Tech Support Guy banner
Status
Not open for further replies.
1 - 9 of 9 Posts

·
Registered
Joined
·
20 Posts
Discussion Starter · #1 ·
You guys helped me with problems on my PC a couple of months ago. I think I got the "bugs" from accessing the office emails via webmail. Now my boss's home PC is messed up. He can't get online. I have the PC with me, but since I can't connect, I'll describe the problem from my PC.

In Windows Me - as soon as the PC boots up, it launches the dial-up connection. If you close the dial-up window, then it pops back up. If you try to connect, the window disappears, but no icons appear in the systray to indicate that a connection has been established. If you try to connect at this point, it won't let you and says that another program is trying to dial. One time I received a message from McAfee that Windows Explorer 5.50 - Alert - Outbound to UDP/IP protocol on port 1145.

I have created a new connection, but it does the same thing. No matter what I do, I can't connect.

I thought I sent this thread, but I can't find it in the forum - pardon me if I'm duplicating!
 

·
Registered
Joined
·
16,274 Posts
Download 'Hijack This to a floppy and run it on the pc then try to get some of the info here for us please
http://www.spychecker.com/program/hijackthis.html
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the " scan " button will change into a " save log " button.
Press that, save the log , load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
.
 

·
Registered
Joined
·
20 Posts
Discussion Starter · #5 ·
Sorry, I was at work yesterday... here is the log -

Logfile of HijackThis v1.97.7
Scan saved at 10:09:57 AM, on 3/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
A:\HIJACKTHIS.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CHCKNET.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\EARTHLINK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www001.upp.so-net.ne:[email protected]T4LD.BIZ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 00000005
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www001.upp.so-net.ne:[email protected]/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ANTIVIRUS (HKLM)
O9 - Extra button: ENTERTAINMENT (HKLM)
O9 - Extra button: SECURITY (HKLM)
O9 - Extra button: SEARCH (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .AVI: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O13 - DefaultPrefix: http://www001.upp.so-net.ne:[email protected]/c/c.pl?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb025.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37922.6267476852

Also, he does have McAfee Firewall, and I've received two Rule Violation alerts when trying to get online - both said the Program Name is Internet Explorer, Path = c:\Program Files \ Internet Explorer \ Explorer.exe, Rule Violation = Outbound from UDP/IP protocol on Port 68. The second was Port 1026. I mentioned that the connection window continually pops up, but the password is obviously wrong (it's too long), if I try to change it, it tells me that it's an invalid password (but I'm not online... how do it know???). When I try to connect I get an error message that the username and/or password is invalid on the domain.
 

·
Registered
Joined
·
16,274 Posts
Download CWShredder:
http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Run and hit the ->fix tab to fix all found problems

CWS takes advantage of security holes in windows so you should install all critical as well as hotfixes available from windows update.

Then repost a fresh Hijack this log .

Download 'Hijack This!' http://www.spychecker.com/program/hijackthis.html and save it to a folder on your desktop.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
 

·
Registered
Joined
·
20 Posts
Discussion Starter · #8 ·
Here's the new log
Logfile of HijackThis v1.97.7
Scan saved at 11:14:53 AM, on 3/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
A:\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 00000005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .AVI: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb025.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37922.6267476852
 

·
Registered
Joined
·
16,274 Posts
Remove this as well andd you should be good .

O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
 
1 - 9 of 9 Posts
Status
Not open for further replies.
Top