tasks\BB3B34E0929CB2E0.job
attrib -h C:\windows\tasks\BE74115990A7B389.job
del C:\windows\tasks\8552C971917565F9.job
del C:\windows\tasks\A22C07FD9063801D.job
del C:\windows\tasks\A55DEC88908E9D70.job
del C:\windows\tasks\A63E930191C13D05.job
del C:\windows\tasks\A8078196931838FE.job
del C:\windows\tasks\A861E6B991BE620D.job
del C:\windows\tasks\ABA7297A9184DECE.job
del C:\windows\tasks\AC1C7874903BEF20.job
del C:\windows\tasks\AD5D811F91263AA3.job
del C:\windows\tasks\AD7DD296918A4776.job
del C:\windows\tasks\AE58B9CF933F3957.job
del C:\windows\tasks\AECA9C1491E90FD4.job
del C:\windows\tasks\B506812090FD27E8.job
del C:\windows\tasks\B63BBFB1919828B1.job
del C:\windows\tasks\B8023797923DA10F.job
del C:\windows\tasks\BB3B34E0929CB2E0.job
del C:\windows\tasks\BE74115990A7B389.job
rd /s /q "C:\Documents and Settings\All Users\Application Data\AXIS TRUST FUNK SPAM"
rd /s /q "C:\Documents and Settings\All Users\Application Data\copy software ante comp"
dir c:\windows\tasks /a > sched.txt
attrib c:\windows\tasks\*.* >> sched.txt
notepad sched.txt
del sched.txt


As before, save it to your desktop as Remjob.bat. Close Notepad.

Run Remjob.bat by double clicking on it.
Post the resulting text file in your next post along with one more HJT log.
Derfram
~~~~~~

#7 marie-pauline

  • Topic Starter
  • Members

Posted 08 April 2005 - 09:42 AM

Hi there,

I have been so excited because I have had one whole day with no problems, even that annoying toolbar which seems to have been a lop or search 2000 toolbar had disappeared! However today I cannot get on the web at all with my account and I am in despair. I am using the guest account on the same computer now but....

If I copy and paste to the desktop in the guest account can I then transfer it to my account desktop, so that I can then follow your instructions, or can I run it from the guest account?

Could this horrible lop be on the other accounts on this computer, if so do I have to go through the process with all users accounts?

Sorry for the delay in getting back to you but I have 4 children on holiday who are demanding my attention and a husband who doesn't like me being on the computer instead of getting his dinner!

Thank you so much for your help
MP

#8 ddeerrff

    Retired

  • Malware Response Team

Posted 08 April 2005 - 10:56 AM

However today I cannot get on the web at all with my account

What type of an internet connection do you have? Dialup, cable modem, DSL? Can you be more specific as to what isn't working on your account?

If I copy and paste to the desktop in the guest account can I then transfer it to my account desktop, so that I can then follow your instructions, or can I run it from the guest account?

I don't have a lot of experience on an XP system with multiple accounts. I believe each account will have a separate desktop. However, there is at least one folder that is defined as 'Shared' and should be accessible from all accounts.

I'm on a Windows2000 machine here at work so I can't check, but I believe if you open 'My Computer' that the 'Shared' folder is there.

Could this horrible lop be on the other accounts on this computer, if so do I have to go through the process with all users accounts?

Yes, could be on other accounts. An HJT log from each account would be a good idea to be sure all are clear. But I think getting your account back working should be the first priority.


One thing we can try...

From an account that has internet access, Download LSPFix and unzip into the 'shared' folder.

- Reboot and log into your account
- Go to the shared folder and run LSPFix
- Just click on 'Finish'.

Reboot again into your account and see if you can now access the net.
Derfram
~~~~~~

#9 marie-pauline

  • Topic Starter
  • Members

Posted 09 April 2005 - 08:50 AM

Hi,

I have a broadband connection which is shared with my husband's work computer (which I am using right now), the kids computer and mine. The problem only seems to be on mine - thank goodness.

Since last night I am not able to get on line on any account on my computer. When I open IE all I get is - sorry this page is not available right now (or words to that effect)

Maybe it will come back at some point and then I can try the things that you suggested.


I am sorry to be stupid about this but what exactly did you mean by "configure windows to http......"? I am afraid I did not understand your reply.

Thanks again for all your help
Marie-Pauline

#10 ddeerrff

    Retired

  • Malware Response Team

Posted 09 April 2005 - 01:14 PM

I am sorry to be stupid about this but what exactly did you mean by "configure windows to http......"? I am afraid I did not understand your reply.

Don't need to worry about this now, but rephrasing the line:

Configure Windows to enable viewing of Hidden and System files. Instructions as to how to do this can be found at http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/



I need to try to determine the state of your internet connection, and where it might be 'broken'. As you have done so well previously....

On the machine you are currently on:

Open Notepad, (Start button, click on Run, type in Notepad, and click OK) copy & paste the following block of text into Notepad.

ipconfig.exe /all >ipconfig.txt
notepad ipconfig.txt

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as getipconfig.bat. Close Notepad.

Copy getipconfig.bat to a floppy and then copy it onto the desktop of your machine.

From your machine, double click on getipconfig.bat. A notepad file should open. Go ahead and close notepad.
You should now have on the desktop of your machine a file named ipconfig.txt. Using a floppy, bring that file back to your husband's machine, open it, and post the contents in your next reply.

If one of the machines does not have a floppy drive and you cannot do the above:

On your machine, click on Start, Run, and type in cmd then OK. A command window should open. Type in the command window ipconfig /all and hit enter.

I need the info starting at Dhcp Enabled. . . . . . . . . . . and below. Copy these the old fashioned way (pen and paper) and post them in your next reply.
Derfram
~~~~~~

#11 marie-pauline

  • Topic Starter
  • Members

Posted 15 April 2005 - 12:16 PM

Hi there,

Sorry for the delay - kids and husband demanding attention again

I think I did this right! I hope this helps. Still can't get on the web at all with my computer on any account. I know that the broadband connection works as the other 2 computers in the house both work fine.

Do hope you can figure something out.
Have a good weekend
MP




Windows IP Configuration

Host Name . . . . . . . . . . . . : KITCHENPC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 4:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth LAN Access Server Driver #3
Physical Address. . . . . . . . . : 00-80-98-64-5A-C1

Ethernet adapter Local Area Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth LAN Access Server Driver #2
Physical Address. . . . . . . . . : 00-80-98-64-5A-C1

Ethernet adapter Bluetooth Network:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth LAN Access Server Driver
Physical Address. . . . . . . . . : 00-80-98-64-5A-C1

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VIA VT6105 Rhine III Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0C-76-C1-77-AD
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.31.122
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : PRISM 802.11g Wireless Adapter
Physical Address. . . . . . . . . : 00-60-B3-90-14-F2

#12 ddeerrff

    Retired

  • Malware Response Team

Posted 15 April 2005 - 04:45 PM

I'm surprised by the lack of a Default Gateway, but I'm not that much of a networking guru. I've asked other experts for additional advice in regard to that.

In the meantime, Download WinSockFix from http://www.softpedia.com/get/Tweak/Network...inSockFix.shtml. Move it to a floppy disk and take it over to your machine. Then move it to your desktop.

Run WinSockFix and click on "Fix". After it does its thing, your machine should reboot.

Let me know if that worked to get you back online.
Derfram
~~~~~~
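The ipconfig output in the previous post shows the wired adapter with an Autoconfiguration IP Address in 169.254.0.0/16 and an empty Default Gateway: that is Windows XP's APIPA fallback after its DHCP request went unanswered, which is consistent with the Winsock repair suggested above. As an added example, not part of the thread, the Python below parses that `ipconfig /all` layout and flags adapters in that state; the wireless adapter in the sample is a constructed healthy lease added for contrast.

```python
"""Flag adapters in an `ipconfig /all` dump that fell back to APIPA.
Added example, not part of the thread: it parses the `Key . . . : value`
layout pasted above and flags adapters with DHCP enabled, only a 169.254/16
autoconfiguration address and no Default Gateway (no DHCP reply was received).
"""
import ipaddress
import re

# Trimmed from the thread's output; the wireless adapter is a constructed
# healthy lease added for contrast.
SAMPLE = """\
Windows IP Configuration
Host Name . . . . . . . . . . . . : KITCHENPC

Ethernet adapter Bluetooth Network:
Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:
Description . . . . . . . . . . . : VIA VT6105 Rhine III Fast Ethernet Adapter
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.31.122
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection:
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.23
Default Gateway . . . . . . . . . : 192.168.1.1
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")
ADAPTER_RE = re.compile(r"^(?:Ethernet|PPP) adapter (.+):$")
FIELD_RE = re.compile(r"^(.*?)[ .]*: ?(.*)$")
HOST = "Windows IP Configuration"


def parse_ipconfig(text):
    """Return {section: {field: value}}; host-wide fields go under HOST."""
    sections, current = {HOST: {}}, HOST
    for raw in text.splitlines():
        line = raw.strip()  # the forum paste lost ipconfig's indentation
        if not line:
            continue
        if m := ADAPTER_RE.match(line):
            current = m.group(1)
            sections[current] = {}
        elif m := FIELD_RE.match(line):
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return sections


def diagnose(sections):
    """Map each adapter to 'disconnected', 'apipa', 'ok' or 'unknown'."""
    verdicts = {}
    for name, fields in sections.items():
        if name == HOST:
            continue
        if fields.get("Media State", "").startswith("Media disconnected"):
            verdicts[name] = "disconnected"
            continue
        addr = fields.get("Autoconfiguration IP Address") or fields.get("IP Address", "")
        gateway = fields.get("Default Gateway", "")
        dhcp = fields.get("Dhcp Enabled", "").lower() == "yes"
        try:
            apipa = ipaddress.ip_address(addr) in APIPA
        except ValueError:  # empty or malformed address field
            apipa = False
        if dhcp and apipa and not gateway:
            # No lease: check the link, the DHCP server, and on the host the
            # Winsock/LSP catalog that the DHCP client service relies on.
            verdicts[name] = "apipa"
        elif addr and gateway:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "unknown"
    return verdicts
```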

#13 marie-pauline

  • Topic Starter
  • Members

Posted 18 April 2005 - 09:02 AM

How fantastic! I am back on line. Thank you so much. What was strange was that when I first ran winsockfix on my account although something happened as my virus checker updated itself I still could not use IE. However my McAfee Internet security kept popping up telling me that things were happening such as
Generic host for Win 32 services (path c:\WINDOWS\system32\svchost.exe) was trying to send to 192.168.1.1. using port 53 (DNS)
or
Application layer Gateway service (c:\WINDOWS\system32\alg.exe) was trying to listen at port 1028.

As I was suspicious of these I blocked them. What are they by the way?

I then ran winsockfix on the guest account and wonder of wonders everything works on all accounts including picking up my emails in Outlook.

Does this mean I'm cured? If so can I just ask how can I prevent this happening again?

Thank you so much for your help
Marie-Pauline

#14 ddeerrff

    Retired

  • Malware Response Team

Posted 18 April 2005 - 10:19 AM

Great!

Generic host for Win 32 services (path c:\WINDOWS\system32\svchost.exe) was trying to send to 192.168.1.1. using port 53 (DNS)
or
Application layer Gateway service (c:\WINDOWS\system32\alg.exe) was trying to listen at port 1028.

As I was suspicious of these I blocked them. What are they by the way?

These are internal Windows processes and should be OK.

I would like to see a final HJT log from your account to be sure all is still clean. If any of the other accounts are behaving strangely, an HJT log from those too.
Derfram
~~~~~~

#15 marie-pauline

  • Topic Starter
  • Members

Posted 20 April 2005 - 09:44 AM

Hi there,

Still OK, although at first yesterday I could not get on line anywhere again. I ran winsockfix on the guest account and hey presto on line with every account. Everything seems OK today.

Here is the Hijack this log from my account.

I will paste ones from the other accounts separately as I have to log off each account and I don't know how to do so otherwise. Sorry if this is a pain.

Logfile of HijackThis v1.99.1
Scan saved at 15:37:37, on 20/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Palm\Hotsync.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www..google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: (no name) - {F3A7B081-C78B-EC2B-0B5F-C8CA1220D683} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} -
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



