Author Topic: CANY ANY1 HELP?  (Read 12151 times)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
« Reply #40 on: January 31, 2005, 06:00:32 PM »
You did install Windows CleanUp! right?
It's not called System cleanup

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline irish-paddy

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +0/-0
« Reply #41 on: January 31, 2005, 06:20:49 PM »
oh sorry, yeah, yeah windows cleanup. the one u told me 2install.

Offline guestolo

« Reply #42 on: January 31, 2005, 06:45:40 PM »
Make sure that you have that tool Windows CleanUp! installed that I linked you to a couple of times

Save this to a Notepad file on the desktop again

Disconnect from the Internet!!!!!!!

Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot"
For any .dll file, additionally put a mark next to "Unregister .dll before deleting"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"

C:\WINDOWS\_MSRSTRT.EXE

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\a176af[1].js

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\ldrx32c[1].exe

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.4[1].gif

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.6[1].gif

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\loader2[1].ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.10\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.11\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.12\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.13\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.14\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.5\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.6\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.7\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.8\AdStatServX.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.9\AdStatServX.dll


When you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot
Please Reboot into SAFE MODE at this time

Let me know if you can find any of these subfolders
Remember, you may have to Unhide Protected files and folders
from my instructions before
C:\WINDOWS\Downloaded Program Files\CONFLICT.9 <--folder
and the other CONFLICT. sub folders

Also look for those other files and delete them if they exist in your Temporary directory
EG
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.4[1].gif <--file
You should be able to also delete the subfolder
 OT2JQP0H

Stay in safe mode and run Windows CleanUp! by Steve Gould again

Restart back to Normal mode

You should be able to Re-install OUTPOST
TRIAL or FREE version

When, and if you get that error message again
windows explorer has encountered a problem

Is that the whole error message?

Go to
start -> control panel -> Administrative tools -> Event Viewer
on the Applications option, find any errors that occurred after the last time this happened. If you expand event viewer wide enough, you will see an event column. Post any event numbers for the errors. If you double click the error, it will tell you what the error is and little info on that error.

Post back with a fresh Hijackthis log afterwards

Can you also navigate to this key in your registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
Don't delete it!
Instead Highlight ModuleUsage
and then right click on it and EXPORT it
Name it and save it


While you're in the registry can you highlight this key
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls
On the right hand side you will see a long list
Let me know if you see any of these entries that look like this
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll

Exit out of the Registry editor

Navigate to where you saved that EXPORT key
Right click on the entry you exported from the Registry and choose EDIT
Copy and paste the contents back here, thanks
« Last Edit: January 31, 2005, 07:13:45 PM by guestolo »



Guest

« Reply #43 on: January 31, 2005, 08:12:30 PM »
j :)

Offline irish-paddy

« Reply #44 on: January 31, 2005, 08:35:22 PM »
did everything :ph34r:


C:\WINDOWS\Downloaded Program Files\CONFLICT.9  NOT FOUND


C:\WINDOWS\Downloaded Program Files\CONFLICT.9   NOT FOUND


BUT IN HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls  I DID FIND ALOT OF THESE KINDA FILES
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll  



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/aucfg.ini]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.10/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.11/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.12/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.13/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.14/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.4/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.5/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.6/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.7/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.8/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.9/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravllio.vxd]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravonline.dll]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravscan.dll]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravupdt.dll]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravupdt.ini]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/xscan53.ocx]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/loadhttp.dll]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/patchw32.dll]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/runtsckl.exe]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll]
".Owner"="Unknown Owner"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll]
".Owner"="Unknown Owner"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/tmupdate.ini]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

Offline guestolo

« Reply #45 on: January 31, 2005, 09:11:44 PM »
I'll trust that you're a little more comfortable in the registry now

But can you first make a Restore point
START>>All programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and Create

After that is done
Back in the Registry Editor

Navigate to this key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

Expand (+) ModuleUsage
Still on the left hand side look for and left click to Highlight and right click and delete the entries that look like this
C:/WINDOWS/Downloaded Program Files/CONFLICT.1/AdStatServX.dll]

and the one without Conflict in it
C:/WINDOWS/Downloaded Program Files/AdStatServX.dll]

Also navigate to this key
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls
Left click to Highlight shareddlls
On the right hand side again left click once to Highlight and then right click and delete any entries that look like this
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll
and this one without "Conflict"
C:/WINDOWS/Downloaded Program Files/AdStatServX.dll]

After that is done
RESTART your computer, if you can't delete any of those registry entries try in safe mode

Back in Windows
Can you open up that Registry tool you downloaded earlier
Open up RegSrch.vbs
Copy and paste this in the dialog box:
AdStatServX.dll

Hit OK and post back the results

Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Change the save as type to All Files
Name the file as Export.bat
Save this file on the desktop

Quote
regedit /e HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
copy HKLMRun.txt + HKCURun.txt = Output.txt
del /q HKLMRun.txt
del /q HKCURun.txt
notepad Output.txt
del /q Output.txt

Double click on Export.bat
It will produce a log>>Output.txt
Can you copy and paste the Whole contents of the Output.txt back here too, thanks

and one more hijackthis log

Sorry to put you thru a lot, but you had many problems on your computer
Your first log indicated this....
I believe we almost got it all however, just some final cleanup
« Last Edit: February 01, 2005, 01:58:07 AM by guestolo »

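Added example (not part of the original thread or any poster's code): a Python sketch of the check behind the registry cleanup above. It parses a ModuleUsage export, groups files by their `.Owner` CLSID, and reports owners that have no matching O16 DPF line in the HijackThis log. Treating a missing O16 entry as "leftover" is an assumption of this example, and the embedded data is a trimmed excerpt of what was posted in the thread.

```python
import re
from collections import defaultdict

MODULE_USAGE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage"

# Trimmed excerpt of the ModuleUsage export posted in Reply #44 (six keys kept).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/AdStatServX.dll]
".Owner"="{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"
"{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ravscan.dll]
".Owner"="{A3009861-330C-4E10-822B-39D16EC8829D}"
"{A3009861-330C-4E10-822B-39D16EC8829D}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/xscan53.ocx]
".Owner"="{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll]
".Owner"="Unknown Owner"
"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"=""
'''

# The two O16 lines from the HijackThis log in the thread (URL elision as posted).
HJT_LOG = r'''O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"$')
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
O16_RE = re.compile(r"^O16 - DPF: (\{[^}]+\})", re.M)


def parse_module_usage(reg_text):
    """Map each tracked file path to the value of its ".Owner" entry."""
    owners, current = {}, None
    prefix = MODULE_USAGE + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            current = None  # the root key and unrelated keys carry no file path
            if name.upper().startswith(prefix.upper()):
                # ModuleUsage stores the path with forward slashes in the key name.
                current = name[len(prefix):].replace("/", "\\")
            continue
        value = VALUE_RE.match(line)
        if value and current and value.group(1) == ".Owner":
            owners[current] = value.group(2)
    return owners


def registered_clsids(hjt_text):
    """CLSIDs that HijackThis lists under O16 (Downloaded Program Files)."""
    return {clsid.upper() for clsid in O16_RE.findall(hjt_text)}


def orphaned_modules(reg_text, hjt_text):
    """Files whose owning CLSID is no longer listed under O16 (heuristic)."""
    registered = registered_clsids(hjt_text)
    orphans = defaultdict(list)
    for path, owner in parse_module_usage(reg_text).items():
        # "Unknown Owner" marks shared system DLLs; only real CLSIDs are compared.
        if CLSID_RE.match(owner) and owner.upper() not in registered:
            orphans[owner.upper()].append(path)
    return {owner: sorted(paths) for owner, paths in orphans.items()}


if __name__ == "__main__":
    for owner, paths in orphaned_modules(REG_EXPORT, HJT_LOG).items():
        print(owner)
        for path in paths:
            print("   ", path)
```

A hit is only a candidate for review: export the key and create a restore point first, as the post above does, before deleting anything.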


Offline irish-paddy

« Reply #46 on: February 01, 2005, 05:50:15 AM »
Yeah, feel alot better in registry.



still getting this msg  
 
Messenger
Hidden process requests an outbound network connection


Process:      C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
Launced by:   C:\WINDOWS\SYSTEM32\SVCHOST.EXE



Outpost Firewall Pro should:

0 Allow network activity for this process according to application rules
0 Block network access for this process instance


! ..........................process can be controlled by another process and transmit private information.





just got this msg also

| Attack Detection Report   x

attack was detected

attack type   My address
IP Address    localhost:loopback




other programs such as
"Syslog Daemon" and "diinfo"
is requesting an outbound network connection.
details c:\Program Files\TrojanHunter 4.1
         ----thsec.dll


i have just been blocking these. is this a bad thing that they're req outbound net. connection




1.deleted everything in the registry.


2.No instances of "AdStatServX.dll" found in RegSrch.vbs

3.export.bat
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DiTask.exe"="\"C:\\Program Files\\Eicon\\Diva\\DiTask.exe\""
"Divamon.exe"="\"C:\\Program Files\\Eicon\\Diva\\Divamon.exe\""
"Eicon TechnologyLAN_DAEMON"="\"C:\\Program Files\\Eicon\\Diva\\watch.exe\""
"CGServer"="\"C:\\Program Files\\Eicon\\Diva\\cgserver.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.1\\THGuard.exe\""
"Outpost Firewall"="C:\\PROGRA~1\\Agnitum\\OUTPOS~1\\outpost.exe /waitservice"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"



4.Hijackthis log
Logfile of HijackThis v1.99.0
Scan saved at 10:45:16, on 01/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



5. It should be me apologising for putting you thru all this. so sorry and thanks.


p.s. i have to go away here for a couple of days so i wont be on the internet or the computer till thursday. just post me back my next set of instructions and when i get back on thur ill get round to doing them.
cheers B)

Offline guestolo

« Reply #47 on: February 02, 2005, 04:59:50 PM »
That's looking good

"Syslog Daemon" and "diinfo"

All seem to be related to
Quote
Name:   [Eicon NetworksLAN_DAEMON or Eicon TechnologyL]Status:   U
File:   watch.exe

Associated with an Eicon Networks (http://www.eicon.com/worldwide/default.htm) ISDN or ADSL modem. Watch protocols your connection with numbers and duration. You need callvu.exe (from Start Menu) to see your connection statistics. You can manually start watch.exe before you go online. Needs diinfo.exe (started by DiTask) to work correctly which can be started manually
http://castlecops.com/startuplist-1093.html
Should be safe

Process: C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
You have Messenger running on startup
If you don't prefer to run on startup
Right click the MSN Messenger icon by the clock
Enter the options and disable on startup
I prefer to disable this on startup

There is also another Messenger service you should definitely disable if not done already
Next: Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Messenger

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic
Do the same for Alerter
Both are not needed services

Can you try something for me please
Do another scan with Hijackthis and put a check next to these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Enter your Control panel>>>Open NETWORK CONNECTIONS. Then right click on your default connection there and choose properties.

Then click on NETWORKING tab. Then click on INTERNET PROTOCOL. IN the window that comes up
Take note how you are set now
Then click on the obtain DNS SERVER ADDRESS automatically radio button, if not set this way already

Then click ok to close those windows.

RESTART your computer

Hold onto the backup made by hijackthis
If you have troubles, you can restore that backup with Hijackthis
and set your Internet Protocol like it was

If everything seems well with your network connection

Let's try one final scan with TDS-3
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3

Launch TDS-3.You can run this in safe mode.... In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to freeze at times
Detections will appear in the lower pane of tds window after the scan is finished (it'll take a while). Right click the list> select save as txt.>> save this to a convenient location

After saving the scandump go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

RESTART the computer

Post back another fresh hijackthis log and the scandump.txt and let me know how everything's running
« Last Edit: February 02, 2005, 05:05:37 PM by guestolo »



Offline irish-paddy

« Reply #48 on: February 03, 2005, 05:38:23 PM »
:) Hi guestolo. sorry it took so long to reply.

Does that mean that these things requesting outbound net conn. r safe?

done everything,
Done a full system scan saved link http://www.diamondcs.com.au/tds/radius.td3 to the directory and allowed it to overwrite. TDS-3 didnt come back with any results at all.  take it this is a good thing.

heres my log.

Logfile of HijackThis v1.99.0
Scan saved at 22:29:56, on 03/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
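
Added example (not part of the original thread): a Python sketch that diffs the result lines of two HijackThis logs instead of comparing them by eye, keyed by section plus CLSID or entry name. The sample logs are trimmed excerpts of the logs posted in Replies #46 and #48; the identity rules are assumptions of this example, not HijackThis behaviour.

```python
import re

# Trimmed excerpt of the log in Reply #46 (before the O17 fix).
BEFORE = r'''Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
'''

# Trimmed excerpt of the log in Reply #48 (after the fix and restart).
AFTER = r'''Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
'''

# Result lines start with a section code such as R0, O4, O16, O17 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_NAME_RE = re.compile(r"(.*?: \[[^\]]+\])")


def identity(body):
    """Stable part of an entry, so a changed path shows up as 'changed'."""
    clsid = CLSID_RE.search(body)
    if clsid:                      # O2, O3, O16, O17: keyed by CLSID/GUID
        return clsid.group(0).upper()
    run = RUN_NAME_RE.match(body)
    if run:                        # O4 Run keys: hive plus [value name]
        return run.group(1)
    # Everything else: text before the first " = " or " - " separator.
    return re.split(r" = | - ", body, maxsplit=1)[0]


def parse_entries(log_text):
    """Return {(section, identity): full line}; header and process lines are skipped."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            section, body = match.groups()
            entries[(section, identity(body))] = line
    return entries


def diff_logs(before_text, after_text):
    """Classify entries as removed, added or changed between two logs."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": [before[k] for k in before if k not in after],
        "added": [after[k] for k in after if k not in before],
        "changed": [(before[k], after[k]) for k in before
                    if k in after and before[k] != after[k]],
    }


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for line in result["removed"]:
        print("- " + line)
    for line in result["added"]:
        print("+ " + line)
    for old, new in result["changed"]:
        print("~ " + old)
        print("  " + new)
```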

Offline guestolo

« Reply #49 on: February 03, 2005, 06:37:35 PM »
Everything looks good Irish Paddy
User preference if you want to allow those Outbound traffic
The ones related to your DSL Modem you may want to allow
I suppose when and if you use MSN Messenger you will have to allow it access
If you don't need it running on startup, do as I said and disable it

When your time's up with TrojanHunter be sure to disable TrojanGuard by the clock ahead of time and then uninstall it

Make sure you install Spyware Blaster and IE-Spyad

If everything's running better I would disable System Restore one last time and restart your computer and then re-enable it
« Last Edit: February 03, 2005, 06:42:25 PM by guestolo »



Offline irish-paddy

« Reply #50 on: February 03, 2005, 07:50:46 PM »
:D can't believe everything's fixed!!!!!! :D brilliant!

Here remember the file "C:\78a710ce9dfe875110\sp2" that wouldn't let me access? take it that's no harm then.

Thanks 4 all ur help guestolo u've been absolutely great!!!!! If there's anything i can ever do for u just let me know. i'll send u over sum irish spuds or sumfin :rolleyes:

Offline guestolo

« Reply #51 on: February 03, 2005, 08:18:42 PM »
I forgot all about that file
What happens when you scan it at this Online Malware scan
Not sure if this will work, It sounds like part of the sdbot virus

Can you go to this site please
Give the link time to load
http://virusscan.jotti.dhs.org/
Use the Browse button at the top of that link's page and navigate to this file
sp2.exe <--I'm assuming it has the .exe extension
Right click on it and Select it
Use the Submit button on the site
Wait for the scan results and post them back here

Also what version of Windows do you have PRO or HOME
If you're unsure go to
START>>RUN>>type in winver
Hit OK



Offline irish-paddy

« Reply #52 on: February 04, 2005, 08:17:32 AM »
no it doesn't say sp2.exe, it's just a folder inside c:\78a710ce9dfe875110.

i was selecting it and trying to upload it but it was just saying access is denied.

i'm using the windows home version xp.

i also scanned the folders with tds-3 and it found nothing

Offline irish-paddy

« Reply #53 on: February 04, 2005, 09:37:33 AM »
i was also trying to delete it but it wouldn't delete.

i'm going to download winmx now, this folder sp2 won't do any real harm will it?  if u tell me how i can just delete it

Offline irish-paddy

« Reply #54 on: February 06, 2005, 03:23:17 PM »
is it ok to leave this file there or will it have to be deleted?

Offline guestolo

« Reply #55 on: February 06, 2005, 03:29:35 PM »
I'm not sure what it's related to

No extension
Are you sure that you're showing extensions for known file types?
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

You can try and take full control of it
Remember you will have to start in safe mode to see the Security tab
http://support.microsoft.com/default.aspx?...;308421&sd=tech



Offline irish-paddy

« Reply #56 on: February 06, 2005, 06:56:31 PM »
B) done what u said, there was a folder inside sp2 called update and a file in that folder called 'update.exe'

done the online scanner thing and it said the file was fine.

also do u know how i can change my settings so my comp will allow me to access my Email Removed, after i type in my password it doesn't let me into my inbox or anything.

cheers
paddy

Offline guestolo

« Reply #57 on: February 07, 2005, 01:20:24 AM »
You can leave that folder and file alone
You can also go back and hide hidden files and folders

Hotmail
Try this
In Internet Explorer, on the Tools menu, click Internet Options, and select the Content tab
Under Certificates, click Clear SSL State
Click OK when you receive the message that the SSL cache was successfully cleared
Under Personal information, click AutoComplete
Under Clear AutoComplete history, click Clear Forms. Click OK when you are prompted to confirm the operation.

Verify that Internet Explorer is configured to use SSL 2.0 and SSL 3.0:
In Internet Explorer, on the Tools menu, click Internet Options, and select the Advanced tab
In the Settings box, under the Security header, click to select the Use SSL 2.0 and Use SSL 3.0 check boxes (if they are not already selected), and then click OK
Or click the RESTORE DEFAULTS at the bottom of the Advanced box

Verify that the Date and Time Settings on Your Computer Are Correct:

Go to START>>RUN
type in
regsvr32 softpub.dll
Hit OK
Do this with all browser windows closed

Restart your computer

Visit windows updates and get ALL latest Critical updates
Don't install the recommended unless needed
Don't install Service pack 2 at this time
Restart your computer when prompted

Some more info
http://www.duxcw.com/faq/win/xp/secure.htm
« Last Edit: February 07, 2005, 01:28:21 AM by guestolo »



Guest

« Reply #58 on: February 07, 2005, 02:39:55 PM »
:D cheers guestolo u fixed yet another problem.

thankx :rolleyes:

Offline guestolo

« Reply #59 on: February 07, 2005, 03:04:36 PM »
Good work irish
What was the fix to your Hotmail problem?

Just for future reference
And may be of some help to others
