
DSL to Cable internet switch not working

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2005/10/21.

  1. 2005/10/21
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I'm going to try tonight to help a friend with his internet connection problem. He recently switched from DSL service to Cable internet and since switching he is not able to connect to any web sites. The DSL connection was working just fine. He called the cable company and they have replaced the modem and a technician spent 4 hours trying to get it working but ended up saying that the problem is with his PC. He is running WinXP (wasn't sure if it was Home or Pro). I suspect the problem to be a setting of some kind that needs tweaking, but I haven't seen the PC yet so I don't know. It might also be a spyware/virus problem, but that seems unlikely since the DSL connection was working fine.

    I thought I would try here to see if anyone has any suggestions on what to look at/try before I go and take a whack at it.
     
  2. 2005/10/21
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    BillB--Just tossing out ideas. It is hard to believe the cable tech would not have tried most all this.
    Does your friend own the modem or is it rented? Did the tech try another modem?
    You should examine the connection of the modem to the PC. If it is USB, is the USB port on the PC working OK with some other USB device (such as a flash drive). If yes, perhaps the connection should be Ethernet instead of USB. (That takes a different cable or adapter, and of course an Ethernet input port on the PC or you would have to take off the tower's case to make the connection.)
    If any other PC is available for testing, do the modem and cable service work with it?
    Look at Device Manager to see what it has to say about the Network Adapters (right click|Properties/working properly? etc.). Ditto Control Panel|Network Connection.
    What do the modem's status lights show? Do they show that the modem is connected to power? Do they show it is connected to the internet? (If no to the latter, then the problem is not with the PC.)
    Disable the firewall?
    I am sure you know about pinging for existence of a connection. And I am assuming your friend cannot get email as well as not access the internet.

    There are settings that "optimize" cable performance. I suppose it is possible the existing settings are so off that they would not permit connection to the internet. In fact, you might even try this first, since most cable techs will not tell you about this or even try it.
    http://www.dslreports.com/tweaks
    http://www.broadbandreports.com/faq/tweaks
    If you cannot fix things (and the tech has already failed), your friend should immediately cancel the cable account and not pay for service not received. Is there any competing broadband service?

    Thought of two other things.
    1) Perhaps the Winsock is corrupt. The fix depends on version of Windows, which you have not told us.
    For WinXP
    http://www.snapfiles.com/get/winsockxpfix.html
    or from here with link to tutorial
    http://www.bleepingcomputer.com/files/lspfix.php

    2) If not WinXP, post back for another Winsock fix, but also check the possibility that the modem needs an updated driver
    http://www.modem-drivers.com/
     
    Last edited: 2005/10/21


  4. 2005/10/21
    BillB (Thread Starter)
    Welshjim,

    Thanks for the reply. The OS is WinXP, I'm just not sure of what flavor yet. The cable tech did switch out the modem but that didn't help. The connection to the PC is ethernet, which is good. I'm going to check the TCP/IP properties and the network adapter, supposedly the cable tech already did that, but I'll do it anyway. I thought about the Winsock thing and have already downloaded a fix tool if needed. He said he can't get out to anything so I'm assuming that means email doesn't work either.

    I have cable internet with the same provider, so I'm familiar with the setup and can hopefully figure out what the problem is and get it going. Thanks for the tips, you've got me thinking about more things to look at/try that I hadn't previously.

    If I don't get it going tonight I'll at least have more information to post back with later.
     
  5. 2005/10/21
    BillB (Thread Starter)
    I think this needs to be moved to the spyware removal forum now.

    I have the PC with me to clean up; I'm surprised that it even runs. I recognized at least 6 or 7 spyware apps in the Add/Remove list alone. They have no spyware or anti-virus protection on the machine and it appears to be loaded with spyware at the least. I installed Spybot and scanned with it; it found 317 items. When I tried to fix them, the progress bar gets about 25% across the screen and the program just disappears. I tried in Safe Mode and the same thing happens. I'm adding the HJT log to this to get a start on cleaning it up. Any help would be appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:58:42 PM, on 10/21/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\stgfbpk.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Przukh\Cezp.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Media Gateway\MediaGateway.exe
    C:\WINDOWS\System32\drwp1res.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\dmsfd.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\tmp\Hijackthis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search123.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=123377
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search123.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://search123.biz/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://onlinehelp.verizon.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O2 - BHO: surebar Helper - {D3F01312-8A3D-4D41-A4FA-FB61D295CB6B} - C:\WINDOWS\System32\surebar.dll
    O3 - Toolbar: Search Bar - {270B845C-712C-4773-BEE0-AE2D2001CD0F} - C:\WINDOWS\System32\surebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [¢â€°¸u0–4C
    }ïÃzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\stgfbpk.exe
    O4 - HKLM\..\Run: [¢â€°¸u0ÔÃß]*ú "ü‰üžigÃC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\stgfbpk.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Kfbsqe] C:\Program Files\Przukh\Cezp.exe
    O4 - HKLM\..\Run: [¢â€°¸u0Ô@ÔÃß]*ú "ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\stgfbpk.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [tFET3FQ] drwp1res.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [cox3RPc3X] dmsfd.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c356.cab
    O16 - DPF: {B8AB2281-447F-482B-86E9-1F0ED5973637} - http://www.isurfplus.com/sure.cab
    O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
     
  6. 2005/10/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I started plowing into this mess with instructions for cleaning. After about 30 minutes of writing instructions or giving links, I decided to suggest to you what I would do if this thing were mine - save the owners data files and format/reinstall from a clean system. Otherwise I'm not really sure there is any way you can get all of the spyware/malware/trojans/etc. gone from the system.

    If you decide to try for a cleaning, here is what I put together before I quit. My suggestion would be to disconnect the affected PC from the internet and any local network, visit the 'removal instruction' sites listed and print their instructions, do what cleaning is suggested, then run another HJT log to post for further instructions.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    All of these need to be checked for removal. If your friend really wants to use a blank home page, create a page in Word or similar, save it as HTML with the name Blank.htm, and use that for the home page.
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search123.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=123377
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search123.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://search123.biz/

    if Verizon is providing his service, this one can stay
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://onlinehelp.verizon.net/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    removal tool for adware.websearch is Here
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
    These 4 should go away when you run Symantec's removal tool, so leave them until after that is done.

    removal tool for this critter is Here
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll


    removal instructions for adware.sidefind is Here
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

    removal instructions for adware.surebar is Here
    O2 - BHO: surebar Helper - {D3F01312-8A3D-4D41-A4FA-FB61D295CB6B} - C:\WINDOWS\System32\surebar.dll
    O3 - Toolbar: Search Bar - {270B845C-712C-4773-BEE0-AE2D2001CD0F} - C:\WINDOWS\System32\surebar.dll

    removal instructions for adware.istsvc is Here
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [¢â€°¸u0–4C
    }ïÃzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\stgfbpk.exe
    O4 - HKLM\..\Run: [¢â€°¸u0ÔÃß]*ú "ü‰üžigÃC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\stgfbpk.exe

    This stuff will for sure need to go if the above removal processes haven't already gotten rid of it. Make sure you check for any .exe files listed, and if the removal didn't get rid of them, get rid of them.
    O4 - HKLM\..\Run: [Kfbsqe] C:\Program Files\Przukh\Cezp.exe
    O4 - HKLM\..\Run: [¢â€°¸u0Ô@ÔÃß]*ú "ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\stgfbpk.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    not really spyware but unneeded system sludge
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [tFET3FQ] drwp1res.exe
    O4 - HKCU\..\Run: [cox3RPc3X] dmsfd.exe
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...bridge-c356.cab
    O16 - DPF: {B8AB2281-447F-482B-86E9-1F0ED5973637} - http://www.isurfplus.com/sure.cab
    O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
     
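    The review Newt does by hand above (hijacked R0/R1 start and search pages, BHOs and toolbars nobody recognises, Run entries with garbage names or bare filenames, ActiveX .cab downloads from odd hosts, services with an unknown owner or a missing binary) can be turned into a first-pass filter over a HijackThis log. The script below is an added example for this thread; it is not part of any post here and not HijackThis code. The sample lines are copied from the log posted above; the trusted-host and known-good-CLSID allowlists are assumptions chosen for illustration and are deliberately small. It also flags the ProxyServer = :0 entry, which is worth checking against the original "can't reach any site" symptom. Mechanical tells only: an entry such as ISTsvc in Program Files with an ordinary name still has to be recognised by the person reading the log.

```python
"""First-pass triage of a HijackThis 1.99 log. Added example, not HijackThis code.
Allowlists are illustrative assumptions; a clean result is not a clean machine."""
import re
from dataclasses import dataclass

# Assumed allowlists (illustrative, not authoritative).
TRUSTED_PAGE_HOSTS = {"www.microsoft.com", "www.google.com", "onlinehelp.verizon.net"}
TRUSTED_CAB_HOSTS = {"java.sun.com", "download.macromedia.com", "v4.windowsupdate.microsoft.com"}
KNOWN_GOOD_CLSIDS = {
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper.dll
    "{8E718888-423F-11D2-876E-00A0C9082467}",  # IE &Radio toolbar, msdxm.ocx
}
SEARCH_PATH_OK = {"rundll32.exe"}  # legitimately launched by bare name from Run keys
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
WINDIR_OR_SYS32 = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)


@dataclass
class Finding:
    line: str
    reason: str


def _host(url):
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def _first_exe(command):
    """Return the program an O4 Run command launches, quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).strip()
    m = re.match(r"(.*?\.(?:exe|com|bat|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def triage_line(line):
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    line = line.strip()
    if " - " not in line:
        return None
    tag, rest = line.split(" - ", 1)

    if tag in ("R0", "R1"):  # IE start/search pages and proxy settings
        key, sep, value = rest.partition(" = ")
        value = value.strip()
        if not sep:
            return None
        if key.endswith(",ProxyServer") and not re.fullmatch(r"[\w.\-]+:\d+", value):
            return Finding(line, "ProxyServer has no host; with proxying enabled this blocks all browsing")
        if value.lower().startswith("http") and _host(value) not in TRUSTED_PAGE_HOSTS:
            return Finding(line, "IE start/search page points at an untrusted host (hijack)")
        return None

    if tag == "R3" and "(no file)" in rest:
        return Finding(line, "URLSearchHook registered for a file that no longer exists")

    if tag in ("O2", "O3"):  # browser helper objects and toolbars: default-deny
        parts = rest.split(" - ")
        clsid = next((p for p in parts if p.startswith("{")), "")
        path = " - ".join(parts[parts.index(clsid) + 1:]) if clsid in parts else parts[-1]
        if clsid in KNOWN_GOOD_CLSIDS:
            return None
        why = "unrecognised BHO/toolbar CLSID; verify the vendor before keeping it"
        if WINDIR_OR_SYS32.match(path):
            why += "; DLL dropped straight into the Windows directory"
        return Finding(line, why)

    if tag == "O4":  # Run keys; Global Startup shortcuts are left for manual review
        m = re.match(r"HK(?:LM|CU)\\\.\.\\Run: \[(.*)\] (.*)$", rest)
        if not m:
            return None
        name, command = m.group(1), m.group(2)
        if any(ord(c) < 32 or ord(c) > 126 for c in name):
            return Finding(line, "Run value name contains non-printable or non-ASCII bytes")
        exe = _first_exe(command)
        if "\\" not in exe and exe.lower() not in SEARCH_PATH_OK:
            return Finding(line, "launched by bare filename, resolved through the search path")
        if WINDIR_ROOT.match(exe):
            return Finding(line, "executable sits directly in %WINDIR%; installers rarely put Run entries there")
        return None

    if tag == "O16":  # ActiveX downloads
        if _host(rest.rsplit(" - ", 1)[-1]) not in TRUSTED_CAB_HOSTS:
            return Finding(line, "ActiveX .cab pulled from an untrusted host")
        return None

    if tag == "O23" and ("Unknown owner" in rest or "(file missing)" in rest):
        return Finding(line, "service with no publisher or a missing binary")
    return None


def triage_log(text):
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search123.biz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://onlinehelp.verizon.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [¢â€°¸u0Ô@ÔÃß]*ú "ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\stgfbpk.exe
O4 - HKLM\..\Run: [tFET3FQ] drwp1res.exe
O4 - HKCU\..\Run: [cox3RPc3X] dmsfd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {B8AB2281-447F-482B-86E9-1F0ED5973637} - http://www.isurfplus.com/sure.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

    Run it against a saved hijackthis.log with `triage_log(open("hijackthis.log", encoding="cp1252", errors="replace").read())`. The point of the design is the direction of the default: BHOs, toolbars and ActiveX downloads are flagged unless they are on a list you control, because a log like the one above has far more unknown entries than known ones, and anything the filter passes still gets read by a person.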
  7. 2005/10/21
    BillB (Thread Starter)
    Hi Newt,

    Unfortunately, the wipe and reinstall isn't an option right now, so I'm stuck with trying to get it clean. I'll follow what you've posted and get a new HJT log posted as soon as I'm done. I did get Adaware to install and run; it only found 1190 critical items to remove. It did get them all, thank goodness. AVG is running right now; it's up to 5 viruses found so far. Wow, I don't know how they have lasted this long with this machine. Thanks very much for the help, I'll post back with the new log soon.
     
  8. 2005/10/23
    BillB (Thread Starter)
    Wow, what a chore. Some of the removal tools ran for hours; it took most of the day yesterday to get through everything. I did get Adaware, Spybot and AVG to run successfully as well, and all of them cleaned up several items. It is definitely running a lot better. When I brought it home, the available memory sitting at the desktop after startup was 14 MB (the machine has 256 MB); it now has about 110 MB available.

    Here's the new HJT log, hopefully this thing is on the road to recovery.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:09:30 AM, on 10/23/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\tmp\Hijackthis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  9. 2005/10/23
    Newt
    That does look lots better.

    if the user has Microsoft Picture It, this is fine since it checks for application updates. If not, it is just sludge and should be removed via HJT scan and checking the item
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    Legit, but absolutely not needed at every startup; they just slow the system a little with no benefit to the user.
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Interesting and maybe legit or maybe not.
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    The file is normally needed to run windows automatic updates. However, from reading I think it should run then quit and I have no idea why you are seeing two instances. I can find version number detail for XP SP2 but not for SP1 so I can't give you specifics but I would check file properties and make sure it is at least a Microsoft file. There appear to be a few baddies using that name. Not normally going to be able to run from \system32 but this PC was pretty badly damaged so I would not take chances. Probably best to turn off automatic updates, reboot, and see if you still see the process running. If so, that would raise a red flag.

    I'd also suggest running a virus scan from an online scanner (see quicklinks) rather than assuming the onboard one isn't damaged.

    Get Rootkit Revealer and do a scan. It should show if there are some clever critters that are hiding from our checking efforts.

    Get SP2 on the PC. Soonest.
     
  10. 2005/10/24
    BillB (Thread Starter)
    Hi Newt,

    It definitely does look a lot better, runs a lot better also.

    I'll check on the Microsoft Picture It, I don't remember seeing it in the program list but I'll verify.

    I'll probably delete the quicktime and real player entries also, to me they are unnecessary overhead.

    I was wondering about the wuauclt.exe entries, I thought it was kind of strange to see two of them. I'll check out the properties and follow the suggestion to turn off auto update and see if the entries still show up.

    I'll try the Rootkit Revealer and see if it comes up with anything, I'm also going to run something that Oshwyn5 recommended to me in another cleanup called A-Squared for removing trojans, spyware, etc. It found stuff the others didn't before.

    I told the owner last night that I am going to put SP2 on it before returning it to at least give them the windows firewall protection. I also recommended installing ZoneAlarm and at least using the free version if nothing else.

    I plan to go online with it while I have it (mainly to make sure it doesn't have any problems getting on the net) to update Spybot and such and to use an online virus scanner as well.

    I'll post back when I've checked this stuff out and with the results of the Rootkit scan and the ASquared scan.

    Thanks for all your help on this, I appreciate it and I'm sure the owner does too.
     
  11. 2005/10/24
    BillB (Thread Starter)
    Hi Newt,

    They do have Microsoft Picture It, so I left the WkUFind.exe entry alone. I did remove the realsched and qttask entries. I left the wuauclt.exe entries; I checked the file properties and it looks like a legit MS file. I don't know why there are two entries; they have Auto update set to 'download and let me decide what to apply'.

    Rootkit did identify one thing that I can't seem to get rid of. There is a file in c:\documents and settings\owner\favorites called MyRealPics with a size of 0K. I tried Killbox, but unless I'm doing it incorrectly it still won't go away. Any idea how to get rid of this one?

    I'm going to put the machine online this evening via my network and make sure Spybot, Adaware, AVG, Spyblaster and such are up to date, then rerun scans. I'm also going to do an online scan with it.

    Let me know if you need another HJT log.
     
  12. 2005/10/24
    Newt
    There may be contents that MoveOnBoot won't remove but I haven't found any yet.

    A last HJT log after you are all cleaned up and have been surfing a while would be interesting but it sounds like you are pretty well on top of the problem.

    Any chance the user will keep the protection current? LOL, never mind. Silly question. :rolleyes:
     
  13. 2005/10/24
    BillB (Thread Starter)
    I found a hit doing a search in another spyware forum that recommended deleting the file from a command prompt and it worked for the person that tried it. I'll give that a try and if it doesn't work I'll try the moveonboot.

    I put the machine online and updated all the spyware/anti-virus stuff and ran new scans. AVG found a couple more files but that was all. I am running the etrust online scan right now. (side note, I tried to do the RAV online scan but it is no longer available.)

    When the online scan is complete, I'll post another HJT log before applying the SP2 update.

    You asked if there's any chance they will keep the protection current, it's been my experience that you can lead a horse to water, but...... somehow I keep seeing the same PC's about every 6 mos or so because they are running slow or can't get on the net. The first question is always "are you keeping the spyware and antivirus software up to date and running scans on a regular basis?" And of course, the answer is usually, well, not exactly. Usually when I get the machine the definitions are months old. To me, 15 or 20 mins. each week to do updates and run scans is a lot better than being without my PC for days while it is getting cleaned up from a mess like this.
     
  14. 2005/10/24
    Newt
    Thanks for noticing the RAV issue. We'll remove that entry.

    MoveOnBoot is a handy tool and I keep a copy on all my PCs.

    I notice the PC in question here belongs to a friend but from experience, I have started telling friends that I'll happily clean once for them but after that, I will charge.
     
  15. 2005/10/24
    BillB (Thread Starter)
    I've been told by several people that I should charge for the cleanups also. I have just not felt right doing so since I get so much help from this forum when doing the cleanups. I've been considering it a lot lately though, since I seem to keep seeing the same ones over and over.

    I'm sorry to see the RAV scanner go, I liked using it.
     
  16. 2005/10/24
    BillB (Thread Starter)
    Newt,

    Here's the latest HJT log. The online etrust scan found 28 infected files, all in the temporary internet file folder, which I deleted. Hopefully this thing is ready for prime time again once I apply SP2.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:46:46 PM, on 10/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\macromed\flash\GetFlash.exe
    C:\tmp\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
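As an added example (not from this thread and not part of HijackThis), here is a small Python triage helper that parses the O2, O4, O16 and O23 line shapes in the log above and lists the entries a reviewer should read first: unnamed BHOs, autostarts that launch from outside the usual Windows and Program Files locations, and ActiveX controls pulled from the web. The sample is constructed: five lines are copied from the log, and the `[example]` Run entry is made up to show a startup item living in a Temp folder.

```python
import re
from urllib.parse import urlparse
# Line shapes found in the HijackThis 1.99.1 log above; helper written for this thread, not a HijackThis component.
PATTERNS = {
    "run": re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$"),
    "bho": re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$"),
    "service": re.compile(r"^O23 - Service: (?P<name>.+?)(?: \([^)]*\))? - (?P<company>.+?) - (?P<path>.+)$"),
    "dpf": re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<path>.+)$"),
}
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # usual XP autostart homes

# Constructed sample: five lines copied from the log above plus one made-up HKCU Run entry ('example').
SAMPLE_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKCU\..\Run: [example] C:\DOCUME~1\user\LOCALS~1\Temp\example.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
"""

def exe_path(cmd):
    """Executable (or the DLL on a rundll32 line) from a Run/Service value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted long path followed by switches
        return cmd[1:cmd.index('"', 1)].strip()
    m = re.search(r"[A-Za-z]:\\[^,]*?\.(?:exe|dll)", cmd, re.IGNORECASE)
    return m.group(0) if m else cmd.split()[0]

def parse_hjt(text):
    """One dict per recognised line: its kind plus the regex's named groups."""
    entries = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                entries.append({"kind": kind, **m.groupdict()})
                break
    return entries

def triage(entries):
    """Entries a reviewer should look at first; each still needs a human verdict."""
    findings = []
    for e in entries:
        if e["kind"] == "bho" and e["name"] == "(no name)":
            findings.append(f"unnamed BHO {e['clsid']} -> {e['path']}")
        elif e["kind"] in ("run", "service") and not exe_path(e["path"]).lower().startswith(TRUSTED):
            findings.append(f"{e['kind']} [{e['name']}] starts from unusual location: {exe_path(e['path'])}")
        elif e["kind"] == "dpf":                 # ActiveX control downloaded from the web
            findings.append(f"ActiveX control '{e['name']}' fetched from {urlparse(e['path']).netloc}")
    return findings
```

The flagged list is a reading order, not a verdict: the unnamed BHO it reports here is Spybot's SDHelper, and the O16 entry is the CA web scanner used in this thread.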
     
  17. 2005/10/25
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Newt,

    I was able to get rid of that pesky 0K file by deleting it from the command prompt. I have SP2 applied and have it back online on my network and all seems fine so far. Is it safe to say it's ready to go home?
     
  18. 2005/10/25
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Sounds like it is. I would have taken bets that system was beyond help but I think you done good.
     
  19. 2005/10/25
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
Thanks to you, I couldn't have done it without your help. I was worried when I read your first post that it was beyond hope, but I figured I should give it a try anyway. Thanks again for the help, I really appreciate it.
     
