
My Internet Explorer hangs when trying to access s


  • Please log in to reply
57 replies to this topic

#31 rand1038

Posted 05 August 2005 - 08:47 AM

Not to worry Alain, we have just begun the fight :)

Shut down all programs you are using; at the end of this procedure you will need to reboot, and running programs may interfere with the fixes.

First, make sure your ActiveX settings for the Internet zone are right. Being able to run the scan from CD, which is the Local zone, suggests that perhaps ActiveX is being blocked in the Internet zone. I try to stay away from putting sites in the trusted zone but in this case we'll make an exception.

First shut down Internet Explorer then go to Control Panel > Internet Options
Click the security tab
Click the "Internet" globe icon.
Click the "Custom Level" button, the Security Setting dialog will open.
Click the "Reset to:" drop down and choose "Medium"
Click the "Reset" button next to the "Reset to:" box. Make sure you do this or the procedure will not work. Do this step even if the box already said medium when the Security Setting dialog opened.
Click "Ok" in the Security Settings dialog.
Click the "Trusted Sites" icon.
Enter *.microsoft.com into the "Add this website..." box then click "Add"
Click "Ok" to close both open dialog boxes.
Next, clean up the registry
Download RegCleaner and install it.
Run RegCleaner and click Tools > Registry Cleanup > Do them All
Once the scan finishes close the dialog box
Click Select > All in the top menu
Click the "Remove Selected" button on the lower right.
When all the entries are gone click the "Exit" button
If any monitoring programs ask about changing a registry value be sure to allow it.

Finally, run System Security Suite with the same setup as before and accept the reboot.

See how things work.
Everyone gets specific instructions, disregard what you don't need.
I don't know your skill level.


"I would rather be bruised by the truth than caressed by lies."

The help you receive here is free.
If you can
please help keep us online by donating.



#32 Alain Toogood

Posted 08 August 2005 - 07:23 AM

Right ... back and at it. I had a problem adding the trusted site. I got the following message (trusted sites.jpg) trusted_sites.JPG so I put it in like this (trusted sites2.jpg) trusted_sites_2.JPG which I suspect is not correct. RegCleaner came up with 159 little anomalies, all of which I removed. regcleaner_159_of_159.JPG I ran the System Security Suite but couldn't find the "same setup as before" settings so used the following. SSS.JPG Then rebooted and tried the microsoft website but to no avail.

#33 rand1038

Posted 08 August 2005 - 08:30 PM

System Security Suite remembers its setup so that was all right Alain.

Sorry, I was a bit too hasty in proofreading my post and I failed to mention a step.
First, uncheck "Require server verification..."
Next put the following sites in the trusted zone, clicking Add after each one.
http://*.update.microsoft.com
https://*.update.microsoft.com
http://download.windowsupdate.com

After you get the above in the trusted zone then do the following:
Make a note of what time it is according to your computer's taskbar clock.
Visit windows update.
If the site will not work then open the following file with notepad:
C:\WINDOWS\WindowsUpdate.log

The columns in the file are in the following order:
Date Time PID TID Component Text

We are interested in the first two.
Scroll all the way to the end of WindowsUpdate.log
You should see today's date in the left column. The next column has the time in military (24 hour) format. Scroll up until you are a couple of lines before the time when you went to windows update.
Copy everything from that line to the end and paste it as a reply here.
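As an added example, not code from the thread, the following Python script does the reading of WindowsUpdate.log that the post above describes: it parses each line into its columns, keeps only the entries stamped at or after the clock time you noted before visiting Windows Update, and decodes the HRESULT the thread explains (0x80072EF1). It handles both the newer Date Time PID TID Component Text layout listed in the post and the older v4 layout (Date Time LocalTime Status Component Text) that appears in the excerpt posted later in the thread. The two sample logs are constructed, and the catalog URL in them is a placeholder.

```python
import re
from datetime import datetime

# Layouts handled (both appear in this thread):
#   newer:  Date Time PID TID Component Text
#   v4:     Date Time LocalTime Status Component Text
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<local>\d{2}:\d{2}:\d{2})\s+(?P<status>Success|Error|Warning)"
    r"|(?P<pid>\d+)\s+(?P<tid>\d+))\s+"
    r"(?P<component>\S+)\s+(?P<text>.*)$"
)
HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}")

# Only the code the thread explains; anything else is reported as unknown.
KNOWN_CODES = {0x80072EF1: "ERROR_INTERNET_OPERATION_CANCELLED"}

# Constructed sample in the v4 layout, modelled on the excerpt posted later in
# the thread. The catalog URL is a placeholder, not the real one.
SAMPLE_V4 = r"""
2004-08-09 10:58:01 09:58:01 Success IUCTL Starting
2004-08-09 11:00:54 10:00:54 Success IUCTL Downloaded iuident.cab from http://www.windowsupdate.com/v4/ to C:\Program Files\WindowsUpdate\V4
2004-08-09 11:00:55 10:00:55 Success IUENGINE Starting
2004-08-09 11:01:26 10:01:26 Error IUENGINE Already tried all proxies. Will not retry. (Error 0x80072EF1)
2004-08-09 11:01:26 10:01:26 Error IUENGINE Querying software update catalog from https://catalog.example.invalid/getmanifest.asp (Error 0x80072EF1)
2004-08-09 11:01:26 10:01:26 Success IUENGINE Shutting down
"""

# Constructed sample in the newer PID/TID layout; the error code is just a demo value.
SAMPLE_NEW = r"""
2005-08-09 09:04:12 1492 2380 Agent Online scan started
2005-08-09 09:04:40 1492 2380 Agent WARNING: scan failed (Error 0x80070005)
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in neither layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    codes = [int(c, 16) for c in HRESULT_RE.findall(m["text"])]
    return {
        "when": when,
        "component": m["component"],
        "text": m["text"],
        # The newer layout has no Status column, so an HRESULT in the text is the signal there.
        "error": m["status"] == "Error" or bool(codes),
        "codes": codes,
    }


def entries_since(log_text, since):
    """Entries stamped at or after `since` (a datetime or 'YYYY-MM-DD HH:MM:SS' string),
    i.e. the clock time noted before visiting Windows Update."""
    if isinstance(since, str):
        since = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [e for e in parsed if e and e["when"] >= since]


def describe_code(code):
    """Human-readable name for an HRESULT, or a labelled unknown."""
    return KNOWN_CODES.get(code, f"unknown HRESULT 0x{code:08X}")


def summarize_errors(entries):
    """One line per error entry: time, component, decoded code(s)."""
    out = []
    for e in entries:
        if e["error"]:
            decoded = ", ".join(describe_code(c) for c in e["codes"]) or "no code in text"
            out.append(f"{e['when']:%H:%M:%S} {e['component']}: {decoded}")
    return out


if __name__ == "__main__":
    # Usage: note the time, visit Windows Update, then summarize what the client logged.
    for line in summarize_errors(entries_since(SAMPLE_V4, "2004-08-09 11:00:00")):
        print(line)
```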

#34 Alain Toogood

Posted 09 August 2005 - 02:19 AM

I went back to Custom Settings and it was set to Low, the last time I saw it, it was set to Medium. Ghosts in the machine perhaps. I reset it to Medium.

Time 0904

I added the sites OK and tried to access windows update. The page won't load but it does show a 'Trusted sites' icon, bottom left.

Following are the last few lines of WindowsUpdate.log that look interesting.

2004-08-09 11:00:54 10:00:54 Success IUCTL Downloaded iuident.cab from http://www.windowsupdate.com/v4/ to C:\Program Files\WindowsUpdate\V4
2004-08-09 11:00:55 10:00:55 Success IUCTL Checking to see if new version of Windows Update software available
2004-08-09 11:00:55 10:00:55 Success IUENGINE Starting
2004-08-09 11:00:55 10:00:55 Success IUENGINE Determining machine configuration
2004-08-09 11:01:26 10:01:26 Error IUENGINE Already tried all proxies. Will not retry. (Error 0x80072EF1)
2004-08-09 11:01:26 10:01:26 Error IUENGINE Querying software update catalog from https://v4.windowsup...getmanifest.asp (Error 0x80072EF1)
2004-08-09 11:01:26 10:01:26 Success IUENGINE Shutting down
2004-08-09 11:01:26 10:01:26 Success IUCTL Shutting down

I don't pretend that I understand it but it does seem to back up my inability to access updates!

#35 rand1038

Posted 09 August 2005 - 09:13 AM

Error 0x80072EF1 means ERROR_INTERNET_OPERATION_CANCELLED. I don't see evidence of a firewall in your log. Are you running one? Your proxy is freeserve/wannadoo. Have you been able to access windows update since you started using them? Are you using a local caching nameserver or a router?
HKLM\System\CCS\Services\Tcpip\..\{81EE2F2D-2DAF-4A07-9617-F013DA8BEA7D}: NameServer = 192.168.0.1

Edited by rand1038, 09 August 2005 - 09:14 AM.


#36 Alain Toogood

Posted 09 August 2005 - 12:29 PM

Apparently this (laptop) machine doesn't have a firewall (according to my son!) but the PC to which it is wirelessly linked has Norton Personal Firewall and it's that PC which has the broadband connection. I use Virgin.net for email and internet access but when trying to set up another very old laptop for my sister to access the internet (the process failed) I used a Wannadoo setup CD to check on this machine that it was working (as it wasn't on the old laptop). After we gave up I deleted (nearly) everything Wannadoo but still have an infuriating little Wanadoo logo top right of the Internet Explorer screen. It used to say Internet Explorer courtesy of Wannadoo but I managed to delete the line that caused that in the registry (gulp). Anyway, I couldn't access Windows update before the Wannadoo farce.

RE: Are you using a local caching nameserver or a router? HKLM\System\CCS\Services\Tcpip\..\{81EE2F2D-2DAF-4A07-9617-F013DA8BEA7D}: NameServer = 192.168.0.1

Sorry. I don't understand this. The problem machine (a laptop) is connected to my PC via a 3Com Wireless DSL Gateway (as are my kids' machines and they can get Microsoft updates). The PC is connected to Virgin.net via a broadband connection. I have a sneaky feeling that this isn't what you need to know...

#37 rand1038

Posted 09 August 2005 - 01:35 PM

According to the log Alain, you are having a network related problem connecting to windows update.

Fix the following by running HijackThis with all browsers shut down. Put a check mark in the corresponding box and click "Fix Checked"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing

Let's make sure your LAN connection is set up the same as a computer that can update. Do the following.
  • Run a scan with HijackThis on one of the computers which has a wireless connection to the same router as the one the laptop connects to (I assume you have only one router so this point is probably moot). Save the log from the scan.
  • Check that log and make sure this line is present: O17 - HKLM\System\CCS\Services\Tcpip\..\{81EE2F2D-2DAF-4A07-9617-F013DA8BEA7D}: NameServer = 192.168.0.1
If any of the O17 lines from the working computer are different then post them here please.

#38 Alain Toogood

Posted 10 August 2005 - 11:51 AM

The deeper we delve the more we find...

After interrogating my daughter I find that she CANNOT access Windows Updates at home but CAN when away at university so it's something home based and network related.

To make matters more complicated my son CAN access windows update so he's got a setting that we want... somewhere.

I followed all your earlier instructions and ran HijackThis on both machines.
You asked me to check the O17 line. It was similar to what you expected, but not the same.

s_Hijackthis_line_17.JPG

Urghh, I've just read the bit where you asked me to post the O17 lines so I didn't need the above as they seem to be in the logs. I have bolded them.

When she tries to get windows updates, instead of just hanging, she gets this:

s_look_for_updates.JPG



Clare's (CAN'T access updates) log =

Logfile of HijackThis v1.99.1
Scan saved at 10:36:27, on 10/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Documents and Settings\Clare\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZRxdm072YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095933631250
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F0C1971-9C02-4585-A4E5-64336CFECE5B}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE


Mike's (CAN access updates) log =

Logfile of HijackThis v1.99.1
Scan saved at 18:00:42, on 10/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.srqukmyjf...jjzTuVeK0H.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.pas...uth.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IE Runtimes] winis.exe
O4 - HKLM\..\RunServices: [IE Runtimes] winis.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B4B4B88-8084-40A1-AACA-FF64C153F4E5}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B4B4B88-8084-40A1-AACA-FF64C153F4E5}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B4B4B88-8084-40A1-AACA-FF64C153F4E5}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{3B4B4B88-8084-40A1-AACA-FF64C153F4E5}: NameServer = 192.168.0.1

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

To recap, the O17 lines from my laptop (the original errant machine) are:
O17 - HKLM\System\CCS\Services\Tcpip\..\{81EE2F2D-2DAF-4A07-9617-F013DA8BEA7D}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFE346BD-EB6D-4FBB-BCEB-03A80B997E66}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF378717-BC32-4870-985A-D42C2948544E}: NameServer = 192.168.0.1

Edited by Alain Toogood, 10 August 2005 - 11:54 AM.


#39 rand1038

Posted 10 August 2005 - 03:26 PM

First, I would recommend running Trojan Hunter on all the systems. Your log had no signs of infections but TH was able to find some hidden apps. Your daughter's log appears clean. Mike's shows signs of past and possibly present infections. Trojans have the capability to steal passwords and personal information, including bank information if you have used an infected computer to do online transactions. I would recommend changing all your passwords for online accounts, mail, etc. Once you get that done then do an online virus scan with each at Trend Micro.

On Mike's computer
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.srqukmyjf...jjzTuVeK0H.html
srqukmyjfcqrdoylj.com does not come up as a legitimate site.

O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
Remnant of ciacruel trojan

O4 - HKLM\..\Run: [IE Runtimes] winis.exe
O4 - HKLM\..\RunServices: [IE Runtimes] winis.exe
This is W32/Rbot-ADZ. It may or may not be active. On the linked page notice how it spreads (network shares) and the side effects, which are pretty nasty.

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
There is that radmin entry again. This one can be cleaned by ticking it for fixing. Uninstall the program if it is still on the machine then reinstall it if you want to use it.

Once you are all cleaned up then post back and we'll continue with the windows update problem.

Is the computer that directly accesses the internet the only one that can use windows updates (Mike's)?
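As an added example (not code from the thread, and not part of HijackThis), the Python below triages HijackThis log lines for the same kinds of entries rand1038 called out above (a BHO with no file, a service whose binary is missing, a search-bar host to verify, and the same bare command under both Run and RunServices) and compares the O17 NameServer values between a working and a failing machine, which is what the thread is trying to establish. The two sample logs are constructed from a few lines modelled on the posted ones; the search-bar URL is a placeholder.

```python
import re
from urllib.parse import urlparse

# One HijackThis line: "R1 - ..." or "O23 - ..."; headers and the process list do not match.
HJT_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2})\s+-\s+(?P<body>.*)$")
# O4 autostart entries: HKLM\..\Run: [Name] command   (also RunServices, RunOnce, ...)
RUN_RE = re.compile(r"HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O17 entries end in "NameServer = a.b.c.d[,e.f.g.h]"
NS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d., ]+)$")

# Constructed logs modelled on lines quoted in the thread (not the full posted logs).
FAILING_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F0C1971-9C02-4585-A4E5-64336CFECE5B}: NameServer = 192.168.0.1
"""
WORKING_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.example-search.invalid/page.html
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O4 - HKLM\..\Run: [IE Runtimes] winis.exe
O4 - HKLM\..\RunServices: [IE Runtimes] winis.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B4B4B88-8084-40A1-AACA-FF64C153F4E5}: NameServer = 192.168.0.1
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
"""


def parse_hjt(log_text):
    """Return (section, body) pairs for the R/O lines of a HijackThis log."""
    items = []
    for line in log_text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            items.append((m["section"], m["body"]))
    return items


def triage(log_text):
    """Findings a reviewer should look at, mirroring the entries called out in the thread."""
    findings = []
    autostart = {}  # lower-cased command -> set of registry keys it appears under
    for section, body in parse_hjt(log_text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("O2 BHO with no backing file", body))
        elif section == "O23" and "(file missing)" in body:
            findings.append(("O23 service whose binary is missing", body))
        elif section == "R1" and "Search Bar" in body:
            url = body.split("=", 1)[1].strip()
            findings.append(("R1 search bar host to verify", urlparse(url).hostname or url))
        elif section == "O4":
            m = RUN_RE.search(body)
            if m:
                autostart.setdefault(m["cmd"].strip().lower(), set()).add(m["key"])
    # The same bare name under both Run and RunServices (a Win9x key, pointless on XP)
    # is the pattern flagged for winis.exe; a lone bare-name Run entry is not by itself.
    for cmd, keys in autostart.items():
        if {"Run", "RunServices"} <= keys:
            findings.append(("O4 same command under Run and RunServices", cmd))
    return findings


def nameservers(log_text):
    """NameServer values across all O17 lines (every adapter GUID, CCS and CS1..n alike)."""
    servers = set()
    for section, body in parse_hjt(log_text):
        m = NS_RE.search(body) if section == "O17" else None
        if m:
            servers.update(m["servers"].replace(",", " ").split())
    return servers


def nameserver_differences(working_log, failing_log):
    """Servers configured on one machine but not the other; empty means DNS config matches."""
    return nameservers(working_log) ^ nameservers(failing_log)


if __name__ == "__main__":
    for kind, detail in triage(WORKING_LOG):
        print(f"{kind}: {detail}")
    print("DNS differences:", nameserver_differences(WORKING_LOG, FAILING_LOG) or "none")
```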

#40 Alain Toogood

Posted 11 August 2005 - 02:14 PM

The whole family is on the case now. Mike's machine had 4 trojans, two relating to the Remote Access program, now removed. Clare's laptop and my laptop were clear, as was the PC. Our setup is that the PC is connected to the broadband phone line and the wireless box. The laptop (mine) and Mike and Clare's machines all link in wirelessly. Mike and the PC can access Windows updates; Clare's and my laptop can't. Over to you, if you have the patience of Job :)



#41 rand1038

Posted 11 August 2005 - 08:19 PM

I would like to see exactly what setup you are using.
Go to start > Run and type CMD in the box, click ok.
In the command window that opens, type the following commands, pressing your Enter key after each line. Type them exactly as they appear.
First close all other programs except for IE, if IE is not open then launch it and wait until it fully displays your home page before you do the following.
You can paste to the command line, just right click in the command window.

The commands to type:
cd desktop
ipconfig /all > PostThis.txt
ipconfig /flushdns

In your browser's address bar type: http://www.update.microsoft.com
Wait until windows update attempts to load.

Back at the command prompt, type:
ipconfig /displaydns >> PostThis.txt
Notice there are two ">" this time.

Close the command prompt.

On your desktop you will find a file called PostThis.txt. Open it and find a line that looks like the following:
Physical Address. . . . . . . . . : 00-00-00-00-00-00
The zeros will be numbers/letters.
Delete that line.
Save the document.
Use the attach feature to attach the file to a reply here.

Before you post the reply type the following into the address bar of internet explorer:
207.46.244.253
Have your daughter try the same thing.
Does that get you to the windows update site ok?

Edited by rand1038, 12 August 2005 - 06:01 AM.


#42 Alain Toogood

Posted 12 August 2005 - 02:45 AM

Thanks for persevering...

My laptop file is attached:

Attached File  PostThis.txt   1.42KB   147 downloads

The command line starting [b] didn't work so I just left off the [b].

I entered 207.46.244.253, the line changed to http://207.46.244.25...v6/default.aspx and then hangs there.

Same with Clare's

Clare's PostThis.txt attached but there was no Physical Address line to delete (there was in mine).

Attached File  s_PostThis.txt   1.28KB   150 downloads

#43 rand1038

Posted 12 August 2005 - 08:44 AM

Sorry about the errant [ b]; that is a tag which makes the text bold, but I forgot to put a closing tag on a previous use. Good job figuring it out. :thumbup:

Alain, let's work on only your computer for now until we get it fixed. We don't want to introduce too many variables in case we have to roll back changes made.

Go to Start > Run and type NCPA.CPL into the box and click ok.
"Network Connections" window will open.
Right click your connection and choose "Properties".
Under the "General" tab in the "This connection uses the following items:" box highlight "Internet Protocol (TCP/IP)". Make sure you Do Not clear the checkmark in the box. The checkmark needs to stay there or you will lose all network connectivity and have to set it up from scratch.
With the "Internet Protocol..." highlighted click the "Properties" button.
In the properties dialog that comes up, near the bottom you will see "Use the following DNS server addresses:"
Enter the following in the corresponding boxes:
Preferred DNS Server : 194.168.4.100
Alternate DNS Server: 194.168.8.100

Close all the boxes with Ok and reboot your computer.

Those are the DNS servers for virgin.net. They handle name resolution. When you type an address in the browser they resolve it to an ip address that the internet relays "understand".


How do things work now?

#44 Alain Toogood

Posted 12 August 2005 - 12:12 PM

I did as you advised but no change getting access to Windows updates I'm afraid. When I changed the DNS server numbers I got the following message. Microsoft_tcp_ip_conflict_message.JPG I took the "No" option.

#45 rand1038

Posted 12 August 2005 - 02:18 PM

> I took the "No" option.

That was the correct answer to that question Alain.

Have you run Trojan Hunter on the gateway machine (the one connected to the internet)?

I would like to see a HijackThis log from the gateway machine. Also, what is the IP Address of each of the machines? You can find that by going to start > run and type cmd in the box then type ipconfig at the command prompt and hit enter.

Is windows update the only site that anyone is having problems with now?

On your computer Alain:
Is the windows update error still 404 page cannot be found?
I would like to see a Spybot S&D log.
  • Start Spybot S&D and click Help > About. If you do not have Spybot - Search and Destroy 1.4 then download it here and install it.
  • Click mode > Advanced mode, if that isn't selected yet.
  • Click Tools > View Report.
  • On the View Report screen uncheck (deselect)
    • Include results of last check in report
    • Include uninstall list in report
    • Include process list in report
    • Include list of services in report
  • Click the green/white arrow "View Report" button.
  • Click the disc icon labeled "Export" and save as a txt file to your desktop
  • Attach the report with your reply to the above questions.
