HiJack Log here: did multi scans/cleans [CLOSED]


  • This topic is locked

#1
Niaren

    Member

  • 20 posts
Well, I started out on the McAfee Virus Removal Forum. I had already done various Safe Mode scans, and online scans with them and they kept saying I was clean, but I knew my machine was NOT running correctly, so I posted there for opinions and help. I'm working from my main machine on a home network, and I honestly think the infection started on my other (ancient) machine. Let a neighbor's kid do some homework, and she turned off the protection in order to download a bunch of stuff without asking me first, then proceeded to cruise the net and even though I discovered what she'd been doing....it was too late, and unfortunately, my main computer was hooked in as well. I noticed a big difference immediately, so did all the usual scans, then the safe mode and online scans and a boot scan on my main machine (slave turned off). All the scans came up as clean, but I knew better. So I downloaded AdAware, and it found and cleaned a few things, then downloaded and ran Trojan Remover, and it found and cleaned some things, then downloaded Spybot S&D and it found some more things that have been cleaned as well. I also downloaded CWShredder. Now it found and removed the CW:About Blank.....and even though I did each with the system restore turned off......then rebooted to complete the clean.....turned on system restore and scanned again......it still finds it each and every time (6 scans in all). I gave up after that, and went ahead and turned on the hidden files and did the HijackThis scan.

Oh....I also went to a2.....did their online scan and removal as well as going to grc and tested the integrity of my system. a2 found and removed a few things too and grc gave me 100% on the integrity check....except for a site my system considered friendly.....then it gave a probe back for unsolicited data, but once the browser closed and tested again integrity was back to 100%.

After I complete this computer, I will shut this one down, turn on the other and repeat all this on my slave (I did download and run AdAware on it and removed over 200 crap cookies and such along with about 43 other entries that had no business being present, so I'm sure everything started on the slave). So, I'll be back with another log eventually for that computer. My entire work week has been spent cleaning this sucker (main computer), so I hope someone here will take pity on me and help me sort out the remnants I KNOW are still present, as my system still isn't up to snuff. Oh.....I got super zapped on my java upgrade. All the old java info somehow got deleted, and I had to do a system restore to a prior state before the java upgrade.....so of course, my MSI Live Update can't even find its homepage now. I don't see the MSJVM on this system now either, but honestly don't even know if it was ever present to start with. I had also run the sfc /scannow when my machine originally came up as "clean".

I use OpenOffice and that's where I found the first trojan attached to the launcher. I was connected to my slave to bring over some files I needed. I also found a Westwood entry and I know that's on the slave and not this computer. Also the Trojan Remover found these, but I just left it as is since I had no clue what it was: D:\Install\GMSIPCI.SYS with reg entry: HKEY_Local_Machine\SYSTEM\CurrentControlSet\Services\GMSIPCI

Also, I haven't gotten an answer from Spybot S&D as yet, but when I checked the advanced settings, I noticed that these programs were autochecked to be ignored (I did not do this. I was just looking around)
LSP.New.net, MySearch, New.net, SideStep

When I first turned on this machine this morning, Spybot S&D also warned me that a registry entry on McAfee Update was being changed. I spent a couple hours getting an answer from McAfee to see if the change should be allowed, i.e. which is the correct registry entry for the McAfee Software? They told me to allow the change, though I told Spybot to remember it.

I just rebooted and left the startup exactly as it is (I normally shut down much of this depending on what I need to do). My hardware monitor PCAlert4 did not start normally, and I was getting hangs and errors when MSI Live Update tried to start so I disabled the MSI start at boot up. Still, PCAlert4 did not start properly. So I left the error box alone and ran the HijackThis scan.

Thanks Sooooooo Much in advance! HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:34:55 AM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\PROGRA~1\mcafee.com\mps\POPUPK~1.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Open systems] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...e/opo0328a.html
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instants...erxsigned41.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinn...ted/haunted.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.co...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...489/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Thanks so much for your help!


#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
O4 - HKLM\..\Run: [Open systems] C:\WINDOWS\svchost.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...e/opo0328a.html


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\svchost.exe - make sure you delete the one in this WINDOWS folder only and nowhere else.

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.

Also give me this log:

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you install it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.
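The fix list above singles out the `[Open systems] C:\WINDOWS\svchost.exe` entry: the genuine svchost.exe lives in System32, so a copy one directory up that is also started from a Run key is a name masquerade. As an added example (not code from this thread or from HijackThis), here is a small Python audit that parses the 'Running processes' block and the O4 lines of a HijackThis log and flags core Windows binary names running from the wrong directory; the sample log is constructed from lines in the first log posted here, and the expected directories assume the Windows XP layout (system root C:\WINDOWS) shown in it.

```python
"""Audit a HijackThis log for core Windows binary names that run from the wrong
directory, the masquerade behind the [Open systems] C:\\WINDOWS\\svchost.exe entry
flagged in this thread.  Added example; not code from the thread or from HijackThis."""
import re

# Expected parent directory for binaries that malware commonly imitates by name.
# Assumption: Windows XP layout with the system root at C:\WINDOWS, as in the
# posted log.  Comparison is case-insensitive because the log mixes cases.
EXPECTED_DIRS = {
    "smss.exe":     {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# O4 autostart line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Leading absolute path of a command line, optionally quoted, optionally followed by arguments.
PATH_RE = re.compile(r'^"?(?P<path>[a-zA-Z]:\\[^"]+?\.exe)"?(?P<args>.*)$', re.IGNORECASE)


def iter_executables(log_text):
    """Yield (source, label, path) for each executable in the 'Running processes'
    block and each O4 entry that carries an absolute path.  O4 entries with a bare
    file name (e.g. [AGRSMMSG] AGRSMMSG.exe) are skipped: the log gives no path."""
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:              # a blank line ends the process block
                in_procs = False
                continue
            yield ("process", "", line)
            continue
        m = O4_RE.match(line)
        if m:
            pm = PATH_RE.match(m.group("cmd").strip())
            if pm:
                yield ("O4", m.group("name"), pm.group("path"))


def audit(log_text):
    """Return one finding per monitored binary name that is not in its expected
    directory.  Each finding records where it was seen and where it should live."""
    findings = []
    for source, label, path in iter_executables(log_text):
        directory, _, filename = path.lower().rpartition("\\")
        directory = directory.rstrip("\\")   # tolerate doubled separators like System32\\
        expected = EXPECTED_DIRS.get(filename)
        if expected is not None and directory not in expected:
            findings.append({"source": source, "label": label, "path": path,
                             "expected": sorted(expected)})
    return findings


# Constructed sample: a handful of lines taken from the first log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Open systems] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        where = f"O4 [{f['label']}]" if f["source"] == "O4" else "running process"
        print(f"SUSPICIOUS: {f['path']} ({where}); expected under {', '.join(f['expected'])}")
```

Run against the sample it reports the rogue svchost.exe twice, once as a running process and once as the [Open systems] Run entry, while the two System32 copies and Explorer.EXE pass.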

#3
Niaren

    Member

  • Topic Starter
  • 20 posts
Ok, here we go. I followed your instructions and the following is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:04:09 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\PROGRA~1\mcafee.com\mps\POPUPK~1.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} -
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instants...erxsigned41.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinn...ted/haunted.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.co...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...489/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


And the following is the TDS3 log w/1 alert.....wouldn't let me copy/paste the Alert, but I typed it in exactly as it appeared......I didn't clean this or anything as I'm going to wait to hear from you.....also the TDS-3 program crashed the minute I pulled up the forum, so I'll have to rescan to get the alert back. The log you requested is as follows:

14:57:53 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
14:57:53 [Init] Started 26-05-05 14:57:53 Eastern Standard Time (UTC: 5), Internet Time @831.86
14:57:53 [Init] Loading TDS-3 Systems ...
14:57:53 [Init] Token successfully adjusted.
14:57:53 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
14:57:53 [Init] • Plugins : OK. Loaded 13
14:57:53 [Init] • Exec Protection : Not Installed
14:57:53 [Init] WARNING: Your Radius.TD3 database needs to be updated!
14:57:53 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
14:57:53 [Init] Licensed users can use the Update facility from the TDS menu
14:57:53 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
14:57:59 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
14:57:59 [Init] • Systems Initialised [56270 references - 29398 primaries/14599 traces/12273 variants/other]
14:57:59 [Init] Radius Systems loaded. <Databases updated 26-05-2005>
14:57:59 [Init] TDS-3 Ready. <Aleta westfall@192.168.1.100, 127.0.0.1 - United States>
14:57:59 [Tip Of The Day] DiamondCS have released many utilities and applications to the global Internet community as FREEWARE! You can download these programs from http://www.diamondcs.com.au
14:57:59 [TDS] Good afternoon Aleta westfall.
14:58:03 [Mutex Memory Scan] Started...
14:58:04 [Mutex Memory Scan] Finished (no trojan mutexes found).
14:58:04 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
14:58:58 [CRC32] Started - verifying 29 files ...
14:59:02 [CRC32] Test finished.
15:00:28 [Memory Scan] Memory scan started, please wait a moment ...
15:00:28 [Memory Scan] Memory scan complete.
15:00:28 [Mutex Memory Scan] Started...
15:00:30 [Mutex Memory Scan] Finished (no trojan mutexes found).
15:00:30 [Trace Scan] Started...
15:00:34 [Trace Scan] Finished.
15:00:34 [ServiceScan] Scanning for services and drivers ...
15:00:37 [ServiceScan] Scanned 293 services and drivers.
15:00:37 [File Scan] Scanning in A:\ ...
15:00:39 [File Scan] Scanned 0 files: 0 alarms in 1.078125 seconds (Avg 1. files/sec)
15:00:39 [File Scan] Scanning in C:\ ...
15:46:14 [File Scan] Scanned 95668 files: 1 alarms in 2735.047 seconds (Avg 35.98 files/sec)
15:46:14 [File Scan] Scanning in D:\ ...
15:46:14 [File Scan] Scanned 0 files: 1 alarms in 0 seconds (Avg -1.#IND files/sec)
15:46:14 [File Scan] Scanning in E:\ ...
15:46:14 [File Scan] Scanned 0 files: 1 alarms in 0 seconds (Avg -1.#IND files/sec)
15:46:14 [Scan] Finished.


Can't copy/paste the alarm; it's as follows:

Alarm: Positive identification <Adv>
Name: Possible ICQ-notifying trojan
File: c:\program files\icqlite\icqliteuninstall.exe

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Check and fix these two in HijackThis:

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} -
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -


No need for a new log.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#5
Niaren

    Member

  • Topic Starter
  • 20 posts
Hi. Things are basically running ok, but the last 2 entries in O16 are still present; they show various normal ActiveX installations. 2 of them show as Damaged, all the others as Installed.

I'm still getting some odd IE window changes in size, or changes in the appearance of icons eg CWS icon changed on my desktop at bootup this morning to the white and blue application square rather than the program icon that was there when I shutdown last night.

TDS3 comes up clean, Spybot comes up clean, CWS comes up clean; however, Trojan Remover 6.4.0 alerts on this for the active malware scan:

This program is called by an NT/XP Services Registry key
D:\Install\GMSIPCI.SYS
An executable file with this name *has not* been located in the path.
The program is loaded by the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GMSIPCI

Again, I left this in place as I've no idea what it is.

The rest of the full system scan is clean. AdAware is clean (found 6 new tracking cookies that I removed), and all my services are up to date. Oh, I did these scans in regular and safe mode and in the Administrator and my own setups.

Oh and on the CWS log it says that I have no JRE setup? I know my java got zapped in an upgrade and I had to go back to an earlier restore point, and the system renamed some folders. I did have to reinstall MSI Live Update to get it working again. Will I need to reinstall both the javas (original is ver 1.3.1_03 in JavaSoft folder 4.35MB vs the renamed folder JavaSoft same ver only shows 975 KB) and another folder Java which shows 57.6MB for jre1.5.0_02. The earlier ver shows in the add/remove programs but the java plugin for 1.3.1_03 in the control panel doesn't give me the java panel, and the new ver doesn't show anywhere except in Programs in its folder.

I know I never said this, but on this computer I have 2 users set up, Administrator (which I never use) and myself which is my default startup as I never logoff. I also completely removed the icqlite toolbar (I think), as it kept causing IE crashes. They stopped with its removal. Basically, things seem to be running smoothly, but I'm still having some really odd stuff going on on an irregular basis. I also shredded the file icqliteuninstall.exe, as it proved to be an ICQ5 security vulnerability being exploited by hackers, and the file removal closed the security hole. Icq is aware of this vulnerability now, and the file removal is the only fix for now until they can address the problem internally.

Also, my firewall has been getting all sorts of unusual traffic alerts from this website:
2005/05/30 11:09:05 65.205.8.58:80 (uuvaadvip3.doubleclick.net) 192.(blank on purpose):1214 KaZaa peer-to-peer file sharing

this also went to D.Ports 1240, 1241, 1247, 1248 and has also shown Event Information as: SNI R&D Network on 1222, also D.Port 1213
The KaZaa only showed up once, and most are just the TCP port in the Event Info, but the same website is listed on each alert. Originating IP is always the same.

Also got this on numerous times in the blocked alerts:
2005/05/30 11:10:05 216.74.132.16:80 192.(blank on purpose):1234 Ultors Trojan / Infoseek Search Agent
IP also jumped from 1234 to 1242 to 1253

Then I got this one:
2005/05/30 11:11:01 216.73.87.188:80 (eqvamdvip1.doubleclick.net) 192(blank on purpose):1251 Port 1251 (TCP)

Not sure if any of this will help you help me, but something funky is going on in my system still.

Thanks!

Shish....let me add this. I was just curious as I know CWS found the "About Blank" when I did the very first scan and I had a hard time removing it, so I did a search for PPC Advertor in my system. I was just watching the scroll zip by and noticed the computer was searching hidden files, but all my settings are set to hide and the search box was unchecked for hidden files in the advanced settings. Is this normal?

Edited by Niaren, 03 June 2005 - 11:09 AM.

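The Trojan Remover alert quoted in the post above is worth understanding on its own: a service entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services whose ImagePath points at a file that no longer exists. Such an orphaned entry is either a leftover from an uninstall (harmless, but worth noting) or the registration for a driver that has been deleted, and the check is easy to reproduce yourself. The script below is an added example, not the thread's code and not Trojan Remover's; it walks the Services key with the standard winreg module on Windows and, elsewhere, runs against a constructed sample. The service name GMSIPCI and the path D:\Install\GMSIPCI.SYS are the ones quoted in the post; the other service names, paths and the fake file list are made up for the demonstration.

```python
"""Flag Windows services whose ImagePath points at a file that is missing.

Added example (not from the thread, Trojan Remover or Microsoft). On Windows
it reads HKLM\SYSTEM\CurrentControlSet\Services; on other systems it runs on
the constructed SAMPLE_SERVICES below.
"""
import os
import re

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def normalise_image_path(image_path, system_root=r"C:\WINDOWS"):
    """Reduce an ImagePath value to a plain file path.

    Handles the \\??\\ prefix kernel drivers use, quoted paths, trailing
    arguments (svchost.exe -k netsvcs), %SystemRoot%, and the relative
    form (system32\\drivers\\foo.sys) that driver entries usually have.
    """
    p = image_path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so only cut at an argument
        # that starts with '-' or '/'.
        p = re.split(r"\s+(?=[-/])", p, maxsplit=1)[0]
    p = re.sub(r"%systemroot%", lambda _m: system_root, p, flags=re.IGNORECASE)
    if not re.match(r"^[A-Za-z]:\\", p):
        p = system_root.rstrip("\\") + "\\" + p
    return p


def find_orphaned_services(services, exists=os.path.exists, system_root=r"C:\WINDOWS"):
    """services: mapping service name -> ImagePath string.

    Returns a list of (name, resolved_path) whose file does not exist.
    `exists` is injectable so the check can run against sample data.
    """
    orphaned = []
    for name, image_path in services.items():
        path = normalise_image_path(image_path, system_root)
        if not exists(path):
            orphaned.append((name, path))
    return orphaned


def read_services_from_registry():
    """Collect name -> ImagePath for every service key (Windows only)."""
    import winreg
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, name) as k:
                    value, _kind = winreg.QueryValueEx(k, "ImagePath")
                    services[name] = value
            except OSError:
                pass  # keys without ImagePath are not loadable services
    return services


# Constructed sample: GMSIPCI and its path are quoted in the post above,
# the rest are invented. SAMPLE_FILES stands in for the file system.
SAMPLE_SERVICES = {
    "GMSIPCI": r"D:\Install\GMSIPCI.SYS",
    "Eventlog": r"%SystemRoot%\system32\services.exe",
    "Fastfat": r"system32\drivers\fastfat.sys",
    "ExampleSvc": r'"C:\Program Files\Example Co\svc.exe" -service',
}
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\drivers\fastfat.sys",
    r"C:\Program Files\Example Co\svc.exe",
}

if __name__ == "__main__":
    if os.name == "nt":
        services, exists = read_services_from_registry(), os.path.exists
    else:
        services, exists = SAMPLE_SERVICES, SAMPLE_FILES.__contains__
    for name, path in find_orphaned_services(services, exists):
        print(f"{name}: {path} not found")
```

Run as Administrator on the machine in question and compare the output with what the scanner reported; an orphaned driver entry with a Start type of 0 or 1 still fails loudly at boot, so these are the ones to clear up first, while a leftover from an uninstalled program can simply be removed once you are sure what it belonged to.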

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, for those O16 entries, if you know what they are for and they are damaged, right click on them to Update or Repair them.

For Java, this is not the same as the java applets you downloaded. The applets are just the small scripts that run on your machine. The actual Java installation will be the program that executes the code in these scripts. I say go to Add/Remove and uninstall all Java versions you have there. Then head back to the Java site and download version 1.4.2 instead of the newest version. 1.4.2 seems to be the most stable.

Regarding those ports on the firewall, do you use the P2P program Kazaa? If you do, that may be the reason for the activity you are seeing. The IP address you blanked out should be ok to post here since it's only your internal IP (usually something like 192.168.0.1 or something similar). No harm there, but glad you took the precaution :tazz:

Did you change those settings to what they are now? I'm not sure what the defaults are myself, but I think it's on hiding system files and folders by default. Does CWShredder still find anything now?
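The firewall alerts quoted in post #5 and discussed in the reply above share one shape: the remote end is port 80 on an ad server, the local end is a climbing series of ports between 1213 and 1253, and the name the firewall attaches (KaZaa, Ultors Trojan, SNI R&D Network) is whatever its static port table lists for that local port number. That pattern is what the replies to a web browser's own outbound requests look like, which is why the labels change from line to line while the remote host stays the same. The script below is an added example, not code from the thread or from any firewall vendor: it parses lines in the quoted format, groups them by remote host, and gives a first-pass reading of each group. The remote addresses and hostnames are the ones quoted in the post; the internal address 192.168.0.2 is constructed (the poster blanked theirs), and the sample timestamps after the first of each group are invented.

```python
"""Group personal-firewall alert lines by remote host and assess them.

Added example, not from the thread or any firewall product. Expected line
format follows the alerts quoted in the post:
    DATE TIME REMOTE_IP:PORT [(hostname)] LOCAL_IP:PORT  label text
"""
import re
from collections import defaultdict

# Constructed sample modelled on the quoted alerts; the local address and
# the later timestamps are made up.
SAMPLE_LOG = """\
2005/05/30 11:09:05 65.205.8.58:80 (uuvaadvip3.doubleclick.net) 192.168.0.2:1214 KaZaa peer-to-peer file sharing
2005/05/30 11:09:06 65.205.8.58:80 (uuvaadvip3.doubleclick.net) 192.168.0.2:1222 SNI R&D Network
2005/05/30 11:09:07 65.205.8.58:80 (uuvaadvip3.doubleclick.net) 192.168.0.2:1240 Port 1240 (TCP)
2005/05/30 11:10:05 216.74.132.16:80 192.168.0.2:1234 Ultors Trojan / Infoseek Search Agent
2005/05/30 11:10:09 216.74.132.16:80 192.168.0.2:1242 Port 1242 (TCP)
2005/05/30 11:11:01 216.73.87.188:80 (eqvamdvip1.doubleclick.net) 192.168.0.2:1251 Port 1251 (TCP)
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) "
    r"(?P<rip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+) "
    r"(?:\((?P<rhost>[^)]+)\) )?"          # hostname is optional
    r"(?P<lip>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+)\s+"
    r"(?P<label>.*)$"
)

# Windows 2000/XP hand out client (ephemeral) ports from this range.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 5000


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["rport"] = int(fields["rport"])
    fields["lport"] = int(fields["lport"])
    return fields


def summarise(text):
    """Group alerts by remote IP: hostname, remote ports, local ports, labels."""
    groups = defaultdict(lambda: {"host": None, "rports": set(), "lports": [], "labels": set()})
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = groups[alert["rip"]]
        if alert["rhost"]:
            entry["host"] = alert["rhost"]
        entry["rports"].add(alert["rport"])
        entry["lports"].append(alert["lport"])
        entry["labels"].add(alert["label"])
    return dict(groups)


def assess(entry):
    """First-pass reading of one remote host's alerts.

    Remote side on a web port and every local port in the ephemeral range
    means the local machine opened the connection; the firewall's name for
    the local port is then just a table lookup, not evidence of that program.
    """
    all_ephemeral = all(EPHEMERAL_LOW <= p <= EPHEMERAL_HIGH for p in entry["lports"])
    if entry["rports"] <= {80, 443} and all_ephemeral:
        return "return traffic from outbound web connections; port-name label is a static table lookup"
    return "unexplained traffic to a non-ephemeral or unusual port; investigate"


if __name__ == "__main__":
    for rip, entry in summarise(SAMPLE_LOG).items():
        host = entry["host"] or "(no reverse name)"
        print(f"{rip} {host}: local ports {entry['lports']} -> {assess(entry)}")
```

The useful follow-up check is the same one greyknight17 suggests: if nothing on the machine should be talking to these hosts at all, look at which local program held those ports at the time (on XP, `netstat -ano` shows the owning process id) rather than at the label the firewall printed.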

#7
Niaren

    Member

  • Topic Starter
  • 20 posts
All scans in normal and safe mode come up clean now (Spybot, AdAware did catch 6 new critical entries with the newest version which I removed, TDS3, CWS, and even went online and did the Trend VS (jic) are all clean) I haven't upgraded Spybot to the new ver as yet, but the dats were updated. Now with icq, I do allow website and file transfer with a handful of people I trust, but even they get stopped and have to wait for my permission. That may be the P2P alert as a friend sent a webpage that was waiting for my authorization when I started up. Also I have a home network. I'm on my old klunker right now cleaning it as this is where the infections started and man oh man what a mess! :help:

I only have one computer on at a time right now, as I don't want them swapping illnesses. Once I have this one done, I'll fire up the main system again. Trojan Remover zapped 10 different trojans over here, AdAware zapped over 300 things the first time through, and after I upgraded to the new ver here it zapped another 17, Spybot got over 30 more red entries plus a ton of tracks I'm unsure about removing right now. After all of that, I downloaded TDS3, but it won't update for me no matter what I do, it keeps saying I need to update it. :tazz: I do have a net firewall, plus individual firewalls, etc on each computer, so I'm going to try one more time to update with full access allowed for TDS3 and see if it'll update that way, otherwise, I'm going to uninstall it and download it again in case the mess on this computer fudged the download. So, now I'm wondering if all the alerts are coming from garbage that was on this machine as I had it completely blocked from the main system as they share the internet connection and I didn't want any passive crud coming through (jic). My connection on the slave kept going dead and I'd find the "Work Offline" checked again, hehe...all the scans and cleans finally fixed that, soooooo.....I'm going to reserve judgement for now till my old clunker is clean, since I obviously had something going on over here that was messing with the connection(s). I know when I ran cleanup it took out over 35mb of crap! This one runs Win 98, and there's so much crap still on this sucker as I can even see entries inside the Startup of Spybot that should have been removed already. Lots of bad file connections, misdirected shortcuts and still showing a ton of tracks that won't go away *sigh*.

Lol.....you want the HJT for this one???? HAHAHA.....I'm still working on my first practice log, and this sucker on this computer is driving me nuts. I'm actually going to try to get TDS3 running and updated and see if it comes up with anything, but so far now all the safe mode scans are coming up clean. I may end up having to call my ISP to see how to remove Netscape from this computer w/out it zapping the internet connection. Somehow it's linked in there and I can't seem to get it to shift over to IE completely so I can uninstall Netscape *sigh, grumbles, sigh*.

I've been looking through files and folders over here and it's truly a mess. I'm finding odd downloads and such in the weirdest places. Honestly, I'd flatten this one and load from scratch, but all my artwork and animations are stored here and naturally the burner is on my main system. ;) I'm on a time limit now as the scanner will be required (ancient printer.....XP doesn't even recognize it!) and I have jobs coming up this week that I'll need this computer for....as the print, scan, fax is all over here. I can access my business email from here, but I'm also paranoid about sending an infected file to one of my clients (not good).

Anyway, I'm going to get this one clean and see if the odd quirks stop on my main system first. Hehe, I'm a tad paranoid about my private IPs on a public forum, that's why I left it blank. Inside GeekU I'd be ok, but.....better safe than sorry. As I am now, for not paying closer attention to my neighbor's kid using my klunker for homework. She had problems downloading and surfing where she wanted to go, so turned off all my protection and gadded about instead of interrupting me to ask for help....now I'm paying the price of my inattention.

I'll post back a HJT log for this sucker in a separate thread once I've gotten to that point. I can already see a few things that need to be removed, but at this point I'm not sure if HJT will do the job and I'll probably end up having to disable somethings internally, then uninstall. Most of the uninstall list got zapped somehow too as very few things appear on the uninstall list now. :help:

Thanks for the suggestion for the java though. I'll do that when I get back to the main system and see how it goes. I'm not exceptionally savvy on many things, so I'll uninstall, download the 1.4* java ver and hope I don't mess up the installation, hehe. Back to cleaning the klunker!

Tah, Niaren

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Don't worry about private IPs. They don't do anything since the user doesn't know your real IP address. No harm either way. Just wanted to let you know :tazz:

Could you move the cd burner to the old 98 computer? If you can, you should probably do that and backup the data. Go for a format. Might be the quickest way if you can't determine the problem at hand.

Regarding Netscape, I don't see how it can be hooked to your internet unless you have Netscape as your ISP? Even then, I would think you can use IE. Does it require some proxy settings? If it does, just set the same settings for IE.

#9
Niaren

    Member

  • Topic Starter
  • 20 posts
You're such a sweetie! :tazz:

I'm not sure how it works. I have Verizon Online, but it's still the original software on this system. I think they asked me to update it once and sent me a special link, but it was right at the change over from Bell Atlantic so I have some weird transitional setup. I know I'd set up IE to be the default browser and that it should check that it was as they told me to (ages ago....as in a few years), then I was supposed to have been able to uninstall Netscape. Well, when I did, it zapped my internet connection, so I called the techs and they sat on the phone with me for well over an hour trying to get it right, but we ended up with me reinstalling Netscape and putting the account info back in there and voila! I was connected again. I know my account is so old that it's grandfathered for the added features at no additional cost, but it has something to do with how the account itself is set up. I think verizon has changed their overall setup now in this area, so I'm going to call the techs in the morning and see if they've figured out how to redo it all so it doesn't have to go through Netscape.

Thanks for the IP info though, if my system is visible at all, then it has a group mask IP assignment....then my net mask, then my personal IP.....but I also have my pet hackers that mess with me when they get bored I think, hehe. I was finally able to actually find one of them. *giggles* He got sloppy so I actually completed a trace, looked him up and sent him an email.....told him I was having a bad day and to please leave me alone today.....less than 2 mins later he stopped and I got a nice smiley email back( :help: :tazz: :help: ;) ) Too funny.

Oh, TDS3 on my other system (ummm this one) never did update.....I uninstalled it and tried again, but it only updated to 05-05-2005.....anyway, I ran the scan and it came up clean, but had some odd entries in it too, so I copied it. I'm going to post to the general malware forum and wait my turn, but I've gone through the HJT log and made notes on what I THINK should be fixed. I didn't even comment on all the odd home pages (yet).....but even the default IE has netscape tacked on at the end. Even though I've not posted my first practice log yet, I figured it wouldn't kill me to take a stab at this one since I already know what's running on this machine. I looked up every single entry too...no cheating. ;)

:help: Gonna put your call in the post title.....even if you aren't the one to assist, you'll see what I'm talking about with the home pages, if you have the time to take a gander at it. It'll be tomorrow morning late probably, as I'm actually going to see if the verizon online techs have a way to work around this grandfather mess now. My actual home page is msn.com, but even the default shows up like this in the log....msn never shows up at all:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html

There are like 6 R1 entries similar to this and one R0...one I know can go as it's yahoo and I uninstalled the suite my neighbor's kid downloaded and installed over here (only one that doesn't have netscape tacked onto it), but my actual home page never shows up at all and I never get redirected. Maybe the verizon guys will help me fix this stuff and then I'll run a new log and it'll be poofed. :help:

Thanks.....you've been GREAT! I actually decided to learn here, help out and such, because I'd posted soooo many places and was 3 days into trying to fix my system, when you breezed by and had me up and running again in next to no time.

Kudos...Pats on Back, etc, etc...ad nauseam :tazz:

;) Tah, Niaren

PS....burner is hardwired not free standing....thinking about trying to zip everything and use 3.5's to transfer as I can scan each disk before unzipping, burning, deleting (cringes)....also went through the disks for this machine and I'm stuck....no separate windows cd....so if I have to reformat the hd, then I'll have to go out and buy the OS *sigh*....I do have XP, but I think this processor is just too slow for it....I'll double check, but I'm pretty sure XP won't run on this sucker. Just trying to think ahead in case things just aren't fixable.

Edited by Niaren, 05 June 2005 - 09:54 PM.


#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Something must have changed then. I have Verizon also and if worse comes to worse, I just reinstall their DSL software and it should be up and running again.

Is this wireless or wired internet? Either way, I think you might have to play around with some settings in the router if you run into problems. Yeah, I guess the best bet is to call Verizon up. If you're lucky, wait time will be about 5 minutes. If not, prepare to wait half an hour or so like I did for my friend. I actually never had any major problems with them.

Did you post a new log somewhere? I don't see it.

Burner? Couldn't you disconnect the cables and take it out? Or are you new to this? It's a very simple thing to do. If you don't want to do it, then use the zip drive I guess. That's bad. You should always have the Windows CD since if a system crashes and you need to reinstall, you will run into problems. Try getting it on eBay or Amazon. XP will not work on two computers. It's only for one PC.

No problem. Just wish I could help you resolve this problem. Doesn't sound like malware anymore, does it? LOL.

#11
Niaren

    Member

  • Topic Starter
  • 20 posts
Yes, I posted the other log just today. Had about a million things to juggle yesterday and by the time I got to posting it was nearly midnight again. So I was going to post today after I checked my main system for jobs....got one on Wed, and the next doesn't start till the 22nd, so I'm safe enough, but then things exploded at home again and I was getting yanked around again. :tazz: I'm coming up clean now with only a few fixes it looks like. Yeah....I agree on the disk as I only have the recovery one, but it puts back the OS as well.....just no straight cd. I've got the key for windows on this thing, but no disk for just windows.....As far as my burner goes....hehe...my main system is still sealed. My techs, that built it, told me if I broke the seal again, they'd turn me over their knees and all take turns whomping me! ;) No, I've installed enough drives to at least "mostly" know what I'm doing, but then again this computer is so old, I'm not sure it'd run on this one anyway. I did medium helicopter repair and avionics.....and have been teaching myself computers since before windows existed, but I've no formal training for computer per se.

Oh, on the post your name is in the 2nd line. Lol....I got straight through to a tech at verizon online. They were able to walk me through a new setup from inside my computer, and I was finally able to uninstall Netscape.

Oh....on XP....I have XP Pro, but use XP Home on the main system....don't ask...techs loaded it....told me not to use pro as I didn't use any of the extra features.....so.....but I did double check and this one can't handle the OS. 98SE is the highest I can go on this one. No zip drive either dear....laborious copy zip file...transfer.....delete....copy another......World Without End!!!! So I'm hoping to get this one at least clean and squared away enough to just dump all the files in my share folder and burn them. And stop making faces at me! :tazz:

Now I have just some odd stuff that I'm unsure of. Mostly the appearance of Rundll32.exe showing up on the running processes ALL the time. I never added Rundll32.exe as an Application to my program list for my firewall, but it was on there and after I blocked it...it still tries to get access to the internet and I know I'm exposed somewhere.....I followed one of the security links for an instant check and it gave me back my personal IP on this machine and told me I was exposed ;) , so I'm wondering if I have something that is now resident on the system. Seems like it would have been caught, but I'm not sure really. And no.....I don't know how to do a bootscan, and I'm not even sure if I have an updated disk for over here to boot from.....probably a boot disk, but not one with the VS on it....well, I might have one, but I know the dats aren't up to date. Haven't redone them in so long hard to say if the info hasn't degraded.

Yeah, yeah I know....I'm kicking myself for not keeping up with this one. I only allowed it access to the internet to let my neighbor's kid do her homework here. Took me an hour to update all the security before I'd let her on! Gads.....why did I bother, as she must have turned it all off shortly thereafter *sigh*. Anyway, I probably need to wipe my VS and firewall and get something new as the programs themselves are pretty far behind as well (McAfee VS is ver 7 along with the firewall). They were the boxed editions and McAfee charges extra for their subscription now for more than one computer....hehe....it still lets me update the scan engine and dats as they see me as my service acct on the other computer.

I disabled some programs for startup that I don't use much as I'm not over here, but that only helped some....I'm sure at least one of them....maybe 2 or 3 of the 4 are corrupted. I'm wondering about the integrity of the VS and Firewall now too. Thanks though for all your suggestions and assistance. I need this one clean and then I'll disable the internet connection and just allow the network one again (oh, I'm hardwired btw on the network) once I'm fairly sure I won't pass any infections back to my main system. Still, once I get all my important work off this one I still think I'll buy the OS and wipe it and reload from there. Like I said, I can do the pain in the backside swaps till things are straight. Normally, I just use this one as storage, but have it set up to use the internet in an emergency, so I really do need to get it up to date and safe again. The log looked fairly clean though. Take a look if you have the time......I messed up my startup though.....put a note in there too. (Another 'You did what?' situations) Just had too many demands on me all at once, and wasn't paying attention. Hard lessons, eh? At least I know I won't repeat them!

Thanks again,
Niaren

#12
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Niaren, just finished your other log there ;)

What was messed up in the startup? Post in the other topic about this problem in more detail as I was kind of lost as to what was messed up.

So I guess we are taking it one computer at a time now :tazz:

For the antivirus and firewall, I recommend using AVG and ZoneAlarm. Both are free for personal use.

If you want to test your security, go to the GRC Site and scroll down (or search for) ShieldsUp. Click on that link and click on Proceed to run the various tests. Mine are all stealth and perfectly hidden. ;)

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.