share problem after worm removal

Discussion in 'Malware and Virus Removal Archive' started by joste, 2005/02/10.

Thread Status:
Not open for further replies.
  1. 2005/02/10
    joste

    joste Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    26
    Likes Received:
    0
    Hello,

    I just recovered from a virus called: WORM_RBOT.AXF
    for a description see:
    http://www.trendmicro.com/vinfo/vir...OT.AXF&VSect=Sn
    I chose to remove the worm manually and followed the instructions at the bottom of the trendmicro page. I also installed the two MS fixes for the vulnerability. And I seem to be worm free.
    I'm running XP home on a network with four computers but since the worm removal I have not been able to access the infected computer on my home network from any of the other machines. I get a request for a password even though the drives are sharable via: mycomputer\drive F\properties\sharing tab (indicates they are sharable). I unshared the drives and reshared them but still get the password request. In the computer management dialog they are also indicated as being sharable, but there is an additional item included in the list along with my drives called IPC$, which is also sharable. Actually there is no way I know how to make a drive sharable in XP home with a password requirement. Anyway, I never assigned one, so perhaps the worm did. Anyone have any ideas on how I can get back to accessing my machine again on the network. Hijackthis log is below... The last item looks suspicious but I did a search for the .dll file and it does not exist on my machine...

    I have no problem accessing my machine locally. It is only from the remote computers on my network that I am asked for this unknown password.

    Please excuse me that I have also posted this message on the XP board. I was a bit confused as to where to post since I have successfully removed the worm. It is only this gnarly aftereffect that I wish to clear up.

    Thanks up front.

    joste

    Logfile of HijackThis v1.98.2
    Scan saved at 5:03:33 PM, on 2/9/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Microsoft Hardware\Mouse\point32.exe
    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    F:\PROGRA~1\PESTPA~1\PPControl.exe
    F:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    F:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    G:\apps\ZoneAlarm\zlclient.exe
    F:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe
    G:\apps\popupcalendar\PopupCalendar.exe
    F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    G:\apps\disk-keeper\DkService.exe
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    F:\WINDOWS\System32\taskmgr.exe
    G:\web\opera\opera.exe
    G:\apps\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = F:\WINDOWS\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bandonbythesea.com/forum
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:85
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*;<local>
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\windows\googletoolbar1.dll
    O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - F:\Program Files\SurfSecret\Popup Eliminator\PEToolBar510.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\Msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [00DSKSVR00] "G:\apps\Desktop Guard\desksaver.exe" saskda
    O4 - HKLM\..\Run: [PestPatrol Control Center] F:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] F:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] F:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\apps\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [PopupEliminator] F:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe /min
    O4 - HKCU\..\Run: [PopupCalendar] "G:\apps\popupcalendar\PopupCalendar.exe "
    O4 - Global Startup: addrives.bat
    O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Quicken Startup.lnk = G:\Program Files\quicken\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://f:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &WordWeb... - res://F:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Backward Links - res://f:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://f:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - G:\web\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\web\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open Selected URL - G:\apps\google\openselectedurl.htm
    O8 - Extra context menu item: Search &Google - G:\apps\google\google.htm
    O8 - Extra context menu item: Similar Pages - res://f:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Catcher - G:\web\swf\InternetExplorer.htm
    O8 - Extra context menu item: Translate into English - res://f:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\web\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\web\FlashGet\flashget.exe
    O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - G:\web\swf\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - G:\web\swf\InternetExplorer.htm
    O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - G:\apps\My IP Suite\MyIPSuite.exe
    O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - G:\apps\My IP Suite\MyIPSuite.exe
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/gam...nts/y/at1_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{582D5793-59D1-44F5-B416-1179015D25BB}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{582D5793-59D1-44F5-B416-1179015D25BB}: NameServer = 192.168.0.1,198.77.116.8
    O20 - AppInit_DLLs: 5626k1uujx5i7.dll
     
  2. 2005/02/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download and install Reglite. Open and copy/paste the following string in the address window then click go.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    In the left pane, click the Windows folder (highlighted purple), then click edit on the toolbar. Select rename and type Notwindows, then hit enter. Double click the AppInit_DLLs entry in the right pane and clear the 5626k1uujx5i7.dll entry from the value line, then click OK. Rename the Notwindows folder back to its original name "Windows ". Double click the AppInit_DLLs entry again to make sure the value is blank.

    Reboot into safe mode and do a search for the dll (should be in C:\Windows\System32) and delete if found. Empty the recycle bin and reboot.

    Post a new HJT log.
     

  4. 2005/02/10
    joste

    joste Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    26
    Likes Received:
    0
    OK, all done as per your suggestions, however the problem persists...
    btw the .dll file was not on my computer

    Here's the logfile:


    Logfile of HijackThis v1.98.2
    Scan saved at 2:09:25 PM, on 2/10/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Microsoft Hardware\Mouse\point32.exe
    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    F:\PROGRA~1\PESTPA~1\PPControl.exe
    F:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    F:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    G:\apps\ZoneAlarm\zlclient.exe
    F:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe
    G:\apps\popupcalendar\PopupCalendar.exe
    F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    G:\apps\disk-keeper\DkService.exe
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    G:\web\opera\opera.exe
    G:\apps\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = F:\WINDOWS\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bandonbythesea.com/forum
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:85
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*;<local>
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\windows\googletoolbar1.dll
    O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - F:\Program Files\SurfSecret\Popup Eliminator\PEToolBar510.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\Msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [00DSKSVR00] "G:\apps\Desktop Guard\desksaver.exe" saskda
    O4 - HKLM\..\Run: [PestPatrol Control Center] F:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] F:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] F:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\apps\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [PopupEliminator] F:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe /min
    O4 - HKCU\..\Run: [PopupCalendar] "G:\apps\popupcalendar\PopupCalendar.exe "
    O4 - Global Startup: addrives.bat
    O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Quicken Startup.lnk = G:\Program Files\quicken\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://f:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &WordWeb... - res://F:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Backward Links - res://f:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://f:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - G:\web\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\web\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open Selected URL - G:\apps\google\openselectedurl.htm
    O8 - Extra context menu item: Search &Google - G:\apps\google\google.htm
    O8 - Extra context menu item: Similar Pages - res://f:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Catcher - G:\web\swf\InternetExplorer.htm
    O8 - Extra context menu item: Translate into English - res://f:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\web\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\web\FlashGet\flashget.exe
    O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - G:\web\swf\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - G:\web\swf\InternetExplorer.htm
    O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - G:\apps\My IP Suite\MyIPSuite.exe
    O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - G:\apps\My IP Suite\MyIPSuite.exe
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{582D5793-59D1-44F5-B416-1179015D25BB}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{582D5793-59D1-44F5-B416-1179015D25BB}: NameServer = 192.168.0.1,198.77.116.8
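
A way to compare two successive HijackThis logs like the ones posted above, so that a removed `O20 - AppInit_DLLs` entry or a changed process list stands out. This is an added example, not part of the original thread; the function names are my own, and `LOG_BEFORE` / `LOG_AFTER` are abridged samples built from lines in the posted logs.

```python
import re

# HijackThis finding lines start with a section code (R0, R1, O2, O4, O20, ...).
ENTRY_RE = re.compile(r"^([RNFO]\d{1,2}) - (.+)$")


def parse_hjt(log_text):
    """Split a HijackThis log into running processes and (code, detail) findings."""
    processes, entries = set(), set()
    in_processes = False
    for raw in log_text.splitlines():
        line = " ".join(raw.split())  # drop forum indentation, collapse whitespace
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.add((m.group(1), m.group(2)))
        elif in_processes:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def appinit_dlls(entries):
    """Return the DLL names listed in any O20 AppInit_DLLs finding."""
    dlls = []
    for code, detail in entries:
        if code == "O20" and detail.lower().startswith("appinit_dlls:"):
            value = detail.split(":", 1)[1]
            # The registry value is a space- or comma-separated list of DLLs.
            dlls.extend(n for n in re.split(r"[ ,]+", value.strip()) if n)
    return sorted(dlls)


def diff_logs(before_text, after_text):
    """Report what changed between two scans of the same machine."""
    procs_b, ents_b = parse_hjt(before_text)
    procs_a, ents_a = parse_hjt(after_text)
    return {
        "removed_entries": sorted(ents_b - ents_a),
        "added_entries": sorted(ents_a - ents_b),
        "stopped_processes": sorted(procs_b - procs_a),
        "new_processes": sorted(procs_a - procs_b),
        "appinit_before": appinit_dlls(ents_b),
        "appinit_after": appinit_dlls(ents_a),
    }


# Abridged sample input built from the two logs in this thread.
LOG_BEFORE = r"""
    Logfile of HijackThis v1.98.2
    Scan saved at 5:03:33 PM, on 2/9/2005

    Running processes:
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\System32\taskmgr.exe
    G:\apps\hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - Global Startup: addrives.bat
    O20 - AppInit_DLLs: 5626k1uujx5i7.dll
"""

LOG_AFTER = r"""
    Logfile of HijackThis v1.98.2
    Scan saved at 2:09:25 PM, on 2/10/2005

    Running processes:
    F:\WINDOWS\system32\lsass.exe
    G:\apps\hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - Global Startup: addrives.bat
"""

if __name__ == "__main__":
    for key, value in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {value}")
```

An empty `appinit_after` only shows the registry value was cleared; it says nothing about whether the DLL file itself was ever present on disk.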
     
  5. 2005/02/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you set these proxy settings?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:85
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*;<local>

    Try fixing them. You can always put them back from the backups if other problems are created. Try running the Network Setup Wizard again, making sure to use the same workgroup, and enable file sharing.
     
  6. 2005/02/11
    joste

    joste Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    26
    Likes Received:
    0
    Yeah, I made the proxy settings, and I tried resetting up the network a few times too, all to no avail. Meanwhile I am getting the suspicion that the problem may be caused by the two MS hotfixes I installed after I got rid of the worm. They created a restore point before installation so I may try a system restore and see if that helps. Anyhow, thanks for all your help and I'll let you know how the restore works...
    If ya have any other ideas let me know.

    joste
     
  7. 2005/02/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    A few thoughts.......

    Would you download the latest version of HijackThis (1.99) and post a new log.

    Is the Windows Firewall running on this comp (or any of the others)? When you ran the Network Setup Wizard, did you tell it to configure the firewall for file sharing?
     
  8. 2005/02/14
    joste

    joste Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    26
    Likes Received:
    0
    The firewall is disabled on the machine in question. I am running Zone Alarm Pro, which disabled or enabled produces the password requester.

    Do you have any idea what IPC$ is?
    When I am asked for the password it is for the resource: \\FishTale\IPC$
    FishTale is the name of my computer.
    I have done a search for IPC$ and came up with nothing.

    Do you think it may be the MS updates?
    I haven't done a restore yet (I would like to avoid it if possible).

    Hijack 1.99 log below...


    Logfile of HijackThis v1.99.0
    Scan saved at 9:56:21 PM, on 2/13/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\csrss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Microsoft Hardware\Mouse\point32.exe
    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    G:\apps\ZoneAlarm\zlclient.exe
    F:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe
    G:\apps\popupcalendar\PopupCalendar.exe
    F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    G:\apps\disk-keeper\DkService.exe
    F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    F:\PROGRA~1\PESTPA~1\ppmemcheck.exe
    F:\PROGRA~1\PESTPA~1\cookiepatrol.exe
    F:\PROGRA~1\PESTPA~1\ppcontrol.exe
    F:\WINDOWS\System32\svchost.exe
    G:\web\opera\opera.exe
    G:\apps\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = F:\WINDOWS\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bandonbythesea.com/forum
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:83
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https; ftp; »Windowsupdate.microsoft.com; »V4.Windowsupdate.microsoft.com; »https://v4.Windowsupdate.microsoft.com; »Download.Windowsupdate.com
    ;<local>
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\windows\googletoolbar1.dll
    O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - F:\Program Files\SurfSecret\Popup Eliminator\PEToolBar510.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\Msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [00DSKSVR00] "G:\apps\Desktop Guard\desksaver.exe" saskda
    O4 - HKLM\..\Run: [PestPatrol Control Center] F:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] F:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] F:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "G:\apps\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [PopupEliminator] F:\Program Files\SurfSecret\Popup Eliminator\Popup Eliminator.exe /min
    O4 - HKCU\..\Run: [PopupCalendar] "G:\apps\popupcalendar\PopupCalendar.exe "
    O4 - Global Startup: addrives.bat
    O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Quicken Startup.lnk = G:\Program Files\quicken\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://f:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &WordWeb... - res://F:\WINDOWS\System32\wweb32.dll/lookup.html
    O8 - Extra context menu item: Backward Links - res://f:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://f:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - G:\web\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\web\FlashGet\jc_link.htm
    O8 - Extra context menu item: Open Selected URL - G:\apps\google\openselectedurl.htm
    O8 - Extra context menu item: Search &Google - G:\apps\google\google.htm
    O8 - Extra context menu item: Similar Pages - res://f:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Catcher - G:\web\swf\InternetExplorer.htm
    O8 - Extra context menu item: Translate into English - res://f:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINDOWS\web\related.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\web\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\web\FlashGet\flashget.exe
    O9 - Extra button: SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - G:\web\swf\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - G:\web\swf\InternetExplorer.htm
    O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - G:\apps\My IP Suite\MyIPSuite.exe
    O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - G:\apps\My IP Suite\MyIPSuite.exe
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{582D5793-59D1-44F5-B416-1179015D25BB}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{582D5793-59D1-44F5-B416-1179015D25BB}: NameServer = 192.168.0.1,198.77.116.8
    O23 - Service: 12Ghosts TrayProtect - Unknown - G:\apps\supergee\12srvc.exe (file missing)
    O23 - Service: Adobe LM Service - Unknown - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - G:\apps\disk-keeper\DkService.exe
    O23 - Service: Macromedia Licensing Service - Unknown - F:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: ScsiAccess - Unknown - G:\graphics\compupic-pro\ScsiAccess.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WinFax PRO - Symantec Corporation - F:\WINDOWS\System32\WFXSVC.EXE
     
  9. 2005/02/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    See the following MSKB Article about Zone Alarm. I had to put my network IP range into ZA's trusted zone for network access.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;302951

    As for a good description of the IPC$ share, I don't have one. Sorry :( But it is a default and necessary share. :)

    Click Start, click Run, type cmd, and then press ENTER.
    At the command prompt, type net share, and then press ENTER.
    Look for the IPC$ administrative share in the list of shares.

    If not present, type net share IPC$ and hit enter. Should get a 'successful' message and the share should be present in Computer Management.

    If you haven't already done so, check all the computers on your network for infections, be it virus or malware.

    If you're still unable to resolve the problem, let's have a look at some registry values. Export the keys
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Control>Lsa
    and
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Ole
    to text, zip them up and email them to me here. Put WindowsBBS LSA in the subject line.

    Keyword MSKB searches;

    IPC$

    Admin$

    Unable to Connect to Network Share

    You must supply a password to make this connection:

    'Access is denied' When Accessing Shares
     
  10. 2005/02/14
    joste

    joste Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    26
    Likes Received:
    0
    http://support.microsoft.com/default.aspx?scid=kb;en-us;841399&sd=ee

    The above seems to fit my description...
    MS solution is to install Service Pack 2.
    I have been reluctant to do this because of conflicts reported on
    dslreports.com with direcway satellite software.
    I'm still thinking it was one of the two MS hotfixes I installed. The security log reports the first failure just after I installed them. So it's either live with it, restore or update, unless you find something in the registry...
     
  11. 2005/02/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  12. 2005/02/17
    joste

    joste Inactive Thread Starter

    Joined:
    2002/01/15
    Messages:
    26
    Likes Received:
    0
    You wrote: Check the properties of Kerberos.dll
    12-May-2004 16:57 5.1.2600.1528 287,232 Kerberos.dll...
    ***********
    OK, my version of kerberos.dll is 5.1.2600.1106 (xpsp1.020828-1920)
    So I guess from what you write that SP 2 updates this file and that should cure my problem.
    Is there any way to update just the file? Will that solve the problem?
     