Google won't load


#1
dhodge6

Logfile of HijackThis v1.99.1
Scan saved at 11:38:47 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [KPDrv4XP] C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

#2
greyknight17

Welcome to GTG.

Is it just Google that won't load? Does it work in Internet Explorer? I see you are using Firefox so I assume you only tested it on that browser.

Go to c:\windows\system32\drivers\etc and open up the hosts file (no extensions) in Notepad. There should be a bunch of lines with a # in front of them followed by a single line like:

127.0.0.1 localhost

If you have anything after that, post them here.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

#3
dhodge6

Thanks for your help. Google does not work on either Explorer or Firefox. There are times when it works sporadically, but then it just stops.

Went to c:\windows\system32\drivers\etc and opened up the hosts file (no extensions). There was no information after the 127.0.0.1 localhost line.

Here is the report from the activescan.

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rick\Cookies\rick@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Rick\Cookies\rick@ads.pointroll[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Rick\Cookies\rick@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Rick\Cookies\rick@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Rick\Cookies\rick@questionmarket[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Rick\Cookies\rick@zedo[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.go.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[statse.webtrendslive.com/dcsw40ls900000c9zydjgjkrt_1g1v]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.zedo.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[dcsw40ls900000c9zydjgjkrt_1g1v]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\m2511v03.default\cookies.txt[]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rick\Cookies\rick@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Rick\Cookies\rick@ads.pointroll[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Rick\Cookies\rick@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Rick\Cookies\rick@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Rick\Cookies\rick@questionmarket[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Rick\Cookies\rick@zedo[2].txt

#4
greyknight17

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

I don't see anything wrong there. Make sure it's not a setting that you or someone else using this computer set by mistake that is blocking you from using Google. Check with McAfee Firewall or your router settings (if you use a router) and make sure Google is not somehow blocked.

#5
dhodge6

I followed these steps and did the cleanup but I cannot get Google to work continuously. It may work for a couple of searches, then if I try again in a little while it will stop working and I will get the following message:

The connection has timed out
The server at en-us.start.mozilla.com is taking too long to respond.

I checked the firewall settings and there are no web addresses blocked. I do not know how to check the router settings, but because the problem comes and goes, it leads me to believe that it is some sort of virus or malware.

Would really appreciate help trying to figure out what is going on. Thank you.

#6
greyknight17

Please download and install the trial version of Webroot SpySweeper (8.3mg) http://www.webroot.c...4011&vcode=DT02

When SpySweeper starts, please accept any prompts to update definitions.
Configure it as follows:
*From the left pane, click Options
*Select the Sweep Options tab & ensure the following are ticked:
-Sweep Memory
-Sweep Registry
-Sweep Cookies
-Sweep All Users accounts
*Do Not Sweep System Restore Folder
*Enable Direct Disk Sweeping
*Sweep For Rootkits
After that's done, select Sweep from the left pane & click on the Start button

Allow Spysweeper to reboot your machine to remove the infected files.
*After rebooting, launch SpySweeper & select Results from the left pane
*Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HijackThis log.

#7
dhodge6

I ran Webroot Spysweeper, the log is below. I was able to access google.com, then I restarted the PC and tried it again. This time it did not work. Same problem, google.com timed out.

********
7:20 PM: | Start of Session, Friday, April 14, 2006 |
7:20 PM: Spy Sweeper started
7:20 PM: Sweep initiated using definitions version 658
7:20 PM: Starting Memory Sweep
7:23 PM: Memory Sweep Complete, Elapsed Time: 00:02:44
7:23 PM: Starting Registry Sweep
7:23 PM: Registry Sweep Complete, Elapsed Time:00:00:11
7:23 PM: Starting Cookie Sweep
7:23 PM: Found Spy Cookie: 2o7.net cookie
7:23 PM: rick@2o7[2].txt (ID = 1957)
7:23 PM: Found Spy Cookie: adlegend cookie
7:23 PM: rick@adlegend[1].txt (ID = 2074)
7:23 PM: Found Spy Cookie: pointroll cookie
7:23 PM: rick@ads.pointroll[1].txt (ID = 3148)
7:23 PM: Found Spy Cookie: zedo cookie
7:23 PM: rick@c5.zedo[1].txt (ID = 3763)
7:23 PM: rick@cnn.122.2o7[1].txt (ID = 1958)
7:23 PM: rick@dowjones.122.2o7[1].txt (ID = 1958)
7:23 PM: Found Spy Cookie: questionmarket cookie
7:23 PM: rick@questionmarket[2].txt (ID = 3217)
7:23 PM: Found Spy Cookie: tacoda cookie
7:23 PM: rick@tacoda[1].txt (ID = 6444)
7:23 PM: Found Spy Cookie: trb.com cookie
7:23 PM: rick@trb[2].txt (ID = 3587)
7:23 PM: rick@zedo[1].txt (ID = 3762)
7:23 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:23 PM: Starting File Sweep
7:36 PM: Found System Monitor: potentially rootkit-masked files
7:36 PM: gen.dll (ID = 0)
7:36 PM: liveupdate.exe (ID = 0)
7:36 PM: cumulative20060322.trf (ID = 0)
7:36 PM: g20060322_0800.trf (ID = 0)
7:36 PM: g20060331_0444.trf (ID = 0)
7:36 PM: settings.ini (ID = 0)
7:36 PM: liveupdate.ini (ID = 0)
7:36 PM: m20060322_0800.trf (ID = 0)
7:36 PM: updatelist.txt (ID = 0)
7:36 PM: updatelist.txt (ID = 0)
7:36 PM: liveupdate.lnk (ID = 0)
7:36 PM: File Sweep Complete, Elapsed Time: 00:13:15
7:36 PM: Full Sweep has completed. Elapsed time 00:16:13
7:36 PM: Traces Found: 21
7:43 PM: Removal process initiated
7:43 PM: Quarantining All Traces: 2o7.net cookie
7:43 PM: Quarantining All Traces: adlegend cookie
7:43 PM: Quarantining All Traces: pointroll cookie
7:43 PM: Quarantining All Traces: questionmarket cookie
7:43 PM: Quarantining All Traces: tacoda cookie
7:43 PM: Quarantining All Traces: trb.com cookie
7:43 PM: Quarantining All Traces: zedo cookie
7:43 PM: Removal process completed. Elapsed time 00:00:03
********
7:20 PM: | Start of Session, Friday, April 14, 2006 |
7:20 PM: Spy Sweeper started
7:20 PM: Sweep initiated using definitions version 658
7:20 PM: Starting Memory Sweep
7:20 PM: Sweep Canceled
7:20 PM: Memory Sweep Complete, Elapsed Time: 00:00:10
7:20 PM: Traces Found: 0
7:20 PM: | End of Session, Friday, April 14, 2006 |
********
7:18 PM: | Start of Session, Friday, April 14, 2006 |
7:18 PM: Spy Sweeper started
7:19 PM: Your spyware definitions have been updated.
7:20 PM: | End of Session, Friday, April 14, 2006 |

#8
greyknight17

OK, do you use a router? How do you connect online (dialup or high speed internet like cable/DSL)? I'm thinking it might be one of these interfering here.

How about Safe Mode with Networking support? Does this problem occur there also?

Go to Start->Run and type in cmd and hit OK. Then type in the following:

ping google.com

See if you get back any response times or just request timed out (which is not good). Do the ping every time you can't connect to Google. See if it times out in the Command Prompt.

#9
dhodge6

I use a Linksys wireless router on my main computer which connects to the internet through a cable modem. This PC has a D-Link wireless connection to the Linksys router. Both computers have the Google won't load problem.

I pinged google.com and it appears to be working, it does not time out.

I will try the safe mode w/ networking and revert w/ results.

#10
dhodge6

Just tried safe mode w/ networking but Google does not work. I also noticed that when I tried to load the geekstogo.com website, there was a delay as the following web addresses appear at the bottom of the screen:

first, it displays "transferring data from www.google-analytics.com", then "connecting to pagead2.googlesyndication.com", then the website correctly loads.

#11
greyknight17

Good...it's narrowed down to the router most likely then. It's not this computer itself. Unless you installed some software on both these computers that might be blocking this out. You sure the HOSTS file is clear except for that single 127.0.0.1 localhost line? Did you install any other new anti-spyware programs before this problem began? It usually won't happen out of the blue...

#12
dhodge6

Please explain how to check the HOSTS file, I don't know what this is. Besides McAfee and Adaware, I'm not aware of other software loaded. Should I uninstall all of the spyware programs?

#13
greyknight17

Go to c:\windows\system32\drivers\etc and open up the hosts file (no extensions) in Notepad. There should be a bunch of lines with a # in front of them followed by a single line like:

127.0.0.1 localhost

If you have anything after that, post them here.
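
Added example (not part of the original post): the hosts-file check described in posts #2 and #13, written as a Python script that lists every active entry other than the loopback `localhost` line and marks those that cover a watched domain. The function names, the watch list and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress
import sys

# Path quoted in the thread; used only when no path is given on the command line.
DEFAULT_PATH = r"c:\windows\system32\drivers\etc\hosts"
DEFAULT_NAMES = {"localhost"}   # the only active entry the helper expects to see

# Constructed sample, not taken from the thread: two comment lines, the
# expected localhost line, and two extra entries added for illustration.
SAMPLE = """\
# constructed comment line
#
127.0.0.1       localhost
192.0.2.10\twww.google.com google.com   # constructed redirect entry
127.0.0.1       ads.example.net
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each active line of a hosts file."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments, full-line or trailing
        fields = line.split()                  # separators may be spaces or tabs
        if len(fields) < 2:
            continue                           # blank, comment-only or no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address; skipped
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, watch=("google.com",)):
    """Return one finding per mapping other than loopback -> localhost."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in DEFAULT_NAMES and ip.is_loopback:
                continue
            watched = any(name == d or name.endswith("." + d) for d in watch)
            findings.append({"line": line_no, "ip": str(ip),
                             "host": name, "watched": watched})
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    with open(path, encoding="utf-8", errors="replace") as fh:
        results = audit_hosts(fh.read())
    for f in results:
        flag = "  <-- overrides a watched domain" if f["watched"] else ""
        print(f"line {f['line']}: {f['ip']} -> {f['host']}{flag}")
    print(f"{len(results)} entr{'y' if len(results) == 1 else 'ies'} beyond localhost")
```

An empty result matches what the poster reports in this thread: nothing after the `127.0.0.1 localhost` line.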

#14
dhodge6

There is no data after the 127.0.0.1 localhost line.

#15
greyknight17

Check out this site and see if the information there can help you access Google again.