[josielea]

Here's my daughters hjt log...different comp. Looks like she may need some major help on her comp as well.....

Logfile of HijackThis v1.99.1
Scan saved at 12:38:44 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\defragfat32pi.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.JOSIE\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat32pi.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\RunServices: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\RunOnce: [cueof.exe] C:\WINDOWS\System32\cueof.exe /k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [cueof.exe] C:\WINDOWS\System32\cueof.exe /k
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZCXXXXXXXXUS
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.19/ttinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Advertisements]

Ok, now I can't find what you posted back to me on this site. Maybe I just need help to navigate...LOL. Please repeat your suggestions. Thanks

[sylamore]

Ok, now I can't find what you posted back to me on this site. Maybe I just need help to navigate...LOL. Please repeat your suggestions. Thanks

[gerryf]

s'funny, I could have sworn I responded to this earlier.

First, you're right. Your daughters computer has two worms. You ought to take that one over to the malware forum.

Now, did it help us with your computer....let's see...

First, who set these computers up to use the internet, and were they set up as different times?

On your daughter's computer

start > run, type
ipconfig /all
report back the numbers you see next to DNS servers

[sylamore]

Ok...we typed in what you said on daughter's comp and a box popped up that said "Windows could not find ipconfig/all. Make sure you are typing it in correctly then try to run it again" or something close to that. I also just ran housecall on her comp and it identified the SDBOT worm for sure. Both comp's were set up at the same time by the man who owns our local computer store. Oh, daughter runs Windows XP...does that make a difference on how to pull up what you need? I forgot to tell you that.

[sylamore]

I also took 456 items off of daughter's comp today with Spybot.

[gerryf]

never answer more than 100 forum requests in one day...get sloppy

start > run, type
CMD
enter

then type ipconfig /all

sorry

going to sleep now, shoud have done it hours ago...

[sylamore]

Morning.....Hope you slept well. Now then, numbers next to DNS Servers are: 192.168.1.1 and these are the same numbers next to DHCP Server and Default Gateway. At the top it says IP Routing and WINS Proxy are NOT ENABLED. Thanks

[gerryf]

dns--192.168.1.1
that is your computer (98) or your daughters computer (xp)?

[sylamore]

Hi gerryf...that one was my daughters (XP) my dns is set at 216.98.167.1 and 216.98.167.2 (98).

[gerryf]

that's not right, though...your daughter's computer should not be working with a dns of 192.168.0.1....

on your daughters computer, download the following file (just a simple batch script).

unzip it and run it, and it will create a file called info.txt on your desktop.

Open it and post the contents back

Attached Files

•  ipconfig.zip   358bytes   372 downloads

[sylamore]

gerryf...since my daughter is busy with her comp right now, I'll have to do this sometime tomorrow. Please post here when you are up and ready to tackle this again, ok? Thanks for your help so far and I look forward to us solving all tese problems together....

[gerryf]

This is what I think is going on....I think that your win98 computer has the wrong dns servers hard coded in...but I want to see what your daughter's reads.

If you have dns servers hardcoded AND you are getting ip info from dhcp too, your computer might cycle through each entry. Or your daughters computer might be getting a better, closer dns server than the old one you have in your machine....

I just don't want to delete your's and leave unconnected until I see your daughter's.

That is what I think may be happening.

[sylamore]

Well that all sounds reasonable enough to me (since I am a novice) and I am in agreement with you that I don't want to be unconnected....not at all. I will get what you asked for in the morning and post it back to this thread. Thanks

[sylamore]

Here's the post you asked for from my daughter's comp.



Windows IP Configuration



Host Name . . . . . . . . . . . . : Josie

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Network Bridge (Network Bridge):



Connection-specific DNS Suffix . : company.com

Description . . . . . . . . . . . : MAC Bridge Miniport

Physical Address. . . . . . . . . : 02-01-01-76-EF-AD

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.7

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : Saturday, April 23, 2005 8:31:49 AM

Lease Expires . . . . . . . . . . : Saturday, April 23, 2005 9:31:49 AM

Hope this will give the info you need.....Thanks

[sylamore]

Hi gerryf..I'm sure you have nothing else to do LOL but here's the info you asked for from my daughter's comp.....Hope you are having a nice evening