
virus/security problems

Discussion in 'Legacy Windows' started by shenanigins, 2003/06/16.

  1. 2003/06/20
    shenanigins (Thread Starter)
    Do you need this from the 2k computer or the 98?
     
  2. 2003/06/20
    shenanigins (Thread Starter)
    ipconfig from 98:

    Windows 98 IP Configuration

    Host Name . . . . . . . . . : Diana.sbcglobal.net
    DNS Servers . . . . . . . . : 151.164.17.201
                                  151.164.11.201
    Node Type . . . . . . . . . : Broadcast
    NetBIOS Scope ID. . . . . . :
    IP Routing Enabled. . . . . : No
    WINS Proxy Enabled. . . . . : No
    NetBIOS Resolution Uses DNS : Yes

    0 Ethernet adapter :

    Description . . . . . . . . : PPP Adapter.
    Physical Address. . . . . . : 44-45-53-54-00-00
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . :
    DHCP Server . . . . . . . . : 255.255.255.255
    Primary WINS Server . . . . :
    Secondary WINS Server . . . :
    Lease Obtained. . . . . . . :
    Lease Expires . . . . . . . :

    1 Ethernet adapter :

    Description . . . . . . . . : ELNK3 Ethernet Adapter
    Physical Address. . . . . . : 00-A0-24-7D-E5-3D
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 192.168.1.100
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . : 192.168.1.1
    Primary WINS Server . . . . :
    Secondary WINS Server . . . :
    Lease Obtained. . . . . . . : 06 19 03 3:20:27 PM
    Lease Expires . . . . . . . : 06 20 03 3:20:27 PM
     


  4. 2003/06/20
    shenanigins (Thread Starter)
    startup list from 2k:

    StartupList report, 6/20/2003, 3:32:55 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Administrator\Desktop\dowloaded disk utilities\HijackThis.EXE
    Detected: Windows 2000 SP3 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\Proxy.exe
    C:\WINNT\system32\MSTask.exe
    C:\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Winamp\Winampa.exe
    C:\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\ScreenMates\FULL_FEL.EXE
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\mmc.exe
    C:\Documents and Settings\Administrator\Desktop\dowloaded disk utilities\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
    Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    Felix.lnk = C:\ScreenMates\FULL_FEL.EXE

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    SoundMan = SOUNDMAN.EXE
    WinampAgent = "C:\Winamp\Winampa.exe "
    NAV Agent = C:\NORTON~1\NORTON~1\navapw32.exe
    SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    IPInSightMonitor 01 = "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe "
    BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
    tgcmdprovidersbc = "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Felix = C:\Program Files\ScreenMates\FULL_FEL.EXE

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\System32\ssflwbox.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Yahoo! Companion BHO - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll - {13F537F0-AF09-11d6-9029-0002B31F9E59}
    NAV Helper - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    BACKUP 2.job
    backup.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job
    Weekly Backup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [MiniBugTransporterX Class]
    InProcServer32 = C:\WINNT\DOWNLO~1\MINIBU~1.DLL
    CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?rand=200341118

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [eshare communications NetAgent Customer ActiveX Control version 2]
    InProcServer32 = C:\WINNT\Downloaded Program Files\custappx2.dll
    CODEBASE = http://www.cabeagent.com/netagent/objects/custappx2.CAB

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab

    [AvxScanOnline Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\BITDEF~1.OCX
    CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37508.65375

    [YahooYMailTo Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\Macromed\flash\flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [{D6E66235-7AA6-44ED-A06C-6F2033B1D993}]
    CODEBASE = http://distribution.trafficsyndicate.com/msiein.cab

    [{D9EC0A76-03BF-11D4-A509-0090270F86E3}]
    CODEBASE = http://bannerfarm.ace.advertising.com/bannerfarm/42833/VbouncerOuter1123030505.exe

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 7,515 bytes
    Report generated in 0.078 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  5. 2003/06/20
    mflynn
    This looks correct.

    Do this

    ping 192.168.1.1
    if ok sees router

    then ping yahoo.com
    if ok you have www access

    If either fail get back to me or....

    So!

    First you will have to make a connection.

    Control panel Internet options-connections-setup

    setup manually-connect by LAN

    Mike
     
  6. 2003/06/20
    shenanigins (Thread Starter)
    Ping results look okay, I think?

    Pinging 192.168.1.1 with 32 bytes of data:

    Reply from 192.168.1.1: bytes=32 time<10ms TTL=150
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=150
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=150
    Reply from 192.168.1.1: bytes=32 time<10ms TTL=150

    Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Pinging yahoo.com [66.218.71.198] with 32 bytes of data:

    Reply from 66.218.71.198: bytes=32 time=71ms TTL=238
    Reply from 66.218.71.198: bytes=32 time=71ms TTL=238
    Reply from 66.218.71.198: bytes=32 time=69ms TTL=238
    Reply from 66.218.71.198: bytes=32 time=69ms TTL=238

    Ping statistics for 66.218.71.198:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 69ms, Maximum = 71ms, Average = 70ms

    Went through the internet setup steps... still no connection available, though.
     
  7. 2003/06/20
    shenanigins (Thread Starter)
    scrap that last comment regarding connection status.... I had a momentary "flash" of intelligence *smile* and went back to check the proxy settings. When the "professional" they hired a year ago came in to set up the network stuff, he tried to get the dsl to be shared between the admin and slave1 computers, but had no luck. There was leftover proxy information in the LAN setup info. I deleted that... and voila, we have www access from slave 1

    *sigh* I feel like I've been running a marathon the last few days. What's my next hurdle?
     
  8. 2003/06/20
    mflynn
    OK Shannon

    While helping you I have been at my office doing work, talking on the phone etc. This is why my responses were sometimes long in coming. It is 5pm here and I am tired.

    I am going out to eat then home.

    Maybe I will feel like getting back on this tonight. But if not I will send info tomorrow.

    I can tell you this: as both pings succeeded, you are getting out on the www, so change nothing else on the network setup.

    The problem now is a browser issue, Internet explorer. Try all this on the other and it may work. If so we can come back here.

    if you know how, repair internet explorer.

    in the mean time

    you did a great job, got a little ahead once but fantastic job

    have a good weekend. I will be in touch.

    mike
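The ipconfig and ping checks from the last few posts, written out as a small triage script (an added example for this thread, not code from the posts; it assumes the Windows 98 ipconfig and ping text formats shown above and that a failed name lookup prints "Unknown host"):

```python
"""Staged connectivity triage along the lines Mike uses above.

Added example for this thread, not code from the original posts.  It parses
Windows 98 'ipconfig /all' and 'ping' output in the form shown in the posts
and names the first layer that fails: address/lease, gateway, DNS, WAN, or
nothing on the network (as here), so the browser or proxy settings are next.
"""
import re

ADAPTER_RE = re.compile(r"^\s*(\d+) Ethernet adapter\s*:")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*?)\s*$")
PING_HEADER_RE = re.compile(r"Pinging (\S+?)(?: \[([\d.]+)\])? with")
PING_STATS_RE = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")

# Constructed sample: the 98 machine's ipconfig from the thread, abridged.
IPCONFIG_98 = """
0 Ethernet adapter :
    Description . . . . . . . . : PPP Adapter.
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . :
1 Ethernet adapter :
    Description . . . . . . . . : ELNK3 Ethernet Adapter
    DHCP Enabled. . . . . . . . : Yes
    IP Address. . . . . . . . . : 192.168.1.100
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . : 192.168.1.1
"""
# Constructed samples: the two ping runs from the thread, cut to two replies.
PING_GATEWAY = """
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<10ms TTL=150
Reply from 192.168.1.1: bytes=32 time<10ms TTL=150
Ping statistics for 192.168.1.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
PING_YAHOO = """
Pinging yahoo.com [66.218.71.198] with 32 bytes of data:
Reply from 66.218.71.198: bytes=32 time=71ms TTL=238
Reply from 66.218.71.198: bytes=32 time=69ms TTL=238
Ping statistics for 66.218.71.198:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""


def parse_ipconfig(text):
    """Return one dict per adapter, keyed by the ipconfig field names."""
    adapters, current = [], None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = {"index": int(header.group(1))}
            adapters.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return adapters


def parse_ping(text):
    """Summarise one ping run: target, resolved address and reply counts."""
    result = {"target": None, "address": None, "sent": 0, "received": 0,
              # Assumption: a failed lookup is reported as 'Unknown host <name>'.
              "unknown_host": "Unknown host" in text}
    head = PING_HEADER_RE.search(text)
    if head:
        result["target"] = head.group(1)
        result["address"] = head.group(2) or head.group(1)
    stats = PING_STATS_RE.search(text)
    if stats:
        result["sent"], result["received"] = int(stats.group(1)), int(stats.group(2))
    return result


def triage(ipconfig_text, gateway_ping_text, internet_ping_text):
    """Apply the checks in the thread's order and name the first failing layer."""
    up = [a for a in parse_ipconfig(ipconfig_text)
          if a.get("IP Address", "0.0.0.0") != "0.0.0.0"]  # skips the idle PPP adapter
    if not up:
        return "no usable address: check the cable, the NIC driver and the DHCP lease"
    gateway = up[0].get("Default Gateway", "")
    gw = parse_ping(gateway_ping_text)
    if gw["target"] != gateway:
        return "gateway ping targeted %s but ipconfig lists %s" % (gw["target"], gateway)
    if gw["received"] == 0:
        return "gateway %s unreachable: cabling, switch/hub or router" % gateway
    inet = parse_ping(internet_ping_text)
    if inet["unknown_host"] or inet["address"] is None:
        return "name resolution failed: check the DNS servers ipconfig reports"
    if inet["received"] == 0:
        return "internet unreachable beyond the router: WAN/DSL side"
    return "network OK: look at the browser, proxy and dial-up settings"


if __name__ == "__main__":
    print(triage(IPCONFIG_98, PING_GATEWAY, PING_YAHOO))
```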
     
  9. 2003/06/20
    shenanigins (Thread Starter)
    Wow! You mean you have a REAL job, too?!? ;)

    I honestly appreciate all the help you have offered... you have been a true God-send over the last several days. I wouldn't blame you if you never wanted to see me post here again! *smile*

    I got internet connections running to both 98 computers. I've called it quits for today, as well... I think my husband will leave me if I don't spend some time with him tonight, anyway.

    I know I'm not finished setting everything up, but I feel much better now that the dsl is working and the network is communicating. I'll be doing a big ol' happy dance when this is all finished!

    Have a nice night... and I'll catch you later!

    Shannon
     
  10. 2003/06/21
    TonyT (Staff)
    shenanigins

    where should these guys send the bill...
     
  11. 2003/06/21
    mflynn
    Husband!!!!!!

    You are a GIRL!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Lol!

    You mean I lost all these chances to flirt!! Dang!

    Well it is probably better; you are married. Sigh!

    Besides the "other" dirty old men on this BBS would have swarmed.

    I have, because of a unisex name, referred to her as a him and him as a her, and had to apologize a few times before. I did not do too badly in this case. So I will correct that now. When I said "You da man", I now say "You go Girl"!

    And I mean this; you did an absolutely fantastic job. Let's hear it for the girl!

    Dread to help you again, no! You were easy to work with. You see this stuff is easy for me, the hardest things for me was getting the time to help. Usually it is getting someone to follow instructions at all, and if so doing it correctly.

    This thread is a classic. Not only was it a learning experience not just for you, but also hopefully for others following it.

    You had it all. Viri, lockups and freezes, I know you found much spy/adware, configuration issues, installed new hub/switch added router, removed HW (NIC). Connected to network and all to WAN thru the router. Performance issues.

    These cover most of what people come here for individually. You had and fixed them all.

    If your dad doesn’t pay you, he should pay for a membership on this BBS for you. The BBS is free, but needs contributions to exist. Even though I actually only volunteer ( my kind of candy striping) even I also contributed.

    (I charge 85.00 per hr to do it on the side, when someone begs or convinces me to do it)

    You seemed surprised that I work? Matter of fact I do this for a living. I am a Sr. Systems Analyst and Systems Administrator. Been doing it for 25 years, administer over 1000 stations in 62 networks in 6 states.

    OK moving on to the things you need to do to finish up.

    In answer to some questions you asked, that I forgot or did not take the time to answer.

    The Dump. Search for and delete it. *.dmp

    Yahoo web mail: Not downloading and processing mail on Yahoo does give a measure of protection. But I see no reason he cannot filter and delete the Spam and other junk mail, then download what he has left. They may not keep legit messages for long.

    Verify what you did?
    Firewall. Did you install it on the 2K?

    Did Spybot find much on any of the stations, especially the 2K machine?

    Status of system performance now? Is it as fast as it has ever been? Should be. Don’t forget to let us know about the stability after a few days of normal use.

    Things I saw that I personally don’t like in a place of business. Your choice here, but they at best are useless and at worst rob performance and stability.

    Screen savers and backgrounds.

    Norton SystemFooler and SystemCrasher otherwise known as SystemWorks.

    Other things to do.

    Don’t forget to do a Scandisk and Defrag on all before job done. On 2k the scandisk is called chkdsk. Run it from the command prompt like this

    Chkdsk /r

    It will want to do it on next boot.

    Windows update on all
    Don’t bother with DirectX or WMP9 unless they do play music and videos.
    For sure don’t get critical update reminders, nor anything dot net.

    XpAntispy: I forgot this. I used to think it was only for 2K and XP, but recently tried it on 98 and it works there also, just with not as many items to control.

    http://www.webattack.com/get/xpantispy.shtml

    Startups: Here are some sites to tell you what startups do.
    Look at the startup list from HiJackThis and kill the ones you don’t need. They are robbing performance. These apply to 2k and 98 both. Use the Startup Control Panel I sent.

    Cleaning startups
    <http://www.pacs-portal.co.uk/startup_pages/startup_full.htm>
    <http://jeh.ne.client2.attbi.com/TechSupport/index.htm>
    <http://www.3feetunder.com/krick/startup/list.html>
    <http://www.answersthatwork.com/Tasklist_pages/tasklist.htm>
    <http://ww2.whidbey.net/djdenham/Uncheck.htm>
    <http://www.pcisys.net/~ravnos2/techinfo/MSConfig.htm>
    <http://www.forrestandassociates.co.uk/pcforrest/startups.html>
    <http://www.djbdesigns.com/wtvzone/startup.html>

    Services: these apply only to the 2K (and XP if needed elsewhere). Do these carefully. Black Viper's safe recommendations should be used. They are startups, but different than the above.

    The following I believe can be set to manual and stopped on his 2K.
    Indexing, Messenger, DHCP Client, DNS Client, Smart card, UPS if you do not have a UPS that connects back to the computer port. Look for others, reboot after changes and confirm everything still works as normal.

    XP & 2K Tweaks and services configuration
    <http://blackviper.com/WinXP/servicecfg.htm>
    <http://members.internettrash.com/megapolon/xptweak2.html>
    <http://www.theeldergeek.com/index.htm>
    <http://www.kellys-korner-xp.com/xp_h.htm>
    <http://www.dougknox.com/>
    <http://tweakxp.com/tweakxp/>
    <http://beemerworld.com/tips/servicesxp.htm>
    <http://www.aumha.org/regfiles.htm>
    <http://win2000tips.home.att.net/Tipstricks.htm#Pagefile>

    So tweak the Startups and services to get max performance and stability by removing as many as possible.

    Lastly: The trick I told you about to keep the others from browsing the Internet.

    The following will stop the Browser but will allow Virus updates and other programs to update even Email to work.

    Copy and paste the following 3 lines into a WordPad file and save it as c:\windows\ieoff.cmd.

    @echo off
    ren c:\progra~1\intern~1\iexplore.exe iexplore.sav
    exit

    Copy and paste the following 3 lines into a WordPad file and save it as c:\windows\ieon.cmd.

    @echo off
    ren c:\progra~1\intern~1\iexplore.sav iexplore.exe
    exit

    To use after you have used Internet explorer and exited from it. Go to command prompt and type

    Ieoff (Internet explorer off)

    This will disable Internet explorer from running.

    When you come back and need it. Go to command prompt and type

    Ieon (Internet explorer on) this will turn it on,

    Don’t forget to turn it off when you leave.

    To keep the user from trying to click dead shortcuts you should do a search and delete them all. Make sure you delete the shortcuts (.lnk files), not iexplore.exe. This means you will have to browse to c:\program files\internet explorer and click Iexplore.exe to run it, or drag a shortcut to the desktop until you get through.

    OK! Good luck, do this before it gets cold.

    Let me know how it goes.

    Mike
     
    Last edited: 2003/06/21
  12. 2003/06/22
    mflynn
    Hi Shannon

    I actually began this before my last letter and forgot to send it.

    First some more cleanup. Go to add/remove and remove WeatherBug and any Screen savers.

    Then rt click on a blank spot on the Desktop and then properties. On Background set all to none. Screen saver set to none. In Appearance Scheme select windows classic. In effects uncheck everything except Show Icons using all possible colors. In settings make sure the Colors are set to highest resolution. Save and exit.

    MobSync Synchronization Manager = mobsync.exe /logon
    The above is not needed and is installed by default in 2K and XP. Use these steps to turn it off.

    start-programs-accessories-synchronize-setup uncheck my current home page on the first screen

    then click setup and uncheck all boxes on "all the tabs"

    in the On Idle options tab Advanced, uncheck the 2 boxes

    in scheduled remove all items.

    Close.

    To finish this open My Computer select tools-folder options-offline files: uncheck "enable offline files" option

    Ok on to the others.

    In looking more closely at the startup list you sent I not only see many bad things but things that should not be there if SpyBot has been run properly. So let’s run it again after maxing out its config.

    First go to start-programs-spybot and find the SpyBot Advanced icon and run it.

    On the left hand panel click online, then click search for updates. After it finds a list, select everything except skins and languages unless it says English. After these are selected go over to Unido (Europe) and pull down the menu. Select EON (Australia) and download updates.

    Now after updates we need to max the config so in left hand panel select Settings and then Filesets. Select all, usually the 3 at the bottom are unchecked so select them.

    Then in left panel select settings and find Scan priority and select the last item "Time critical" this will cause a quicker scan.

    Then slide to bottom and find Expert settings select both Show expert items.

    Now we are ready to run. Run it twice select all it finds including registry items that you will have to individually OK. Anything left after the 2nd run is cleaned is OK.

    Now in the left panel select Immunize, it will say so many items need to be blocked. Click OK and to the right is another Immunize button, Click it. It should say so many items now blocked.

    If you check again it should say all items blocked and give the number.

    Now reboot the computer.

    Some of the items below may now be gone. So we will deal with the ones that are left.

    If you have not, then install the Startup Control Panel and use it first to uncheck the items and after we are sure they are not needed then we will delete them.

    We will do this in steps by category

    Begin with these:

    These 5, there is no doubt as to needed or not just delete them in Startup Control panel.

    C:\Winamp\Winampa.exe
    C:\Program Files\ScreenMates\FULL_FEL.EXE,
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    SCRNSAVE.EXE=C:\WINNT\System32\ssflwbox.scr

    The following 7 items should all be unchecked to stop them from running.

    You then should reboot and test that all Internet and email access works. If so leave the items unchecked for a few days and if no problem then delete them in Startup Control panel.

    I am positive about the all except the first, the "pppoeservice ", so if problems accessing the Internet then recheck this one only, reboot and retest.

    C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe

    C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

    C:\Program Files\BroadJump\Client Foundation\CFD.exe

    C:\Program Files\Support.com\bin\tgcmd.exe

    C:\Program Files\SBC\Connection Manager\CManager.exe

    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

    BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
    tgcmdprovidersbc = "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray


    The following seems related to a Trojan, so uncheck it, reboot and if Internet works leave it a few days before deletion. When and if you do delete this from Startup then also delete the file proxy.exe.

    C:\WINNT\system32\Proxy.exe

    Finally uncheck Yahoo companion, should not be needed, see if dad even misses it if so put it back.

    Yahoo! Companion BHO - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll - {13F537F0-AF09-11d6-9029-0002B31F9E59}

    The following should be gone after uninstalling WeatherBug and running SpyBot as above if not delete it.

    [MiniBugTransporterX Class]
    InProcServer32 = C:\WINNT\DOWNLO~1\MINIBU~1.DLL
    CODEBASE = http://download.weatherbug.com/mini...?rand=200341118

    Not quite sure what the below is; see if your dad knows what Eshare NetAgent is. If he doesn’t know, then disable it also.

    [eshare communications NetAgent Customer ActiveX Control version 2]
    InProcServer32 = C:\WINNT\Downloaded Program Files\custappx2.dll
    CODEBASE = http://www.cabeagent.com/netagent/objects/custappx2.CAB

    Same here but this seems related to ****?? Disable for a while and then delete if all is well.

    [{D6E66235-7AA6-44ED-A06C-6F2033B1D993}]
    CODEBASE = http://distribution.trafficsyndicate.com/msiein.cab

    The following should be gone after the SpyBot run above if not delete it. Popup ads.

    [{D9EC0A76-03BF-11D4-A509-0090270F86E3}]
    CODEBASE = http://bannerfarm.ace.advertising.c...r1123030505.exe
    Whoosh! When I saw all the above, I mentioned I saw a lot that I did not like, but now I am surprised at just how much. Must have been tired.

    Print this out and do it thoroughly and carefully and keep me posted.

    This should finally finish up everything. So now let them roll and wait and watch.

    Mike
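Mike's reading of the StartupList report, written down as checks over the report text (an added example for this thread, not HijackThis code or the thread's own; the known-vendor hosts and known system32 binaries are assumed lists made up for the example):

```python
"""Triage of a StartupList report using the checks Mike applies above.

Added example for this thread, not code from HijackThis or from the posts.  The
known-vendor hosts and known system32 binaries below are assumptions for the
example; the three checks mirror the thread's own reasoning.
"""
import re
from urllib.parse import urlsplit

KNOWN_CODEBASE_HOSTS = {"security.symantec.com", "v4.windowsupdate.microsoft.com",
                        "download.macromedia.com", "download.yahoo.com"}
KNOWN_SYSTEM32 = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                  "spoolsv.exe", "regsvc.exe", "mstask.exe", "mspmspsv.exe", "mmc.exe"}
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

# Constructed sample: an excerpt of the 2K report posted earlier in the thread.
SAMPLE_REPORT = r"""
Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\Proxy.exe

--------------------------------------------------

Enumerating Download Program Files:

[MiniBugTransporterX Class]
InProcServer32 = C:\WINNT\DOWNLO~1\MINIBU~1.DLL
CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?rand=200341118

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[{D6E66235-7AA6-44ED-A06C-6F2033B1D993}]
CODEBASE = http://distribution.trafficsyndicate.com/msiein.cab

[{D9EC0A76-03BF-11D4-A509-0090270F86E3}]
CODEBASE = http://bannerfarm.ace.advertising.com/bannerfarm/42833/VbouncerOuter1123030505.exe

--------------------------------------------------
"""


def split_sections(report):
    """Group the report's lines under the heading that opens each '----'/'====' block."""
    sections, heading, lines = {}, None, []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("-----") or line.startswith("====="):
            if heading:  # the same heading can recur (several Autorun sections)
                sections.setdefault(heading, []).extend(lines)
            heading, lines = None, []
        elif heading is None:
            if line:
                heading = line.rstrip(":")
        elif line:
            lines.append(line)
    if heading:
        sections.setdefault(heading, []).extend(lines)
    return sections


def parse_download_program_files(report):
    """Turn the [name] / key = value blocks into one dict per control."""
    entries, current = [], None
    for line in split_sections(report).get("Enumerating Download Program Files", []):
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1]}
            entries.append(current)
        elif current is not None and " = " in line:
            key, value = line.split(" = ", 1)
            current[key] = value
    return entries


def flag_download_program_files(entries):
    """Return (name, [reasons]) for controls that deserve a second look."""
    findings = []
    for entry in entries:
        reasons = []
        if CLSID_RE.match(entry["name"]) or "InProcServer32" not in entry:
            reasons.append("CLSID-only entry with no named DLL")
        codebase = entry.get("CODEBASE")
        if codebase:
            url = urlsplit(codebase)
            if (url.hostname or "") not in KNOWN_CODEBASE_HOSTS:
                reasons.append("CODEBASE host not in the known-vendor list: %s" % url.hostname)
            if url.path.lower().endswith(".exe"):
                reasons.append("CODEBASE fetches a bare .exe rather than a .cab package")
        if reasons:
            findings.append((entry["name"], reasons))
    return findings


def flag_processes(report):
    """Executables running straight out of WINNT\\system32 that are not on the known list."""
    flagged = []
    for path in split_sections(report).get("Running processes", []):
        parts = path.lower().split("\\")
        if parts[1:3] == ["winnt", "system32"] and len(parts) == 4 and parts[3] not in KNOWN_SYSTEM32:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print(flag_processes(SAMPLE_REPORT))
    print(flag_download_program_files(parse_download_program_files(SAMPLE_REPORT)))
```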
     
  13. 2003/06/23
    mflynn
    Shannon

    Thank you for the nice direct email. And the offer from your dad to subscribe.

    Let me know when you plan on finishing up.

    And if you complete all of the items in my last 2 messages then
    post me a new Startup list.

    Additionally I am very interested in your opinion of the system response and performance in comparison to before we did all this. We will only know about the stability after a few days of normal use.

    And is dad now happy?

    If so and he said he would contribute, then here is the link to do that. What he should do is just pay for your existing shenanigins membership. It is very expensive at 19.95 per year! Smile!

    To do it by mail or credit card, go here: http://www.windowsbbs.com/subscribe.php

    Be sure to add a note to Arie reminding him not to forget my commission! Lol!

    Mike
     
  14. 2003/06/23
    shenanigins (Thread Starter)
    Good evening, Mike.

    As you probably guessed, I decided to take today off from the computer world. :)

    I will be back at the office tomorrow and will begin processing the lists you posted in your last two posts. I just reviewed them to make sure I don't have any questions and all looks fine.

    You recommended removing the following item from his startup:
    C:\Program Files\ScreenMates\FULL_FEL.EXE

    This is a very small program that runs a "pet" cat on his desktop named Felix. Unless you see a real hazard in him keeping it I won't delete it... it brings him great pleasure. ;) However, if you think it is something that could be a hazard to his system I will see if I can convince him to depart with his pal.

    Other than that, I think it all looks pretty straightforward. I am looking forward to seeing how all goes after a few days. I will definitely keep you informed!

    Be back soon.....
    ~Shannon
     
  15. 2003/06/24
    mflynn
    Good morning Shannon

    You are ready to ride this bull again, huh?

    Well we have tamed him enough to be manageable now!

    Yes I knew that FULL_FEL.EXE was a Felix the Cat screen saver. Yeah it is OK if he likes it. But chop off any connection to the internet for updating it. If it needs updating it should be done manually.

    Same for windows updates. Don't do the Update reminders but go there occasionally and pick and choose the updates.

    Remember as you disable the Broadjump stuff to reboot immediately and confirm all browsing and email access before actually deleting those items.

    Same for the Yahoo stuff, disable them all, immediately reboot and test the browsing and email.

    Also when you put in the Kerio firewall, as soon as you reboot from the install, run the browser and give IE permission to get out and tell Kerio to remember this by putting the check in the box. Same for Outlook. Then see if he has anything else that needs permission like the QuickBooks update and give it permission.

    Then tell him not to give anything else permission until he checks with you. Because if he does accumulate a Viri or Trojan or Spyware he does not want it inviting friends over to play. In this case we are using the firewall as a very specific detection device.

    Keep me posted!

    Mike
     
  16. 2003/06/25
    mflynn
    Shannon

    I just remembered something I told you that is incorrect.

    When using the IEON and IEOFF procedure as here:

    "Copy and paste the following 3 lines into a WordPad file and save it as c:\windows\ieoff.cmd. "

    The ??????.cmd will only work on 2K or XP, for the 98 it has to be named ??????.bat

    so name them ieon.bat and ieoff.bat

    Mike
     
  17. 2003/06/25
    shenanigins (Thread Starter)
    Hey Mike!

    I've finished updating the 98 systems, but ran into a snag with the ieoff & ieon commands. I receive a "bad command" response when I try to run either. I named them with *.bat as directed in your last post and placed them in the system folder. Not sure what the prob is... double checked that everything is exactly as in your post, etc.

    Other snag is on the admin computer (2k) and removing all the startup items you advised. I ran spybot first, as directed, and it found a large number of items which have been fixed. I immunized, etc. When I run the startup control panel, however, I don't find several of the items on your list to uncheck. The following items do not appear:

    C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\WINNT\system32\Proxy.exe


    All the other items you listed appeared and I have unchecked them and rebooted... everything is working fine so far. But I'm a little confused about the missing items, especially since some of them appeared to be related to others that were still listed?

    I'm going to hang a bit and wait to hear back from you... if you're still around!

    ~Shannon
     
  18. 2003/06/25
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Shannon

    Oh yeah I am here.

    All you said sounds good.

    The IEON we can fix.

    The other stuff that was missing on the 2k is good, because we wanted to get rid of it anyway if it did not break anything, and I did not think it would anyway. SpyBot could have gotten it; I remember telling you some for sure should not be there if SpyBot ran correctly.

    Sounds like you did everything right again.

    I am sending this now so you will know I am here.

    And I will be back with a solution on the IEON thing in a few minutes.

    Just to be sure send another startup list from HiJackThis.

    And also tell me about the speed and performance to this point.

    Mike
     
  19. 2003/06/25
    shenanigins

    shenanigins Inactive Thread Starter

    Joined:
    2002/08/02
    Messages:
    104
    Likes Received:
    0
    Speed and performance are great so far :) as you assured me it would be. All programs are running smoothly and the admin computer hasn't received any more virus alerts since last week.

    While I'm thinking about it, what is your advice on system backups? I've used the microsoft backup utility to run a weekly backup of the entire system. Is there a better way? Frequently the backup doesn't run because something interferes with the task scheduler?

    I ran another list from HijackThis. Although I stated earlier that those other items didn't appear in the Startup Control list, they do appear to still be present in the HijackThis list. How do I get to them? Also the mobsync still appears, even after I followed your steps to disable it.


    OK ~ Here's the list:

    StartupList report, 6/25/2003, 4:20:12 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Administrator\Desktop\dowloaded disk utilities\HijackThis.EXE
    Detected: Windows 2000 SP3 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\Proxy.exe
    C:\WINNT\system32\MSTask.exe
    C:\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\ScreenMates\FULL_FEL.EXE
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Administrator\Desktop\dowloaded disk utilities\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
    Felix.lnk = C:\ScreenMates\FULL_FEL.EXE

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    SoundMan = SOUNDMAN.EXE
    NAV Agent = C:\NORTON~1\NORTON~1\navapw32.exe
    SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Felix = C:\Program Files\ScreenMates\FULL_FEL.EXE

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\System32\ssflwbox.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Backup.job
    Symantec NetDetect.job
    Weekly Backup.job
    weekly system backup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [eshare communications NetAgent Customer ActiveX Control version 2]
    InProcServer32 = C:\WINNT\Downloaded Program Files\custappx2.dll
    CODEBASE = http://www.cabeagent.com/netagent/objects/custappx2.CAB

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab

    [AvxScanOnline Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\BITDEF~1.OCX
    CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37508.65375

    [YahooYMailTo Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\Macromed\flash\flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 6,215 bytes
    Report generated in 0.062 seconds


    Let me know what you suggest from here!
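
    The question above (items present in the HijackThis running-process list but absent from the Startup Control Panel) is easiest to answer by cross-referencing the two halves of the StartupList report. The script below is an added example, not a tool anyone in this thread used: it parses the report format, marks each running process as explained by a visible autorun entry, as a core NT process, or as unexplained, and also lists autorun entries (such as mobsync.exe here) whose program is not actually running. A process that runs at boot with no Run-key or Startup-folder entry is, on Windows 2000, usually started as a service, which this report format does not enumerate. The sample report is a constructed, trimmed copy of the one posted above, and the CORE_NT set is an assumption made for the illustration.

```python
"""Cross-reference a HijackThis StartupList report: which running processes
are explained by a visible autorun entry, which belong to the NT boot chain,
and which have no autorun entry at all. Added example for this thread; the
sample report is a constructed, trimmed copy of the one posted above."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Processes started by the NT boot chain itself rather than by a Run key.
# Assumption for this illustration, not an exhaustive list.
CORE_NT = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
           "svchost.exe", "spoolsv.exe", "explorer.exe"}

# First .exe/.scr token in a path or command line; stops at \ / spaces and quotes.
EXE_RE = re.compile(r'([^\\/\s"]+\.(?:exe|scr))', re.IGNORECASE)

# Report sections whose "name = command" lines are autorun entries.
AUTORUN_SECTIONS = ("Shell folders", "Autorun entries from Registry")

SAMPLE_REPORT = r"""
StartupList report, 6/25/2003, 4:20:12 PM
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\Proxy.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\SOUNDMAN.EXE
C:\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\ScreenMates\FULL_FEL.EXE
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
Felix.lnk = C:\ScreenMates\FULL_FEL.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
SoundMan = SOUNDMAN.EXE
NAV Agent = C:\NORTON~1\NORTON~1\navapw32.exe
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Felix = C:\Program Files\ScreenMates\FULL_FEL.EXE
"""


def exe_name(command: str) -> str | None:
    """Lower-cased basename of the executable in a path or command line."""
    m = EXE_RE.search(command)
    return m.group(1).lower() if m else None


@dataclass
class StartupReport:
    running: list[str] = field(default_factory=list)               # paths as listed
    autoruns: dict[str, list[str]] = field(default_factory=dict)   # exe -> entries


def parse_startuplist(text: str) -> StartupReport:
    """Small state machine over the report's 'Header:' / entry layout."""
    rep = StartupReport()
    section, key = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("---", "===")):
            continue
        if line.endswith(":") and " = " not in line:
            section, key = line[:-1], ""            # new section header
            continue
        if section == "Running processes":
            rep.running.append(line)
        elif section.startswith(AUTORUN_SECTIONS):
            if line.startswith(("[", "HKLM\\", "HKCU\\")):
                key = line.strip("[]")              # folder path or registry key
                continue
            name, sep, command = line.partition(" = ")
            exe = exe_name(command) if sep else None
            if exe:
                rep.autoruns.setdefault(exe, []).append(f"{key} :: {name}")
    return rep


def classify(rep: StartupReport) -> dict[str, list[str]]:
    """Bucket running processes; also list autorun entries with no live process."""
    out: dict[str, list[str]] = {"explained": [], "core_nt": [], "unexplained": []}
    seen: set[str] = set()
    for path in rep.running:
        exe = exe_name(path)
        if exe is None or exe in seen:
            continue
        seen.add(exe)
        if exe in rep.autoruns:
            out["explained"].append(exe)
        elif exe in CORE_NT:
            out["core_nt"].append(exe)
        else:
            out["unexplained"].append(exe)       # likely a service or started by hand
    out["autorun_not_running"] = sorted(e for e in rep.autoruns if e not in seen)
    return out


if __name__ == "__main__":
    result = classify(parse_startuplist(SAMPLE_REPORT))
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```

On the sample, pppoeservice.exe, Proxy.exe, navapsvc.exe, persfw.exe and MSTask.exe land in the unexplained bucket, which is exactly the set that the Run keys and Startup folders cannot switch off; those are the ones to look for under Services rather than in a startup control panel. mobsync.exe shows up as an autorun entry with no running process, consistent with it having been disabled even though the Run value is still listed.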
     
  20. 2003/06/25
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Ok Shannon

    For the IEON thing.

    First go to a command prompt and cd\windows
    type

    dir ieon.*

    If it shows you something like ieon.bat.txt etc., make sure it is renamed to only ieon.bat.


    If that is OK then do this:

    We will use the attrib command to find it in DOS

    attrib iexplore.exe /s

    This should show the DOS path (with ~) to iexplore.

    If this search matches exactly what we pasted into the bat file, then I am stumped for the moment.

    If it does not match, then use WordPad and edit each to reflect the correct path from attrib.

    Mike
     
  21. 2003/06/25
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Check your private mail. PM at the top of one of your messages to me.

    Mike
     