
Internet, all hosed up...

11 replies to this topic

#1 dana

Posted 09 September 2004 - 01:48 PM

If anybody out there can make it through this posting and give me some advice, I'd sure appreciate it!
Started last month with a spyware infection. Was working with the HijackThis log and getting some help from this site. Had a rogue Symantec firewall (given to me by Uncle Sam - that should have tipped me off...) installed that wouldn't let me get to https:// sites, I got frustrated and reloaded my Windows XP. Ever since, the computer has really been funky.
Internet is the biggest problem. I have verizon DSL. The speed is slower than molasses in winter. I think the US Postal Service is faster (bear with me, I'm venting...) Verizon has been out here, checked the lines (they say they're OK), changed my phone jack, but the speed still sucks! I can only get to the Internet after I start the computer. Explorer will come up, and eventually I'll get yahoo. If I have a spare hour or so, I might try to get to another web site. If I exit the browser, I have to restart the computer to get back on-line. When I do the ping command (learned it from the Verizon support - they seem to like it but it hasn't done JACK for my problem!), I get a reply from yahoo.com, but I can try the browser right after that and I get the server unavailable message. Have to restart to get back to the Internet. If I go to control panel and look at the status of the network connection, it shows that my system is sending out tons of info but receiving very little.
I downloaded copies of Spy Sweeper and AVG from work (impossible to do on my home system - I'd die of old age first...) Ran spy sweeper and cleaned off some spyware that it found. AVG cleaned a bunch of viruses. It can't get rid of some Trojan Back Door that is stuck on the linux.exe file in the Windows/system32 directory. I get a message about how Windows can't move that file. So how do I get rid of that thing?
Tried to do the Panda on-line scan last night. Couldn't even download the program to start the scan with my pitiful speed. Then the Internet connection just dies when I'm an hour into the supposedly few minute download.
Also, when I start up, I get these two pop ups that want me to download some Mole Box program. I checked the molestudio web site, and this Mole Box stuff looks like something I don't want or need. How can I get rid of those annoying boxes upon start up? Which I do quite often to get the slowest DSL service on the planet...
Should I start over again with the restoration disks? Didn't seem to help me much before. Anybody out there have any ideas? My wife is ready to kick my A** over this FUBAR move I've pulled. Somebody, please, do the right thing and save this guy's life!! Plus, I figure if you can make it all the way through this message, you're pretty dedicated. It helped me vent and get rid of some frustrations...

#2 phawgg

Posted 09 September 2004 - 04:22 PM

I tend to post long ones too, dana, so I made it through OK.

Create a folder on your hard drive to save HijackThis.exe in. A folder like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

Download Hijack This Here

Save this file into the folder you made previously. Double-click to run the program named hijackthis.exe. When the program opens, click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. (Here is where you may need to step outside or go grocery shopping) When it completes checking/applying updates press the back button.

Now click on the Scan button. When it is finished, click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit, then click on Select all. Now click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post. (generally we ask that these logs be posted in the Security-->HijackThis Logs & Analysis forum, but just right-click it /paste as either a "reply" to this thread or a "new post" in HJT Logs)

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis!

I can't think of a better way than to look at another log. (maybe you still have the HJT folder from last visit?) :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 dana

Posted 10 September 2004 - 03:40 AM

Never had a chance to get to the grocery store. It wouldn't connect at all for the HJT update. So I just took what I could download at work and ran it here at home. Here is the log:

Logfile of HijackThis v1.98.2
Scan saved at 9:38:06 PM, on 9/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\System32\msnmsg.exe
C:\WINDOWS\System32\Linux.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ekotgz.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKLM\..\Run: [msn] msnmsg.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Compliant] ekotgz.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [msn] msnmsg.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunServices: [Windows Compliant] ekotgz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\Run: [msn] msnmsg.exe
O4 - HKCU\..\Run: [Windows Compliant] ekotgz.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunServices: [msn] msnmsg.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

I'm actually up on the Internet on Firefox right now. Slow, but at least I'm surfin'!!

#4 phawgg

Posted 10 September 2004 - 04:14 AM

Your resourcefulness is to be commended, dana, I was afraid you'd have some trouble though, as things can often go...

I downloaded copies of Spy Sweeper and AVG from work (impossible to do on my home system - I'd die of old age first...)

Somebody, please, do the right thing and save this guy's life!!

It was that line that got me motivated. I'm in training at advising how to fix these problems. I pop my head out of the trainee lounge on occasion to come up for air. It actually can take a fair chunk of time chasin' down all the little details that ultimately lead to the step-by-steps that any particular combination of things require.

I get these two pop ups that want me to download some Mole Box program.

They probably remind you, about now, of how life might be if you spend much more time in the dawghouse yourself. No wonder your question boils down to: So how do I get rid of that thing? Considering the downloading difficulties you experience, this isn't what you want to hear, but it needs to be said.

Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue to help you, as the infections could recur. Go to http://www.windowsupdate.com and if it asks to install software, let it. Then click on the Scan link and let it do its thing. When it's done you will see on your left a section called critical updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed. Then post a new log.

If it is impossible to get the updates, I'll see what can be done at this end, working with the log you've posted. I know it wasn't easy getting it here. :thumbsup: It's 2:45am my time. I'll start fresh in the morning. Edit: I can see in the log there is no SP1, nor any of the others between it and the SP2.
Click here to read about what is involved. In all honesty, you may be better off loading the service packs from CDs.
SP2: http://www.microsoft.com/downloads/details...&displaylang=en
SP1

Edited by phawgg, 10 September 2004 - 05:08 AM.


#5 dana

Posted 10 September 2004 - 04:54 AM

phawgg:
You're the one who should be commended. At 2:00 AM, I've been a pumpkin for quite some time....
Anyway, I was able to get the Panda on-line virus scan to work (I guess all the planets lined up for a brief period). It was able to find three viruses (didn't give me the names and I was so excited just to get it downloaded that I never thought to investigate). I have been able to connect on both Explorer and Firefox a few times tonight! Those pop up windows for Mole Box are gone. Speed still seems a little slow for what I think DSL should be, but, hey, this is progress. One strange thing now is that when I restart, two Explorer windows automatically open. Maybe this is payback for all those times when I didn't get anything??

I ran another HJT log and have it posted below. If you're motivated to look at one, this might be the better choice. Thanks for the help!

Logfile of HijackThis v1.98.2
Scan saved at 11:38:59 PM, on 9/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\System32\msnmsg.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKLM\..\Run: [msn] msnmsg.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Compliant] ekotgz.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [msn] msnmsg.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunServices: [Windows Compliant] ekotgz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\Run: [msn] msnmsg.exe
O4 - HKCU\..\Run: [Windows Compliant] ekotgz.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunServices: [msn] msnmsg.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#6 phawgg

Posted 10 September 2004 - 05:13 AM

I was working on the problem as you posted your reply. Had to edit it to include the update information. Please double-check the posts in case you missed the info I put in, probably after you read it. Good news, now that I've read it... the internet connection via IE is important for updates, although you can download the SP1 to disk by way of Firefox. The SP1a should work, and by doing it and following up with SP2, you wouldn't need to do the other 24 in between.

Here is the SP2 CD info!! the links in my previous post are hard to use. The SP2 is directly to the right of the other, and there are two SP1a links...it IS late :thumbsup:

Edited by phawgg, 10 September 2004 - 05:26 AM.


#7 dana

Posted 10 September 2004 - 12:59 PM

Ordered the SP2 CD last week. After seeing that the download would be 93 MB, I realized I'd be driving an RV and living in Florida before I could get it through my connection. I'll take care of the SP1a update via CD later today. Of course, my version of later (I'm on aloha time!) is not as late as yours...
I'll post a new HJT log after the update. Thanks!

#8 phawgg

Posted 10 September 2004 - 05:26 PM

Super. We'll get it back up to snuff. Once SP1 or SP1a is in place, chances are good the other critical updates can be done sequentially, as the Windows Update site accesses your machine through a dedicated port of its own. Theoretically, problems with other sites will not affect you as you update.

#9 dana

Posted 11 September 2004 - 04:31 AM

Looks like the SP1 updated OK. Downloaded SP1a, but the computer tells me it was SP1. Keep me guessing, the story of my computer life...

Automatic update popped up upon restart, tried to download SP2. I'll wait for the CD.

Funny thing, upon restart, two Explorer windows open up. Not a bad thing I guess, but I didn't tell the computer to do it, so I feel like it's in charge, not me. And that would be different, uh, how??

Here's the new HJT log. Thanks Again!

Logfile of HijackThis v1.98.2
Scan saved at 11:20:17 PM, on 9/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\System32\msnmsg.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKLM\..\Run: [msn] msnmsg.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Compliant] ekotgz.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [msn] msnmsg.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\RunServices: [Windows Compliant] ekotgz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [$WindowsRegKey%update] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\Run: [msn] msnmsg.exe
O4 - HKCU\..\Run: [Windows Compliant] ekotgz.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunServices: [msn] msnmsg.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#10 carlb

Posted 22 September 2004 - 05:49 AM

dana,

I came across your post trying to fix a similar problem. I think the offending item is
O4 - HKCU\..\Run: [Windows Compliant] ekotgz.exe.

On my machine, it was a different exe name, but with the same random character feel to it. My anti-virus and Spybot weren't picking it up at all. However, it was opening up a very large number of network connections - looks like some sort of malware.

I used regedit and searched for every entry with (in your case) ekotgz.exe and deleted it, killed the process and then deleted [Windows]\System32\ekotgz.exe.

I hope this helps if you still have problems.

#11 dana

Posted 23 September 2004 - 10:03 PM

I'm a rookie when it comes to the regedit stuff. Let me make sure that I've got this straight before I try anything.

When I go to regedit, I should search for all entries that contain ekotgz.exe. I should then delete all those entries, assuming that there might be more than one. By "killed the process", do you mean get back out of regedit, or is deleting those entries "killing the process?" Then I should search the system32 folder for the file ekotgz.exe and delete it. Do I have to do this in safe mode?

Thanks for the help so far, carlb! If you can get me on the straight and narrow with regedit, I'd appreciate it.

#12 phawgg

Posted 23 September 2004 - 10:28 PM

Dana, glad you're back. Please post a new log in the Security-->HijackThis Logs & Analysis forum. Start a new topic, and an HJT Member will square you away. I'm still training and I want you to get the full benefit of the help available. It's really much easier if the question/log is in the right forum. :flowers: This is the Internet-->General Interest forum.
Your particular thread is listed below. Copy & paste it as the comments you post with your HJT Log. You could also say: "I tried to get help, but I need more info... my thread is:"

http://www.bleepingcomputer.com/forums/t/2523/internet-all-hosed-up/

BTW, carlb, you're probably right. You should apply those skills here as a HJT Trainee. :thumbsup:

Edited by phawgg, 23 September 2004 - 10:47 PM.
