Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

strangely enough i have a problem...


  • This topic is locked This topic is locked
3 replies to this topic

#1 rosevibe

rosevibe

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:manchester
  • Local time:04:47 PM

Posted 06 September 2004 - 04:33 PM

Hi all,
I was originally using IE 6.0 but as i was having so many problems with it (on the rare occasion a page would load instead of going straight to the 'this page is not available' default screen, it took forever - anything from 40seconds to 2 minutes, unless it just 'timed out')
After i'd done the whole fruitless adaware, avg and housecall sweeps and got nothing, i begged assistance from my housemate, who suggested getting a new browser.
So i download mozilla (it's actually damn fine!) for the first 10 minutes or so i'm cooking on gas, SPEEEEDY connection - pages open almost before i click go, felt GREAT.
then it happened again. *sigh*

When using IE 6, If i tried navigating using the favourites it just brought up the 'this page is currently unavailable' even if i typed the address to navigate to straight into the address bar, it would bring up the default msn search telling me to check the address and try again - whilst offering me 'alternatives' which were EXACTLY the same as i had typed in in the first place.

When using mozilla i just get a little pop up box telling me to check the address. On one occasion i was actually ON a google search page when it came up with "www.google.com not recognised, please check the address and try again"

I've been on the blackviper site and configured xp as per instructions, i've changed browser, shut off all non essential bits n bobs, uninstalled software i havent used in aeons, done a defrag, uninstalled all antivirus stuff, re-installed new antivirus stuff, redone the ad-aware and downloaded spybot and scanned - all to no avail. The only thing it's brought up is a 'DSO exploit' 5 times, i've since changed a registry entry (sweating the whole time, my first reg effort) and its now only coming up 4 times but i cant get rid of it. do you think this could be whats causing all my problems?

I'm also having problems with the wireless network - my housemate isnt so i can only put it down to whatever this is.
PLEASE can someone check this hjt log and try to help - preferably in laymans terms as I need PRE-cise, idiot proof directions to follow.
Many many thanks in advance - if only for reading this
Vics XXxx

Logfile of HijackThis v1.98.2
Scan saved at 21:52:57, on 06/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Program Files\3Com\Bluetooth\BTCM.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Erotic - {2648BB17-1868-48d3-9A85-7C77F13A2288} - http://www.erotic.co.uk?ref=9999 (file missing)
O9 - Extra 'Tools' menuitem: Erotic... - {2648BB17-1868-48d3-9A85-7C77F13A2288} - http://www.erotic.co.uk?ref=9999 (file missing)
O9 - Extra button: IQ Test - {D9FA68E1-AEE2-48d8-B03D-C37DC602554E} - http://www.personaltest.co.uk (file missing)
O9 - Extra 'Tools' menuitem: IQ Test... - {D9FA68E1-AEE2-48d8-B03D-C37DC602554E} - http://www.personaltest.co.uk (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http://www.eingang69.de/EroticAccess/Cabs/1843009.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...9b3758abfcae556
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

BC AdBot (Login to Remove)

 


#2 texruss

texruss

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:47 PM

Posted 06 September 2004 - 08:44 PM

Your Windows and IE version numbers...not updated for IE or Windows:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)


Proper version numbers:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

or...the latest XP SP2 and IE SP2

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


To start Updates online: Open IE 6, pull down Tools on top menu bar and select Windows Update. Click on the scan for updates link and then download and install ALL critical security updates.

You can also download the entire SP2 update (big file at 266 MB):

http://russelltexas.com/tutorials/xpsp2.htm

Your log doesn't look too bad...some Gator stuff (GMT), WinAd and WebRebates. Uninstall GMT in Control Panel/Add Remove Programs.

Run Hijackthis, scan and check the box left of these numbered line items:

O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Comments: optional removal...resource hog
O9 - Extra button: Erotic - {2648BB17-1868-48d3-9A85-7C77F13A2288} - http://www. erotic.co.uk?ref=9999 (file missing)
O9 - Extra 'Tools' menuitem: Erotic... - {2648BB17-1868-48d3-9A85-7C77F13A2288} - http://www. erotic.co.uk?ref=9999 (file missing)
O9 - Extra button: IQ Test - {D9FA68E1-AEE2-48d8-B03D-C37DC602554E} - http://www. personaltest.co.uk (file missing)
O9 - Extra 'Tools' menuitem: IQ Test... - {D9FA68E1-AEE2-48d8-B03D-C37DC602554E} - http://www. personaltest.co.uk (file missing)

O16 - DPF: {1230CB21-C88D-11CF-B347-000000000000} - http:// www. eingang69.de/ EroticAccess/Cabs/1843009.cab
Comments: EroticAccess
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http:// public.windupdates. com/get_file.php...9b3758abfcae556
Comments: Blazefind Windupdates Adware

With no other windows open click on fix checked button in Hijackthis.

Exit Hijackthis.

Reboot to SAFE MODE

Show HIDDEN FILES and folders

These necessary options are explained in FAQ's 8 and 9
on this page:

http://www.russelltexas.com/malware/faqhijackthis.htm

Open Windows Explorer: type the word explorer at Start/Run box and click OK:
(Note...if the Run button is absent, right button click on the Start button and left button click on the word explore).

Navigate down the folder structure in left hand window and then in the right window delete the following folders: (if present...some may be gone...but look very carefully and make sure you have enabled hidden files option):

Folders:

C:\Program Files\Winad Client
C:\Program Files\Common Files\GMT
C:\Program Files\Web_Rebates


Exit Explorer and empty the Recycle Bin.

Reboot in normal mode Windows and run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.

If you have any problems with Disk Cleanup completing...XP users can fix it here:

http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

I also like this freeware temp files cleaner here:

http://cleanup.stevengould.org/

Next...download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.

Most of the Internet baddies can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:

1. Latest version
2. Configured correctly for running options
3. New definitions from update feature


Please download the latest Adaware which is called SE edition and Spybot 1.3. Graphic tutorials at:

http://russelltexas.com/malware/spybot13/spybot13.htm

http://russelltexas.com/malware/adawarese/adawarese.htm

Follow the directions for proper use of those excellent products.

Next, reboot a final time and browse a bit, exit IE 6 and post a new Hijackthis log in this thread. Please do this even if you feel it is clean as this is beneficial for our classroom trainees and future researchers. Your help is appreciated.

HTH,

Texruss
Classroom Teacher Tom Coyote Forum
http://russelltexas.com
Poster agrees to my disclaimer before taking my advice:
http://russelltexas.com/malware/disclaimer.htm

#3 rosevibe

rosevibe
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:manchester
  • Local time:04:47 PM

Posted 07 September 2004 - 07:28 AM

Many thankee's for the response you chucklelamblovehoneybabysweetheartdarlin' you!
I've been trying to figure out where those buttons on my toolbar came from as they didnt appear to do anything. glad to say they've now gone.

However, sadly i cannot install the service pack, downloaded with no problems but when installing it brought up this error message:

"windows xp service pack 2 cannot install
the product key used to install microsoft windows may not be valid. For more nformation about why you have recieved this error message, and steps you can take to resolve this issue, visit www.howtotell.com"

now i'd LOVE to visit the site mentioned on there but as it wont open in either browser... *sigh*
it also appears that my xp disk has gone awol, i cannot find it ANYWHERE!

I did everything else you mentioned on here including update my version of adaware but i'm still getting the DSO exploit showing up on spybot - i'm assuming thats because my os is not up to date.

I've kind of resigned myself to having to go buy another version of windows and learn how to do a format and re-install.

...unless you have any other suggestions for me? *looks up in a hopeful pleading kind off manner* (think puss in boots in shrek2 at his cutest... i can do that *grin*)

anyway, as requested... here's my new hjt log:

Logfile of HijackThis v1.98.2
Scan saved at 13:14:03, on 07/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Mozilla Firefox\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Program Files\3Com\Bluetooth\BTCM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:47 PM

Posted 14 September 2004 - 11:07 PM

Sorry for such a late response. THe DSO exploit is a bug in spybot and can be safely ignored. As for getting the updates working, there probably will not be a way until you get your version of windows properly licensed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users