Solved

Problem with internet connection after signing up for AOL, Netscape and PeoplePC

Posted on 2006-05-28
Last Modified: 2008-01-09
Hi,

My daughter has tried Netscape, AOL and now PeoplePC.

She was having problems with her internet connection, so I ran Ad-Aware and Spybot to remove spyware (there was quite a bit, including Alexa). After running these, the internet connection seems to be broken. I can connect intermittently, but I seem unable to maintain an internet connection even though I am connected to the ISP.

I also noticed a rather strange symptom (I assume) of some spyware program. Even though she is not uploading anything, I noticed that there is constant network traffic via the dial-up line and there is almost as much as 3 times as many bytes uploaded as downloaded. This leads me to believe that there is a background program spying on her PC.

I also ran an older version of string.exe

Any ideas?
Question by:Christopher Schene
20 Comments
 

Author Comment

by:Christopher Schene
ID: 16781638
Oh....there is one other really strange symptom.

The task manager is disabled.
0
 
LVL 5

Assisted Solution

by:Computerguy107
Computerguy107 earned 300 total points
ID: 16781665
You might want to consider reformatting your daughter's computer and then secure it with a couple of free software programs, such as Zone Alarm, Ad-Aware and Free AVG anti-virus. Teenagers tend to mess up a Windows-based computer with all sorts of viruses and spyware and whatever else.
0
 
LVL 30

Assisted Solution

by:Irwin Santos
Irwin Santos earned 700 total points
ID: 16781699
You still have malware running on your system. Before you do consider reformatting, run this recipe first. It will take you 5 minutes of manpower, though running the software may take an hour.
------------------------------------
Download and Install.
http://www.majorgeeks.com/HijackThis_d3155.html

Copy and paste your log to:
http://www.hijackthis.de/index.php?langselect=english
Click ANALYZE

Look for NASTIES and post your Analyze log link here
-------------------
Download Ewido (http://www.ewido.net/en/download/), install it, open the program, check for updates, restart the computer, press F8 before the Windows logo appears, select Safe Mode, open Ewido, and run a full system scan. Let Ewido delete all it finds. If anything is called serious by Ewido, disable Norton's GoBack and run Ewido again.
---------------------

If that doesn't immediately resolve your problem...I would reinstall from scratch and apply Computerguy107's comment
0
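A first pass over the startup (O4) entries of a HijackThis log, as an added example that is not part of the original thread. It applies the check the online analyzer's output in this thread describes (a Run value named after its own file) plus three heuristics that are assumptions of this example: an 8-hex-digit file name, a program in a drive root, and a program under a user profile's Local Settings. The sample lines are O4 entries from the log posted further down, without the analyzer's verdict column.

```python
import ntpath
import re

# O4 autorun lines copied from the HijackThis log posted in this thread
# (raw HijackThis format, analyzer verdict column dropped).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [dfa8ad7b.exe] C:\WINNT\System32\dfa8ad7b.exe
O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINNT\System32\win32bootcfg.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [dfa8ad7b.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\dfa8ad7b.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Registry autorun entries: "O4 - HKxx\..\Run*: [value name] command line".
# Startup-folder entries (no [value name]) are deliberately not matched.
O4_RUN = re.compile(
    r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Shortest prefix ending in an executable extension; paths may contain spaces.
EXE_IN_CMD = re.compile(r"^(.*?\.(?:exe|com|bat|scr|pif))(?:\s|$)", re.IGNORECASE)


def executable_of(cmd):
    """Return the program path from a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    match = EXE_IN_CMD.match(cmd)
    return match.group(1) if match else cmd.split()[0]


def reasons_for(name, path):
    """List the heuristics an autorun entry trips (empty list if none)."""
    base = ntpath.basename(path).lower()
    stem = ntpath.splitext(base)[0]
    drive, rest = ntpath.splitdrive(path)
    reasons = []
    # Check described by the analyzer output in this thread: the value is
    # named after its own file (compared here with and without extension).
    if name.lower() in (base, stem):
        reasons.append("name-equals-file")
    # Assumption of this example: 8 hex digits looks like a generated name.
    if re.fullmatch(r"[0-9a-f]{8}", stem):
        reasons.append("hex-name")
    # Assumption: programs rarely start from the root of a drive.
    if drive and rest.count("\\") == 1:
        reasons.append("drive-root")
    # Assumption: per-user Local Settings is an unusual home for an autorun.
    if "\\local settings\\" in path.lower():
        reasons.append("user-profile")
    return reasons


def triage(log_text):
    """Return the O4 registry autoruns that trip at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        match = O4_RUN.match(line.strip())
        if not match:
            continue
        path = executable_of(match["cmd"])
        reasons = reasons_for(match["name"], path)
        if reasons:
            findings.append({
                "key": match["key"],
                "name": match["name"],
                "path": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f'{item["key"]:<18} [{item["name"]}] {item["path"]}')
        print(f'{"":<18} -> {", ".join(item["reasons"])}')
```

Promon.exe is flagged here although the analyzer's database rated it Safe, so the output is a list of entries to review, not a verdict.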

 

Author Comment

by:Christopher Schene
ID: 16781771
OK....I'll try your easy suggestion first.

Thanks.
0
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 16781959
You still have viruses. Use her computer to go to TRENDMICRO.COM and, using IE, get their ActiveX virus scanner, and have it remove all viruses and trojans from her computer, and then install a GOOD antivirus program like McAfee antivirus. Then clean the system again. Once it is cleaned, she is good; you don't need to reformat or reinstall. When the viruses are gone, they are GONE.

Remember to set a gateway on her internet access to be either the router of the DSL modem, whichever is giving DHCP. Finally, kids LOVE peer-2-peer chat programs. They are THE WORST imaginable for viruses. Teach her to use email rather than chat programs on peer2peer networks; they are like unprotected Sxx.
0
 

Author Comment

by:Christopher Schene
ID: 16781977
Here is the hijack analysis

Logfile of HijackThis v1.99.1                 Safe.
Safe.               Shows the version of HijackThis an. The newest version is: v1.99.1!
              This should be the newest version. (v1.99.1)
        Platform: Windows 2000 SP1 (WinNT 5.00.2195)                             
              
        MSIE: Internet Explorer v5.00 (5.00.2920.0000)               Possibly out of date
Possibly out of date               Shows the version of your Internet Explorer. Newest Version is: 6.00.2800.1106!
              The version (5.00.2920.0000) is out of date. Check Windowsupdate to update the Internet Explorer.
        C:\WINNT\System32\smss.exe Check with an antivirus scanner               Safe.
Safe.               running process. (smss.exe)
Systemprozess - Anwendung, die benutzt wird um Sitzungen zu starten, verwalten und löschen.
Visitor's assessment: 4 (Safe)               
        C:\WINNT\system32\winlogon.exe Check with an antivirus scanner               Safe.
Safe.               running process. (winlogon.exe)
Systemprozess - Windows Login Routine
Visitor's assessment: 4 (Safe)               
        C:\WINNT\system32\services.exe Check with an antivirus scanner               Safe.
Safe.               running process. (services.exe)
Systemprozess - Verwaltet die Systemdienste.
Visitor's assessment: 4.33 (Safe)               
        C:\WINNT\system32\lsass.exe Check with an antivirus scanner               Safe.
Safe.               running process. (lsass.exe)
Systemprozess
Visitor's assessment: 4.25 (Safe)               
        C:\WINNT\system32\svchost.exe Check with an antivirus scanner               Safe.
Safe.               running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.
Visitor's assessment: 4.25 (Safe)               
        C:\WINNT\system32\LEXBCES.EXE Check with an antivirus scanner               Safe.
Safe.               running process. (LEXBCES.EXE)
Lexmark LexBce Service
Visitor's assessment: 5 (Very safe)               
        C:\WINNT\system32\spoolsv.exe Check with an antivirus scanner               Safe.
Safe.               running process. (spoolsv.exe)
Systemprozess
Visitor's assessment: 4 (Safe)               
        C:\WINNT\system32\LEXPPS.EXE Check with an antivirus scanner               Safe.
Safe.               running process. (LEXPPS.EXE)

Visitor's assessment: 5 (Very safe)               
        C:\WINNT\System32\svchost.exe Check with an antivirus scanner               Safe.
Safe.               running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.
Visitor's assessment: 5 (Very safe)               
        C:\PROGRA~1\Iomega\System32\ActivityDisk.exe Check with an antivirus scanner               Safe.
Safe.               running process. (ActivityDisk.exe)
SmartSoft Activity Disk
Currently there is no visitor's assessment!               
        C:\WINNT\system32\drivers\KodakCCS.exe Check with an antivirus scanner               Safe.
Safe.               running process. (KodakCCS.exe)

Visitor's assessment: 4 (Safe)               
        C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe Check with an antivirus scanner               Safe.
Safe.               running process. (ptssvc.exe)

Currently there is no visitor's assessment!               
        C:\WINNT\system32\MSTask.exe Check with an antivirus scanner               Safe.
Safe.               running process. (MSTask.exe)
Gehört zu den Windows Powertoys von MS.
Visitor's assessment: 3 (Neutral)               
        C:\WINNT\system32\stisvc.exe Check with an antivirus scanner               Safe.
Safe.               running process. (stisvc.exe)

Visitor's assessment: 4.33 (Safe)               
        C:\WINNT\System32\WBEM\WinMgmt.exe Check with an antivirus scanner               Safe.
Safe.               running process. (WinMgmt.exe)

Visitor's assessment: 4 (Safe)               
        C:\WINNT\System32\ZipToA.exe Check with an antivirus scanner               Safe.
Safe.               running process. (ZipToA.exe)

Currently there is no visitor's assessment!               
        C:\WINNT\Explorer.exe Check with an antivirus scanner               Safe.
Safe.               running process. (Explorer.exe)
Systemprozess für Desktop und Taskleiste.
Currently there is no visitor's assessment!               
        C:\WINNT\System32\Promon.exe Check with an antivirus scanner               Safe.
Safe.               running process. (Promon.exe)
Intel(R) PROSet Tray Icon - Intel(R) PROMonitor
Currently there is no visitor's assessment!               
        C:\Program Files\Iomega\DriveIcons\ImgIcon.exe Check with an antivirus scanner               Safe.
Safe.               running process. (ImgIcon.exe)

Visitor's assessment: 3 (Neutral)               
        C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE Check with an antivirus scanner               Safe.
Safe.               running process. (INSTAN~1.EXE)
Part of Textbridge
Currently there is no visitor's assessment!               
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe Check with an antivirus scanner               Safe.
Safe.               running process. (hpgs2wnd.exe)

Visitor's assessment: 4 (Safe)               
        C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe Check with an antivirus scanner               Safe.
Safe.               running process. (hpgs2wnf.exe)

Visitor's assessment: 3 (Neutral)               
Possibly nasty! According to our database this process runs normally in c:\programme\hewlett-packard\hp share-to-web\! Check if you know this process and arrange a viruscheck where required.
        C:\WINNT\SYSTEM32\3cmlink.exe Check with an antivirus scanner               Safe.
Safe.               running process. (3cmlink.exe)
3Com WinModem Treiber
Currently there is no visitor's assessment!               
        C:\WINNT\SYSTEM32\3cshtdwn.exe Check with an antivirus scanner               Unknown
Unknown               running process. (3cshtdwn.exe)

Visitor's assessment: 4 (Safe)               This is a unknown process.
        C:\WINNT\SYSTEM32\3cmlink.exe Check with an antivirus scanner               Safe.
Safe.               running process. (3cmlink.exe)
3Com WinModem Treiber
Currently there is no visitor's assessment!               
        C:\Program Files\Common Files\ISPCOMP\InstallService.exe Check with an antivirus scanner               Unknown
Unknown               running process. (InstallService.exe)

Visitor's assessment: 3 (Neutral)               This is a unknown process.
        C:\WINNT\System32\per.exe Check with an antivirus scanner               Unknown
Unknown               running process. (per.exe)

Currently there is no visitor's assessment!               This is a unknown process.
        C:\WINNT\System32\dfa8ad7b.exe Check with an antivirus scanner               Unknown
Unknown               running process. (dfa8ad7b.exe)

Currently there is no visitor's assessment!               This is a unknown process.
        C:\WINNT\System32\win32bootcfg.exe Check with an antivirus scanner               Unknown
Unknown               running process. (win32bootcfg.exe)

Currently there is no visitor's assessment!               This is a unknown process.
        C:\WINNT\System32\msnbeta.exe Check with an antivirus scanner               Unknown
Unknown               running process. (msnbeta.exe)

Currently there is no visitor's assessment!               This is a unknown process.
        C:\Program Files\Iomega\AutoDisk\AD2KClient.exe Check with an antivirus scanner               Unknown
Unknown               running process. (AD2KClient.exe)
Executable for Active Disk from Iomega disk - allows software applications to be run directly from an Iomega Zip® disk. Required if you wish the applications to launch on insertion of a disk
Currently there is no visitor's assessment!               This is a unknown process.
        C:\winstall.exe Check with an antivirus scanner               Nasty
Nasty               This entry was classified from our visitors as bad.
Visitor's assessment: 1 (Extremely nasty)               Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
        C:\Program Files\CallWave\IAM.exe Check with an antivirus scanner               Safe.
Safe.               This entry was classified from our visitors as good.
Visitor's assessment: 4 (Safe)               Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
        C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe Check with an antivirus scanner               Unknown
Unknown               running process. (KodakSoftwareUpdater.exe)

Visitor's assessment: 4.67 (Very safe)               This is a unknown process.
        C:\WINNT\system32\ntvdm.exe Check with an antivirus scanner               Safe.
Safe.               running process. (ntvdm.exe)
Systemprozess - Anwendung die es ermöglicht, 16-bit Prozesse auf 32-bit Systemen laufen zu lassen.
Currently there is no visitor's assessment!               
        C:\OPLIMIT\ocrawr32.exe Check with an antivirus scanner               Safe.
Safe.               running process. (ocrawr32.exe)
Bestandteil von Omnipage
Currently there is no visitor's assessment!               
Possibly nasty! According to our database this process runs normally in c:\programme\oplimit\! Check if you know this process and arrange a viruscheck where required.
        C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe Check with an antivirus scanner               Unknown
Unknown               running process. (Bartshel.exe)

Currently there is no visitor's assessment!               This is a unknown process.
        C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe Check with an antivirus scanner               Unknown
Unknown               running process. (PPShared.exe)

Currently there is no visitor's assessment!               This is a unknown process.
        C:\WINNT\System32\rsvp.exe Check with an antivirus scanner               Safe.
Safe.               running process. (rsvp.exe)

Currently there is no visitor's assessment!               
        C:\WINNT\System32\msdtc.exe Check with an antivirus scanner               Safe.
Safe.               running process. (msdtc.exe)

Visitor's assessment: 2 (Nasty)               
        E:\tools\stng260.exe Check with an antivirus scanner               Unknown
Unknown               running process. (stng260.exe)

Currently there is no visitor's assessment!               This is a unknown process.
        C:\PROGRA~1\WinZip\winzip32.exe Check with an antivirus scanner               Safe.
Safe.               running process. (winzip32.exe)

Visitor's assessment: 5 (Very safe)               
        C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe Check with an antivirus scanner               Safe.
Safe.               running process. (HijackThis.exe)
Tool, mit dem sie dieses Logfile erzeugt haben. Das Programm sollte so angelegt sein ! C:\Programme\HijackThis\HijackThis.exe
Currently there is no visitor's assessment!               Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search               Nasty
Nasty               This entry should be fixed by HijackThis!
Currently there is no visitor's assessment!               This entry should be fixed by HijackThis!
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search               Nasty
Nasty               This entry should be fixed by HijackThis!
Currently there is no visitor's assessment!               This entry should be fixed by HijackThis!
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online               Safe.
Safe.               This page has been identified as safe.
Currently there is no visitor's assessment!               
        R3 - URLSearchHook: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll               Nasty
Nasty               
Currently there is no visitor's assessment!               Should be fixed.
        O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll               Safe.
Safe.               Entries found in this registry zone are potentially nasty. This application ([4115122B-85FF-4DD3-9515-F075BEDE5EB5] - Result: 4115122B-85FF-4DD3-9515-F075BEDE5EB5) has been checked. Hit rate: 100,00%
Currently there is no visitor's assessment!               
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll               Safe.
Safe.               Entries found in this registry zone are potentially nasty. This application ([53707962-6F74-2D53-2644-206D7942484F] - Result: 53707962-6F74-2D53-2644-206D7942484F) has been checked. Hit rate: 100,00%
Visitor's assessment: 3 (Neutral)               
        O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll               Nasty
Nasty               Entries found in this registry zone are potentially nasty. This application ([A8FB8EB3-183B-4598-924D-86F0E5E37085] - Result: A8FB8EB3-183B-4598-924D-86F0E5E37085) has been checked. Hit rate: 100,00%
Currently there is no visitor's assessment!               Must be fixed!
        O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx               Safe.
Safe.               Entries found in this registry zone are potentially nasty. This application ([8E718888-423F-11D2-876E-00A0C9082467] - Result: 8E718888-423F-11D2-876E-00A0C9082467) has been checked. Hit rate: 100,00%
Currently there is no visitor's assessment!               
        O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll               Nasty
Nasty               Entries found in this registry zone are potentially nasty. This application ([A8FB8EB3-183B-4598-924D-86F0E5E37085] - Result: A8FB8EB3-183B-4598-924D-86F0E5E37085) has been checked. Hit rate: 100,00%
Currently there is no visitor's assessment!               Must be fixed!
        O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon               Safe.
Safe.               Find more information about its use here
Hit rate: 100,00 % (result)
Visitor's assessment: 3 (Neutral)               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [Promon.exe] Promon.exe               Safe.
Safe.               System Tray icon for Intel PRO series ethernet adapters giving access to the diagnostic features
Hit rate: 95,00 % (result)
Currently there is no visitor's assessment!               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe               Safe.
Safe.               Lexmark/Compaq printer icon in the System Tray for quick access. Not required - uncheck via Printer configuration rather than MSCONFIG. See also LexmarkPrintray and CompaqPrinTray
Hit rate: 95,83 % (result)
Currently there is no visitor's assessment!               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER               Safe.
Safe.               System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences
Hit rate: 100,00 % (result)
Currently there is no visitor's assessment!               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe               Safe.
Safe.               Used by Iomega drives. Details of its purpose can be found here. Available via Start -> Programs
Hit rate: 62,50 % (result)
Currently there is no visitor's assessment!               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe               Safe.
Safe.               Displays Iomega icons in Explorer/My Computer, ejects Zip disks on shutdown and displays a special delete confirmation box when deleting files on an Iomega drive. Available via Start -> Programs. If you disable it remember to eject disks first before powering the drive down - hence the "U" recommendation. Note - FreeCell may not run with ImgIcon running
Hit rate: 45,22 % (result)
Visitor's assessment: 5 (Very safe)               
        O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h               Safe.
Safe.               From TextBridge Pro 9.0 OCR scanner software. Available via Start -> Programs
Hit rate: 100,00 % (result)
Currently there is no visitor's assessment!               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE               Safe.
Safe.               Part of the OCR software TextBridge Pro 9.0 (and possibly earlier versions). Typically used with imaging devices such as scanners and digital cameras for creating text documents from images. This item will probably be displayed twice and will re-instate itself whenever you start the main program so leave it - once started it frees the memory it used. Its purpose and an explanation of how to correct a problem it creates for "Send To" can be found here. Note that you dont have to uninstall TextBridge for this fix to work and the program works fine afterwards. Not used on later versions of the software - hence the U recommendation
Hit rate: 100,00 % (result)
Currently there is no visitor's assessment!               
        O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe               Safe.
Safe.               "HP's exclusive Share-to-Web software makes it easy to share content with others through our affiliate Internet websites." In other words an application that allows users to upload scanned images to their personal webpages if desired. Available via Start -> Programs
Hit rate: 100,00 % (result)
Visitor's assessment: 3 (Neutral)               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun               Safe.
Safe.               Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly
Hit rate: 16,67 % (result)
Currently there is no visitor's assessment!               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe               Unknown
Unknown               ??
Hit rate: 59,44 % (result)
Visitor's assessment: 3 (Neutral)               Unknown application.
        O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON               Safe.
Safe.               HP parallel port driver for certain hardware
Hit rate: 70,00 % (result)
Currently there is no visitor's assessment!               
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime               Safe.
Safe.               QuickTime
Hit rate: 100,00 % (result)
Visitor's assessment: 3 (Neutral)               Not dangerous, but unnecessary.
        O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd               Unknown
Unknown               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               Unknown application.
        O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe               Unknown
Unknown               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               Unknown application.
        O4 - HKLM\..\Run: [rock] rock.exe               Unknown
Unknown               
Hit rate: 0,00 % (result)
Visitor's assessment: 1 (Extremely nasty)               Unknown application.
        O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\per.exe internat.dll,LoadKeyboardProfile               Unknown
Unknown               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               Unknown application.
        O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION               Unknown
Unknown               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               Unknown application.
        O4 - HKLM\..\Run: [dfa8ad7b.exe] C:\WINNT\System32\dfa8ad7b.exe               Possibly nasty
Possibly nasty               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.
        O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINNT\System32\win32bootcfg.exe               Unknown
Unknown               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               Unknown application.
        O4 - HKLM\..\Run: [MSNS PLUS XP2] msnbeta.exe               Unknown
Unknown               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               Unknown application.
        O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE               Safe.
Safe.               Part of the OCR software TextBridge Pro 9.0 (and possibly earlier versions). Typically used with imaging devices such as scanners and digital cameras for creating text documents from images. This item will probably be displayed twice and will re-instate itself whenever you start the main program so leave it - once started it frees the memory it used. Its purpose and an explanation of how to correct a problem it creates for "Send To" can be found here. Note that you dont have to uninstall TextBridge for this fix to work and the program works fine afterwards. Not used on later versions of the software - hence the U recommendation
Hit rate: 100,00 % (result)
Currently there is no visitor's assessment!               
        O4 - HKLM\..\RunServices: [MSNS PLUS XP2] msnbeta.exe               Unknown
Unknown               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               Unknown application.
        O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe               Unknown
Unknown               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               Unknown application.
        O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe               Nasty
Nasty               This entry was classified from our visitors as bad.
Visitor's assessment: 1.08 (Extremely nasty)               Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
        O4 - HKCU\..\Run: [dfa8ad7b.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\dfa8ad7b.exe               Possibly nasty
Possibly nasty               
Hit rate: 0,00 % (result)
Currently there is no visitor's assessment!               It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.
        O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE               Safe.
Safe.               Optical Character Recognition software as part of OmniPage Limited Edition - supplied with some scanners. Scan directly into most word processor applications, such as Word, WordPerfect, etc. Available via Start -> Programs
Hit rate: 4,17 % (result)
Currently there is no visitor's assessment!               Not dangerous, but unnecessary.
        O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe               Safe.
Safe.               Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it. In my case I can verify this as Photoshop loads fine
Hit rate: 90,91 % (result)
Currently there is no visitor's assessment!               
        O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe               Safe.
Safe.               This entry was classified from our visitors as good.
Visitor's assessment: 3.8 (Safe)               Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
        O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe               Unknown
Unknown               
Hit rate: 0,00 % (result)
Visitor's assessment: 5 (Very safe)               Unknown application.
        O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe               Safe.
Safe.               Software bundled with Kodak digital cameras to manage the connection between the PC and the Camera. Can be started manually.
Hit rate: 96,15 % (result)
Currently there is no visitor's assessment!               
        O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe               Safe.
Safe.               This entry was classified from our visitors as good.
Visitor's assessment: 4.4 (Safe)               Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE               Safe.
Safe.               
Hit rate: 94,44 % (result)
Visitor's assessment: 3.5 (Safe)               
        O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe               Safe.
Safe.               PageKeeper Jobs is a separate PageKeeper program that handles the analysis of new documents and keeps track of the location and content of current documents in PageKeeper. Pagekeeper comes bundled with scanners such has HP, Microtek, etc
Hit rate: 63,30 % (result)
Currently there is no visitor's assessment!               
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll               Safe.
Safe.               The entry Real.com has been identified as safe.
Currently there is no visitor's assessment!               If the entry 'Real.com ' is not needed anymore, it should be fixed.
        O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com               Safe.
Safe.               This entry should be fixed if this address does not belong to your PC-manufacturer or your 'Internet-Service-Provider (ISP)'.
Currently there is no visitor's assessment!               
        O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe               Safe.
Safe.               These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
Visitor's assessment: 5 (Very safe)               This service (dmadmin.exe) was identified as a good one.
        O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe               Safe.
Safe.               These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
Currently there is no visitor's assessment!               This service (ActivityDisk.exe) was identified as a good one.
        O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe               Unknown
Unknown               These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
Visitor's assessment: 5 (Very safe)               Unknown service. (IomegaAccess.exe)
        O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe               Safe.
Safe.               These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
Currently there is no visitor's assessment!               This service (KodakCCS.exe) was identified as a good one.
        O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE               Safe.
Safe.               These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
Currently there is no visitor's assessment!               This service (LEXBCES.EXE) was identified as a good one.
        O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe               Safe.
Safe.               These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
Currently there is no visitor's assessment!               This service (ptssvc.exe) was identified as a good one.
        O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe               Safe.
Safe.               These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
Currently there is no visitor's assessment!               This service (ZipToA.exe) was identified as a good one.

0
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16781980
Yikes!! post your analyze log link instead.
0
 
LVL 24

Accepted Solution

by:
Mohammed Hamada earned 700 total points
ID: 16782021
This is possibly a trojan. Run your computer in safe mode and disable System Restore to uncover the hidden viruses/spyware...

Run all the programs recommended by the experts above, and download the following:

SpywareBlaster: (http://www.javacoolsoftware.com/spywareblaster.html)
Other crapware reference sites such as:
 
doxdesk.com: (http://www.doxdesk.com/parasite/)
CounterExploitation: (http://cexx.org/adware.htm)
Kephyr.com: (http://www.kephyr.com/)
PestPatrol: (http://www.pestpatrol.com/)
SpywareGuide.com: (http://www.spywareguide.com/)
Webhelper:(http://www.webhelper4u.com/)

Download Hoster 3.1, it's a very useful tool that helps you to fix your Hoster file.
Download Link: http://www.majorgeeks.com/Hoster_d4626.html
Extract it then run and click on restore MS's original Host file..

The trojan might have disabled all the MS utilities such as regedit/msconfig and taskbar, as you have indicated above. Download the following tool; it will work the same as they do.

http://www.dougknox.com/xp/utils/xp_emergencyutil.zip

The file above will copy and enable the utilities..

You can then use msconfig to disable the startup items, or use regedit to remove any of them.

Make sure you do an antivirus scan.

Good Luck
0
 
LVL 10

Assisted Solution

by:bbrunning
bbrunning earned 300 total points
ID: 16782883
#1 why is dial up being used?

#2  This looks like a trojan....not sure exactly which one.

Currently there is no visitor's assessment!             This is a unknown process.
       C:\WINNT\System32\dfa8ad7b.exe

#3 If you set up all 3 of those programs on her computer they will all broadcast info to the servers they work with. The upload may be high because of the numerous installations of the programs/ISPs that are installed.

Uninstall all the ISP programs you used, then work on this trojan.

Scanspyware is one I'd recommend for this or spysweeper

Both of those are pay programs; if you want a free one, look in Google for these:

adaware
spysweeper
and use windows defender from microsoft.com under popular downloads.

0
 
LVL 10

Expert Comment

by:bbrunning
ID: 16782890
Sorry spybot is the other free one I meant
0
 

Author Comment

by:Christopher Schene
ID: 16784815
Yikes!! post your analyze log link instead.
============================
Oh, Sorry.

http://www.hijackthis.de/index.php?langselect=english#anl
0
 
LVL 3

Expert Comment

by:mav7469
ID: 16784823
Looking at that log.. I think that reformatting would be your best bet.  You look like you have a lot of items that should not be there and it would take a while to remove them all safely.  
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16784946
1- Locate this file and delete it manually from its destinations.

C:\Program.exe

2- Uninstall Popup blockers, and use Google toolbar...

3- Uninstall Tencent QQ program from add/remove utility.

4- Uninstall MSN toolbar.

5- Fix the following...


O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE

O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE

O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll

O9 - Extra 'Tools' menuitem: QQìŲʹ¤¾ßÌõÉèÖà - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll



O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - https://www.rhbinvest.com/rhbinvest/control/cswx.cab
0
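A triage sketch for the kinds of entries singled out in the replies above (`C:\Program.exe`, `C:\WINNT\System32\dfa8ad7b.exe`, and the `(no file)` button), added here as an example and not part of any poster's reply. The three heuristics, the function name `triage` and the sample lines are assumptions constructed for illustration; they are not the rating logic of HijackThis or hijackthis.de.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: formats follow the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
C:\Program.exe
C:\WINNT\System32\dfa8ad7b.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# A drive-letter path ending in .exe or .dll at the end of a log line.
PATH_RE = re.compile(r"([A-Za-z]:\\.*\.(?:exe|dll))\s*$", re.I)
# File names that are exactly eight hex digits, like dfa8ad7b.
HEX_NAME = re.compile(r"[0-9a-f]{8}", re.I)


def triage(log_text):
    """Return (reason, line) pairs for lines that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            # The registry entry survives but its target is gone.
            findings.append(("orphaned entry, target missing", line))
            continue
        match = PATH_RE.search(line)
        if not match:
            continue
        path = PureWindowsPath(match.group(1))
        if len(path.parts) == 2:
            # A file such as C:\Program.exe can be started in place of
            # anything under "C:\Program Files" when a command line is unquoted.
            findings.append(("executable in drive root", line))
        elif HEX_NAME.fullmatch(path.stem) and path.parent.name.lower() == "system32":
            # Vendor software rarely ships random-looking names in System32.
            findings.append(("random hex name in System32", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

A hit is a prompt to inspect the file (signature, timestamps, antivirus scan), not proof that it is malicious.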
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16784956
Please don't forget to use Hoster to stop spyware from redirecting your homepage and downloading spyware from different websites.

Use the Emergency tool to extract the msconfig to remove the startup items including malware which might be found there..

Good luck
0
 

Author Comment

by:Christopher Schene
ID: 16785466
Looking at that log.. I think that reformatting would be your best bet.  You look like you have a lot of items that should not be there and it would take a while to remove them all safely.  
=======================================================
I agree and this is what I have suggested to my daughter. She also has a pirated OS (and so she is afraid to download updates) and so far has not purchased a virus scanner.  I ran the latest version of stng260.exe and found several worms on the computer as well.

It is rather amazing....this is a computer they obtained for a few dollars at a govt auction (it was never taken out of the box) and it has not been used for a few years. After recently being on the internet for less than a month, it is amazing how much junk is on it and much of that junk is newer than 2004 (the last time it was on the internet) so I assume the malware must have been picked up in the last 30 days. wow!

I am obviously going to split points because more than one poster has been helpful to me. I thank you all so much for your assistance.

I will buy my daughter a legit OS, but I assume I cannot buy Win2000 from Microsoft any more (I don't think she has enough space for XP.....only 12 GB): Can I get a legit copy of W 2000 from ebay?

0
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16785483
"Can I get a legit copy of W 2000 from ebay?"
YES..most definitely
0
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16785490
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16785900
12 GB is more than enough for XP, if she is only using chat programs, not games...! XP needs at least 2 or 3 Gigas...

0
 

Author Comment

by:Christopher Schene
ID: 16808756
Thank you all for your help.

I only had 500 pts to split. Wish I had more.
0
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16809378
cool. thank you!
0

Question has a verified solution.