
Uh oh, big trouble, please help me


Name: KatieOh
Date: April 20, 2004 at 14:17:33 Pacific
OS: Windows XP
CPU/Ram: ?
Comment:

Something big and bad has infected my computer. I cannot get online AT ALL (I'm on a different computer at home right now, thankfully we have 2). Forgive my ignorance, I am a novice.

When I try to log onto my MSN account, I get a message that says "unable to sign on because net.passport service is unavailable" (but here I am on another computer with no MSN problems, so it's not the account, it's the computer). I have PC-cillin and SpyHunter and run them frequently. I thought I was being careful but now I feel like an idiot, obviously left myself unprotected. Lately my computer shuts off COMPLETELY when I try to run SpyHunter, so...not sure why. PC-cillin says "not detecting any viruses."

The folks at MSN tried to correct the problem by setting up an MSN Test account but they were unable to get me to the NetPassport page because I keep getting sent to Incredifind.com.

I know I have a virus, but what do I do? MSN suggested calling Sony (my laptop is a SONY VAIO). I would like to try something else before I spend a fortune sending my computer to Sony for repairs.

Should I download something? I will have to download everything to a CD on this computer and transfer it to other computer. Please, I hope someone can help me. Thank you in advance!




Response Number 1
Name: aosclay
Date: April 20, 2004 at 15:24:01 Pacific
Reply:

hey KATIE OH,

give these a whirl, but stay away from HijackThis! for now. You will want help before using that.

Download, unzip, fix with CWShredder:

CWShredder & Hijack This!

Download, install, update, scan/fix with Spybot SD, and Ad-Aware 6.

SpyBot S&D

Ad-Aware 6

If these do not help your situation, come back for more help.

good luck


AOSCLAY



Response Number 2
Name: KatieOh
Date: April 20, 2004 at 16:48:39 Pacific
Reply:

AOSCLAY, thanks! I've downloaded the three fixes onto a CD and will load them onto the sick computer tonight. I'll let you know what happens, but just wanted to say THANKS for such a quick response!

Katie



Response Number 3
Name: viruskiller101
Date: April 20, 2004 at 19:42:43 Pacific
Reply:

since you're on a downloading spree u might want to consider trying other antivirus scanners to see which one works for ya, if nothing but to look at different options, but i highly recommend them

1. download avg 6.0 free ed...yes it's free if u don't want to pay..www.grisoft.com..it's reliable as well

2. nod32 av is best paid version out on market today as they rate it they have a free 30 day trial but after that u have to pay for it...they also have the most awards for detecting and cleaning.
http://www.nod32.com/home/home.html


main thing is to get some sort of firewall again to block those popups and 3rd party intruders. i found during test that the following software successfully blocks those out and much more

zonealarmpro with web filtering.

with all those things you're pretty well protected

good luck.

killer101



Response Number 4
Name: michael2
Date: April 21, 2004 at 09:34:58 Pacific
Reply:

"Lately my computer shuts off COMPLETELY when I try to run SpyHunter".....

You may have the bug that disables spyware from running. A tiny file that kills that bug is CoolWebSearch SmartKiller from.....
http://www.spywareinfo.com/~merijn/downloads.html



Response Number 5
Name: KatieOh
Date: April 21, 2004 at 12:26:49 Pacific
Reply:

viruskiller101, thanks for your help! So far I have downloaded and run CWShredder, SpyBotS&D, and Ad-aware 6; quarantined and deleted all problems, but I still cannot get online. I am downloading nod32 right now and will try that one. I also plan to download avg6.0, but I notice there's now an avg7.0, should I download that one instead? THANK YOU for your help.

Katie






Response Number 6
Name: viruskiller101
Date: April 21, 2004 at 12:32:29 Pacific
Reply:

nah katie the main thing is getting ya up to date with latest software to protect ya against this stuff.. avg 6.0 is free and reliable but i must admit nod32 is pretty darn solid in its own right..if both say u are virus free then that's just what u are..


now ad-ware seems to be a nice spyware malware adware killer, configured right it will detect most all the stuff thats seeks in your computer..


to be safe however u should purchase zonealarmpro with web filtering unless u dont want to spend money i can give ya an easier solution thru email...its the best by far that i tested with that blocks these things out and has useful tools on it.

also can give ya tips on tweaking all of the above to perform a lot better than the default settings

hope this helps and good luck.



Response Number 7
Name: aosclay
Date: April 21, 2004 at 16:15:11 Pacific
Reply:

hmmm, let's see....

killer101... it sounds like you are on the "commission sales/leads" list for some software company. You know, the kind of programs you sign up for and they give you a couple of bucks for every user you turn on to their products...but I digress.

KATIE OH... if you still cannot get on the internet (cannot display webpages) in the process of fixing your problems you may have removed such threats as NewDotNet, or WebHancer. If so, removing these can cause a specific problem that makes it impossible for your browser to load webpages. That's over-simplified, but you get the idea. If you removed NewDotNet or WebHancer and can connect but not seem to load any webpages, let us know. There is a fix for this.

killer101...if you can be so helpful through email, please be just as helpful on a public forum such as this and leave behind a legacy that will help anyone that visits here.

KATIE OH, ask for more help if you need it.

good luck

AOSCLAY



Response Number 8
Name: viruskiller101
Date: April 22, 2004 at 03:45:29 Pacific
Reply:

umm sales rep good one clay and all this time i thought i was helping peps..

well i wish but knowledge is free.

big surprise is all these so called "technicians" are either behind on that or stick with the same old thing so if i recommend someone to view a top rated site that has the awards and testing to back it up and also free then that's a winner..can't make peps stop viewing cracker and porn sites, next best thing is to give them a reliable product that protects them from the incoming viruses/worms/trojans/spyware/malware and etc.

above is my personal opinion and take it as that, no harm intended.

killer101



Response Number 9
Name: KatieOh
Date: April 23, 2004 at 12:39:14 Pacific
Reply:

Hello,

Here's an update to let you know where I am (computer still sick, needless to say):

Ad-Aware 6.0
Scan complete, 0 new objects
*********
Spy-Hunter
Runs for a partial scan, but then shuts down the computer
**********
CWShredder v1.56.3
0 present, none infected
*************
Spybot S&D 1.2
Found:
Message Mates User settings
Wild Tangent Global Settings
(I removed these)
***************
Nod32 AntiVirus Program
C:\hiberfil.sys-error opening [file locked]
C:\pagefile.sys-error opening [file locked]
C:\Program Files\CommonFiles\updater\
delupdat.exe-error opening [access denied]
C:\Program Files\Common Files\updater\
sui.exe-error opening [access denied]
REASON CODE FOR THESE WAS [4] = File cannot be opened. It is being exclusively used by another application or operating system.
*****************
Last one was...
AVG - Antivirus (Free Edition)

1. Virus
Virus Trojan horse Downloader-Keenval.B
is found in file
C:\Program files\Common Files\updater\
delupdat.exe
To remove this virus, please run AVG for Windows
2.Virus
Trojan horse Downloader.Keenval.C
is found in file
C:\Program files\Common Files\updater\
sui.exe
To remove this virus, please run AVG for Windows

Resident Shield msg:
Virus Trojan horse Downloader-Keenval.B
is found in file
C:\PROGRA~1\COMMON~1\updater\delupdat.exe
To remove this virus, please run AVG for Windows
Virus Trojan horse Downloader-Keenval.C
is found in file
C:\PROGRA~1\COMMON~1\updater\sui.exe
To remove this virus, please run AVG for Windows

Thanks for all you've done to help, but it seems as though I'm stuck. Can you think of anything else for me to try before I send my computer out for repair? I am able to connect to the internet but cannot view any pages, cannot send or receive email, can't "go" to any sites anywhere; seems to want to take me to incredifind.com but never fully loads the page.
I am very appreciative of all your help, so thanks again in advance!




Response Number 10
Name: aosclay
Date: April 23, 2004 at 13:06:38 Pacific
Reply:

hmmm...

if you still have access to another computer you can download from, I would be curious to see what TDS-3 does with keenval.* (if anything).

this is a two step process:

First download TDS-3

TDS-3

Then follow this link to get the latest Radius Database update for TDS-3. FOLLOW THE INSTRUCTIONS YOU SEE ON THAT PAGE TO APPLY THIS UPDATE.

Update Radius Database

I see a lot of people fighting with keenval.* on here lately and on other sites, and i haven't yet seen a hard fix. If you are up for it, give this a try. I'd be very interested in the results.

AOSCLAY



Response Number 11
Name: viruskiller101
Date: April 23, 2004 at 13:12:38 Pacific
Reply:

nonsense you're never stuck as long as you ask for help..i notice these files

C:\Program files\Common Files\updater\
delupdat.exe
C:\Program files\Common Files\updater\
sui.exe
C:\PROGRA~1\COMMON~1\updater\delupdat.exe
C:\PROGRA~1\COMMON~1\updater\sui.exe

what's happening is this particular trojan is using windows environment program as it runs meaning u can't delete it as it is running..


try this first to prove if it is running or not.

click start. search...find files folders..tools folder options..view..scroll down and select show hidden and system files

once that is done type this one first in search path.

delupdat.exe

you'll get a message from avg saying it's a trojan, just ignore that message and right click on delupdat.exe and try to delete it..

same goes for the next file


sui.exe

both of these are exe files and sometimes u can remove them thru windows and sometimes not but try it and see...next move on to the other ones that avg was unable to clean.

if by chance it says access denied u going to have to remove it manually but first try that and repost on here if it worked or not. i will lead you thru the manual remove step

good luck.



Response Number 12
Name: aosclay
Date: April 23, 2004 at 13:15:43 Pacific
Reply:

PS:

Download HijackThis! (if you can)

Let's see your log.

Hijack This!

good luck!

AOSCLAY



Response Number 13
Name: KatieOh
Date: April 23, 2004 at 14:13:00 Pacific
Reply:

AOSCLAY, which should I try first, TDS3/update database or Hijack This?

Thanks,
Katie




Response Number 14
Name: aosclay
Date: April 23, 2004 at 14:27:50 Pacific
Reply:

either or...TDS-3 is intended as a potential fix

HijackThis! is to help you get info about your system. DON'T START USING HIJACK THIS TO REMOVE THINGS WITHOUT ASKING FOR HELP FIRST!

I say go ahead and try TDS-3/update database first.

After you've installed/updated/run TDS-3, then we'll worry about looking at your Hijack Log.

TDS-3 is not so straightforward and user-friendly as many products you might be used to. If you find yourself looking at it saying "Now what?" don't worry.

good luck

AOSCLAY



Response Number 15
Name: KatieOh
Date: April 27, 2004 at 12:33:28 Pacific
Reply:

OK, I'm back again! I downloaded TDS-3 onto a cd but have hit a snag with the radius update. How do I save the downloaded radius to the TDS directory? Nothing happens when I right-click radius.td3; when I left-click I get the message that Windows can't open the file.

Thanks!



Response Number 16
Name: aosclay
Date: April 27, 2004 at 12:49:16 Pacific
Reply:

ok,

have you:

1) downloaded the file:

radius.td3 ??

2) Installed TDS-3 on the troubled computer?

To manually update the radius file, you must first install TDS-3 on the machine you want to use it on.

Once you install TDS-3, copy and paste the downloaded file radius.td3 into the TDS-3 directory. Overwrite the existing file. Location of the TDS-3 directory should be:

C:\Program Files\TDS3

The file radius.td3 already exists in this directory. The one you downloaded is a more "current" version. You want to replace the one that already exists in the TDS-3 directory with the one you downloaded.

Let's get that far first

good luck!

AOSCLAY



Response Number 17
Name: KatieOh
Date: April 27, 2004 at 14:27:54 Pacific
Reply:

OK, I installed TDS-3 and pasted the downloaded "update" into the TDS file (thanks for the great instructions or I would never have been able to figure it out!)

The TDS scan came back with "No trojan mutexes found."

I also deleted "delupdat.exe" and "sui.exe" following VirusKiller101's instructions. And then I also deleted it from the recycle bin. I ran AVG again and it came back "nothing detected"

Should I run "Hijack This"?

Thanks,
Katie



Response Number 18
Name: aosclay
Date: April 27, 2004 at 14:44:19 Pacific
Reply:

First Question:

Is your troubled PC back to behaving normally yet?

If the answer is YES, then ignore the rest of this reply :)

If not, let's do the following.

1)Run TDS-3 (Start>All Programs>TDS-3>TDS-3)

You will see the TDS-3 Control Console Open, you will see it run a quick scan of processes, etc...This will run pretty quickly. Let this short scan finish.

2)Select: System Testing > Normal Scan

You will see a scan begin. This one will take quite a bit longer, so be patient. If it turns up any results, let me know. I am curious if it turns up any remnants of keenval.* You can try this if you would like.

AOSCLAY



Response Number 19
Name: KatieOh
Date: April 27, 2004 at 17:43:44 Pacific
Reply:

No, I still am not able to open any internet pages, nor my email account.

I ran TDS, and I got a message of "No Trojan mutexes" on the "quick" scan. When I ran "System Testing>Normal Scan" I got a list of "alarms," but I don't see Keenval in the list. (Also I can't figure out how to print or save what's listed in case you want to know what's on there)

HERE'S SOMETHING ELSE THOUGH!!!
AVG Resident Shield popped up with a message:
Trojan horse Downloader.Keenval.B is found in file
C:\System Volume Information\_restore {A HUGE STRING OF NUMBERS HERE!}\RP430\A0058323.exe
So it looks like Keenval is back even though the last AVG scan came back clean.

This is one stubborn bug! GRRRRRR!

Katie



Response Number 20
Name: GreenEyes
Date: April 27, 2004 at 18:31:21 Pacific
Reply:

Can someone please help me. A pop up comes on my computer that says:

Trojan horse Downloader.Keenval.B
C:\System Volume Information\-restore {3521653B-96CD-43B7-BFFE-F1BE5E5F3921}\RP142\A0010365.exe

Can someone please tell me how I can get rid of this........this is a new computer and I do not want to have it crash.

Thank you.


GreenEyes



Response Number 21
Name: KatieOh
Date: April 27, 2004 at 18:46:49 Pacific
Reply:

Green Eyes,

This sounds like what I'm battling right now. I'm not able to access email or any other sites because I'm hijacked to a page called "incredifind.com" (I'm using another computer in our house to communicate here)

I have found lots of very patient and kind people here, stay tuned to this thread and maybe someone can help you (I hope). Good luck!

Katie



Response Number 22
Name: aosclay
Date: April 27, 2004 at 18:51:29 Pacific
Reply:

hey Katie Oh,

I believe the message when TDS-3 detects a confirmed threat is "Positive Identification" or something similar (the exact phrasing slips my mind. Possibly "Positively Identified").

Run the scan again, just like you did before. The "alarms" are potential or confirmed threats. In the column on the left hand side of the console it will tell you the status of the detected threat. Anything that is positively identified... "DELETE" it. When you right-click on one of the detected items, one of the options is to delete it. Do so for anything confirmed as a threat or adware.

Not every threat may be automatically deleted. If its a running process, TDS-3 will ask you if it can kill it first before attempting to delete it.

As for the name, every Virus / Trojan scanner reports threats by different names. I don't know what TDS-3 calls keenval. Also, it may have detected other threats that your other scanners did not.

IF IN DOUBT, WRITE THEM DOWN BY HAND, along with their disposition (Adware Threat, Positively Identified, etc...)

Like I said, TDS-3 is not quite as simple as some scanners you might be used to, but it is very effective.

Run the TDS-3 scan again, trying the above suggestions. If this still does not clear things up, we will talk about a Hijack This Log.

good luck!

(I may not be back until tomorrow, but post anyway. I or somebody else will see it soon).

GOOD LUCK!

AOSCLAY



Response Number 23
Name: aosclay
Date: April 27, 2004 at 19:20:51 Pacific
Reply:

Katie Oh,

I forgot about your incredifind problem...

after you scan and attempt removal with TDS-3, feel free to post your Hijack This Log.

We've gone this far...might as well go all the way. If you need help in doing this, just let me know.

DO NOT REMOVE ANYTHING WITH HIJACK THIS WITHOUT SOME HELP!

good luck!

AOSCLAY



Response Number 24
Name: GreenEyes
Date: April 27, 2004 at 19:49:06 Pacific
Reply:

Katie Oh,

Sounds like we have the same virus, however, I still have access to email and the internet............I just want to get rid of the darn thing. Please keep me posted.

Thanx.


GreenEyes



Response Number 25
Name: aosclay
Date: April 27, 2004 at 19:51:33 Pacific
Reply:

Hey GreenEyes,

stick around, and we'll get yours too

gotta go for tonight

hang tough KatieOh / GreenEyes

there will be some light at the end of the tunnel (even if its a freight train).

see you tomorrow

AOSCLAY



Response Number 26
Name: KatieOh
Date: April 28, 2004 at 11:25:46 Pacific
Reply:

Hi AOSCLAY, Here's my logfile as of this morning. Just ran all virus scans again with no viruses present. Still can't read email or webpages. Thanks! Katie


Logfile of HijackThis v1.97.7
Scan saved at 11:13:52 AM, on 4/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ICO.exe
C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\iedriver.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\SCMain.exe
C:\WINDOWS\WCMain.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myfunstart.com/?pc=srhp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myway.com/mysearch/?ptnrS=BW
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iedriver] C:\WINDOWS\System32\iedriver.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
O4 - Global Startup: Stardust Wallpaper Control 2003.lnk = C:\WINDOWS\WCMain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: RemindU (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1082135711984
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37673.3688078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




Response Number 27
Name: aosclay
Date: April 28, 2004 at 12:54:52 Pacific
Reply:

First, you ran TDS-3 again, and last night it found alarms, but today found nothing? I am going to assume you use it to remove some things...anyway on with the show.

Yes, you have a bunch of junk on your computer. Here we go. Baby steps...

Use HijackThis to remove the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myfunstart.com/?pc=srhp

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myway.com/mysearch/?ptnrS=BW

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL

do those first, then we'll get the rest (don't want to overwhelm you)

good luck!


AOSCLAY



Response Number 28
Name: aosclay
Date: April 28, 2004 at 13:03:26 Pacific
Reply:

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\Run: [iedriver] C:\WINDOWS\System32\iedriver.exe

O10 - Broken Internet access because of LSP provider 'imon.dll' missing

(uh, oh...you will probably need to try LSPfix)

If you still cannot load web pages, let me know. You might have another problem (discussed much earlier in this thread)

Remove this junk and post a new log.

Good luck!

AOSCLAY



Response Number 29
Name: aosclay
Date: April 28, 2004 at 13:41:21 Pacific
Reply:

HOPE YOU READ THIS BEFORE YOU FIX!

when you run Hijack This, you will see a notification warning you to copy HijackThis to a permanent directory, rather than run it from removable media such as a CD. In other words, on your hard drive, and not to run it from CD. I assume F:\ is a CD-ROM drive on your computer.

If you do not do this, Hijack This cannot make back ups of things you fix with it.

Copy Hijack This into its own folder on your computer

AOSCLAY



Response Number 30
Name: aosclay
Date: April 28, 2004 at 13:52:18 Pacific
Reply:

and this:

O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm

AOSCLAY



Response Number 31
Name: aosclay
Date: April 28, 2004 at 14:01:49 Pacific
Reply:

and this:

O9 - Extra button: RemindU (HKCU)

AOSCLAY


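The review that Responses 27 to 31 perform by eye on the log from Response 26 can be sketched as a first-pass triage script; this is an added Python example, not part of the thread and not HijackThis code. The function names, the finding labels and the use of the O14 IERESET.INF line as a home-page baseline are assumptions of this example; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted in Response 26 (excerpt).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myfunstart.com/?pc=srhp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myway.com/mysearch/?ptnrS=BW
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # "O2 - BHO: ..." -> ("O2", "BHO: ...")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")
LSP_MISSING = re.compile(r"LSP provider '([^']+)' missing")


def parse(log):
    """Return (section, body) pairs; header and process-list lines do not match."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]


def host(url):
    """Hostname of a URL with a leading 'www.' dropped, for comparison."""
    name = urlparse(url).hostname or ""
    return name[4:] if name.startswith("www.") else name


def triage(log):
    """Return (kind, section, detail) findings for a human to review."""
    entries = parse(log)
    # Assumption of this example: the O14 IERESET.INF URL is the vendor default
    # home page, so R0/R1 values on another host were changed after install.
    # With no O14 line the set is empty and every R0/R1 URL is listed.
    defaults = {host(u) for s, b in entries if s == "O14" for u in URL.findall(b)}
    findings = []
    sections_by_clsid = defaultdict(set)
    for section, body in entries:
        for clsid in CLSID.findall(body):
            sections_by_clsid[clsid.upper()].add(section)
        if section in ("R0", "R1"):
            for url in URL.findall(body):
                if host(url) not in defaults:
                    findings.append(("redirect", section, host(url)))
        elif section == "O1":
            # A hosts-file override is only a prompt to check the mapping.
            findings.append(("hosts-override", section,
                             body.split("Hosts:", 1)[-1].strip()))
        elif section == "O2" and body.endswith("(file missing)"):
            # The browser helper is still registered but its DLL is gone.
            m = CLSID.search(body)
            findings.append(("orphaned-bho", section,
                             m.group(0).upper() if m else body))
        elif section == "O10":
            # A missing Winsock LSP breaks the provider chain, which fits
            # "connected but no page loads".
            m = LSP_MISSING.search(body)
            if m:
                findings.append(("broken-lsp", section, m.group(1)))
    # One CLSID hooked in under several sections: every entry has to go,
    # otherwise the component is still loaded through the remaining one.
    for clsid, sections in sections_by_clsid.items():
        if len(sections) > 1:
            findings.append(("shared-clsid", "/".join(sorted(sections)), clsid))
    return findings


if __name__ == "__main__":
    for kind, section, detail in triage(SAMPLE_LOG):
        print(f"{section:6} {kind:15} {detail}")
```

The output is a review list, not a removal list: the thread itself later notes that the O1 hosts entry was legitimate.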

Response Number 32
Name: GreenEyes
Date: April 28, 2004 at 17:46:44 Pacific
Reply:

AOSCLAY,

How do I remove my Trojan horse Downloader.Keenval.B?

I downloaded SpyBotS&D last night and ran it.........it removed a bunch of infected things, but lo and behold, today I logged on and BANG..............my trojan popped up again.

What can I do? I already have AVG and Freedom virus scanners on here and now I have SpyBot..........what more can I do?

Thanx.


GreenEyes



Response Number 33
Name: S.T.A.R.
Date: April 29, 2004 at 03:40:19 Pacific
Reply:

GreenEyes :-)

First, you should post/start your own separate question. Not everyone, has the same exact problem.

Second, what is your operating system? WinXP, WinME? My guess, would be one of those :-) Since you posted on someone else's question, we can't see that.

Third, where is this trojan at? (The address, e.g. c:\_restore\temp) By that, I'm asking where AVG said it was.

If it's in the restore folder, system restore will need to be disabled, to delete it right away. Or it.....

I'm rambling, so I'll stop :-) not enough sleep.



Response Number 34
Name: KatieOh
Date: April 29, 2004 at 11:07:27 Pacific
Reply:

Hi, AOSCLAY,

You wrote:

"O10 - Broken Internet access because of LSP provider 'imon.dll' missing

(uh, oh...you will probably need to try LSPfix)"

That sounds icky! What's LSPfix?
Unfortunately I will not be able to post again until Monday. I'll let you know what happens after I delete all those things you listed above. Have a good weekend!

Katie




Response Number 35
Name: aosclay
Date: April 29, 2004 at 11:26:22 Pacific
Reply:

"That sounds icky! What's LSPfix?"

LOL...icky....

no, don't worry, its not icky and you may not even have to do it. we'll cross that bridge when we come to it

see you on Monday!

good luck!


AOSCLAY



Response Number 36
Name: GreenEyes
Date: April 30, 2004 at 19:58:45 Pacific
Reply:

AOLCLAY,

I have WindowsXP.

The trojan that I have says:

Trojan horse Downloader.Keenval.B

C:\System Volume Information\-restore{3521653B-96CD*43B7-BFFE-F1BE5E5F3921}\RP142\A0010365.exe

Can you help me now?

Thanx.


GreenEyes



Response Number 37
Name: aosclay
Date: April 30, 2004 at 20:09:55 Pacific
Reply:

yes,

turn off your System Restore, and run your AV software again.

Many AV programs cannot remove viruses backed up in your System Restore.

This is a "must-do" step in attempting to remove any virus, pest, or other threat.

good luck!


AOSCLAY



Response Number 38
Name: aosclay
Date: April 30, 2004 at 20:14:03 Pacific
Reply:

PS: its ao-S-clay

ao-L-clay is a Time Warner spokesman I believe :)

smile, I even type aol--- some times.

AOSCLAY



Response Number 39
Name: CrazyOne
Date: April 30, 2004 at 23:23:15 Pacific
Reply:

GreenEyes :-)

This, will help explain, how to do that. If, you didn't know.

Good Luck ;-)
p.s. I kind of thought, that might be the problem.
C.O.



Response Number 40
Name: KatieOh
Date: May 3, 2004 at 14:36:11 Pacific
Reply:

Hi AOSCLAY,

I'm back again! OK, I removed the entries you indicated in response #27, 28, 30 & 31. Still can't load web pages. GRRRR!

Katie



Response Number 41
Name: aosclay
Date: May 3, 2004 at 15:43:54 Pacific
Reply:

Post a new Hijack Log here

and when you can, download this:

LSPFix

Lets check your log and see if you are ready to get rolling again.

PS: This entry:

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

was legit (dcsresearch.com is often redirected, but this was the legit address) but it won't hurt anything if you removed it from your hosts file.

Post your new Hijack log and download LSPFix

good luck

AOSCLAY



Response Number 42
Name: KatieOh
Date: May 3, 2004 at 15:58:04 Pacific
Reply:

This was on the site:

"Before Downloading {LSPFix}, read this:
There is a known issue with using this software in combination with obsolete versions of Lavasoft's popular AD-Aware utility. A known issue in some versions of AD-Aware results in improper removal of pests such as New.Net, CommonName, and WebHancer, resulting in lost Internet access. If LSP-Fix is used subsequently to repair these errors, the system may begin exhibiting crashes in MSAFD.DLL and/or RPCSS. This can be fixed by performing a "hard restore" of Windows' networking components. This involves uninstalling the "Communications" item in Windows setup, deleting the Winsock2 registry key, and reinstalling Communications. http://support.earthlink.net/mu/1/psc/img/walkthroughs/windows_9x_nt/dialers/dun_1.3/5289.psc.html explains this procedure in detail."

I installed Ad-Aware on 4/20. Will this be a problem for me?

Thanks; I'll repost Hijack Log in a bit.

Katie



0

Response Number 43
Name: aosclay
Date: May 3, 2004 at 16:20:57 Pacific
Reply:

I have never had this problem with Ad-Aware 6.0

that is likely to be the version you have

AOSCLAY


0

Response Number 44
Name: KatieOh
Date: May 3, 2004 at 20:39:46 Pacific
Reply:

Hi AOSCLAY,

Here is my most recent hijack this log.

Katie

Logfile of HijackThis v1.97.7
Scan saved at 8:32:23 PM, on 5/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ICO.exe
C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\SCMain.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\WCMain.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
O4 - Global Startup: Stardust Wallpaper Control 2003.lnk = C:\WINDOWS\WCMain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1082135711984
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37673.3688078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



0

Response Number 45
Name: KatieOh
Date: May 3, 2004 at 20:44:59 Pacific
Reply:

PS Something that I read today raised a flag...right before all "this" happened, I downloaded a security update from Windows. Now I'm reading about problems with Windows Service Pack 2. One of the messages that I get when I log on and try to use "Messenger" is that my internet firewall is prohibiting me from using Messenger (or something to that effect). I have not made any changes to my firewall that I know of. Could the update have changed my firewall settings? Could that be why I can't get to my email or any webpages?

Might be a dumb question, but I'm really stretching for answers now :P

Katie


0

Response Number 46
Name: aosclay
Date: May 3, 2004 at 21:51:29 Pacific
Reply:

ok, Katie Oh...

What program did you download Service Pack 2 for? WinXP SP2 isn't really out yet (it should be this summer), and looking at your log you're XP SP1.

Perhaps I am lumping two different statements together...sorry if I am.

Did you download LSPFix?

If in doubt about the Windows security update you downloaded, UNINSTALL IT. Go into add and remove programs. You will find all the updates you've downloaded listed there as Windows Hotfix-KB83....

Anyway, IF YOU CAN ESTABLISH AN INTERNET CONNECTION BUT CANNOT LOAD ANY PAGES (CANNOT BROWSE) IT'S ABOUT TIME TO TRY LSPFIX...I SEE NOTHING LEFT IN YOUR LOG THAT SHOULD BE PREVENTING YOU FROM ACCESSING WEB SITES AND EMAIL.

In fact, just about the only thing left in your log are some "unnecessary" but not dangerous items.

It wouldn't hurt you to get rid of Spy Hunter either. It's questionable at best.

This entry should not be causing you problems (it appears legit, not a hijack) but if in doubt, you can remove it with Hijack This and restore it if you don't like the result:

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

If there was a problem or error with this entry, it could conceivably interfere with the functionality of your browser. (long shot, though).

My best guess is that your LSP chain was broken by the infection by or removal of spyware elements.

LSPFix will reorder this to a functional state. I have used it many times. If LSPFix scares you, there are other Winsock Repair Utilities on that same site you can try. The only time I have had it go bad on me was when I got a little too creative using it. But I expected that when I did it. IT IS AN AUTOMATED TOOL. If it finds problems, it will show them to you and fix them.

It is not likely to hurt to try it.

IF YOU CANNOT ESTABLISH A CONNECTION AT ALL then I am going to kick myself. You may have developed hardware problems. It happens all the time.

Let me know what you are willing to try from here.

My suggestion is to try LSPFix...and confirm that your Hardware is working...check your modem. Do you have a connection? (you would be shocked at how many people do not know if they are even connected to their DSL or Cable connection).

Second, what firewall are you using...and what happens when you disable it? Try this if you haven't.

When you reach the end of the line like this KatieOh, you have to start shaking things up to get back in the game. Do not be afraid to try things. But if you tinker, tinker one step at a time so you can go back and undo what you just did, and don't step off of cliffs...stop when you get uncomfortable.

Let me know how you come out...if you want to try something and need help, ask and I will be happy to advise you.

gotta go to bed now.

Try what you would like, KatieOh

GOOD LUCK!

AOSCLAY


0
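An added example, not part of any post in this thread and not HijackThis's own code: a small parser for the log format shown in response 44 that groups entries by section code and lists the ones a helper would look at by hand. The sample lines are copied from the thread; the review categories (`hosts-override`, `script-autorun`, `relative-path-autorun`, `unresolved-shortcut`) are assumptions of this example, and none of them is a verdict on the entry.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log in response 44, plus the O1 line
# quoted in response 41 (already removed from the machine by then).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WScript.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: PowerPanel.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")               # "O4 - <body>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")  # Run-key autoruns
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")                # hosts-file lines
PROGRAM = re.compile(r"(?i)^(.*?\.(?:exe|vbs|js|bat|cmd|wsf))(?:\s|$)")
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".wsf")

def parse_log(text):
    """Split a HijackThis log into running processes and entries by section."""
    processes, sections, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            sections[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(sections)

def command_path(cmd):
    """Return the program part of an autorun command, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = PROGRAM.match(cmd)  # unquoted: cut at the extension, keep spaces in path
    return m.group(1) if m else cmd

def review_items(sections):
    """List entries for a human to check; each item is a prompt, not a verdict."""
    notes = []
    for body in sections.get("O1", []):
        m = HOSTS.match(body)
        if m:
            notes.append(("hosts-override", m.group(2), m.group(1)))
    for body in sections.get("O4", []):
        m = RUN.match(body)
        if m is None:
            if body.endswith("= ?"):  # startup shortcut with unreadable target
                notes.append(("unresolved-shortcut", body.split(": ", 1)[1].rsplit(" = ", 1)[0], "?"))
            continue
        name, path = m.group(3), command_path(m.group(4))
        if path.lower().endswith(SCRIPT_EXT):
            notes.append(("script-autorun", name, path))
        elif not re.match(r"[A-Za-z]:\\", path):
            notes.append(("relative-path-autorun", name, path))
    return notes
```

Calling `review_items(parse_log(SAMPLE_LOG)[1])` returns the four entries worth a second look in this excerpt, including the `server.vbs` autorun that accounts for `WScript.exe` appearing among the running processes.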

Response Number 47
Name: KatieOh
Date: May 3, 2004 at 22:09:38 Pacific
Reply:

Before I start I just wanted to THANK YOU again for all the time you've spent giving me advice about my sick computer. I really do appreciate it very much!

To answer your questions:

Q: What program did you download Service Pack 2 for? WinXP SP2 isn't really out yet (it should be this summer), and looking at your log you're XP SP1.

A: I wasn't actually sure that I downloaded it (and from your response it looks like I didn't!). Just thought it was interesting that some people have had connection problems after downloading the trial version. I automatically click the balloon whenever Windows sends me an update, so I wondered if I possibly downloaded the trial version.

Q Did you download LSPFix?
A Yes, will try running that tomorrow.


Q check your modem. Do you have a connection? (you would be shocked at how many people do not know if they are even connected to their DSL or Cable connection).
A I think I have a connection, but I am a novice so...when I click "sign on" I hear a dial tone, then connection "noise;" then it gives me my usual "Good morning," but when it comes to signing in, it goes directly to "2nd attempt" and then tells me net passport is unavailable. I'm nearly positive I'm connected, just can't browse.

Q Second, what firewall are you using...and what happens when you disable it? Try this if you haven't.
A. Just using the firewall that came with Windows XP. I will try disabling it.

I'll keep you posted. Thanks again, AOSCLAY! See you tomorrow.

Katie


0

Response Number 48
Name: aosclay
Date: May 4, 2004 at 06:55:42 Pacific
Reply:

KATIE OH -

!WARNING!

I meant TEMPORARILY disable your firewall...just to see if it could be interfering!

DO NOT LEAVE IT DISABLED FOR LONG IF YOU ARE CONNECTED TO THE INTERNET!

I have yet to have a serious problem with XP's firewall.

BE CAREFUL ABOUT CONNECTING TO THE INTERNET WITH A DISABLED FIREWALL

If it doesn't make any difference....RE-ENABLE IT IMMEDIATELY!

sorry, I should have told you this before.

How up-to-date are your XP patches?

And what kind of connectivity do you have...DSL, Cable, dial-up, etc...

good luck!

AOSCLAY


0

Response Number 49
Name: KatieOh
Date: May 4, 2004 at 08:52:00 Pacific
Reply:

I'll try turning off the firewall, but will disconnect and turn it back on immediately if that doesn't work. I think I already tried that, but I'll give it another go.

Q How up-to-date are your XP patches?
A How can I find out?

Q And what kind of connectivity do you have...DSL, Cable, dial-up, etc...
A Dial-up

Katie


0

Response Number 50
Name: aosclay
Date: May 4, 2004 at 11:52:12 Pacific
Reply:

"Q How up-to-date are your XP patches?
A How can I find out?"

Since you don't seem to be able to access sites and such, it will be difficult to say exactly. There will be a list of "Windows Hot Fixes" in your add/remove programs list. There are tools to tell you (like Microsoft's Baseline Security Analyzer) but they require a working connection.

Visiting the Windows Update site and following the steps there will also tell you.

But that's all pretty much irrelevant.

Have you ever done a Windows Update? and if so, how long ago, and did you download the "Critical" updates?

It's not that important for me to know, but is important for you to do so when you can.

AOSCLAY

My Computer Works


0

Response Number 51
Name: KatieOh
Date: May 4, 2004 at 12:27:14 Pacific
Reply:

I download all updates when prompted by Windows, so I'm sure I've downloaded all the critical updates.

This morning I turned off system restore and ran AVG, AdAware, SpyBot S&D and TDS full system scan one more time. All came back clear except Spybot (detected Wild Tangent Hikey_Local_Machine\software\Wild Tangent). I removed that one.

As for LSP Fix: What do I do with this? This is what it indicates: Under the "file" column it reads:
mswsock.dll
winmr.dll
rsvpsp.dll
And under the Description Column it reads:
Tcpip
NDTS
(Protocol Handler)

It doesn't look like I can select anything unless I click the box "I know what I'm doing" or something to that effect. How should I proceed?

Thanks!
Katie


0

Response Number 52
Name: aosclay
Date: May 4, 2004 at 12:41:08 Pacific
Reply:

Ok, just click "FINISH" in the window that comes up when you run LSPFix. A list will then pop up (Repair Summary) detailing what fixes if any were applied.

That's all there is to it.

DO NOT CHECK "I KNOW WHAT I AM DOING" and start tinkering.

Does it report any repairs were made?

AOSCLAY
My Computer Works


0

Response Number 53
Name: KatieOh
Date: May 4, 2004 at 12:46:29 Pacific
Reply:

Repair Summary
Repairs complete
0 Name Space provider entries removed
0 Name Space provider entries renumbered
0 Protocol provider entries removed
0 Protocol provider entries renumbered

So I guess it didn't change anything?


0

Response Number 54
Name: aosclay
Date: May 4, 2004 at 12:59:01 Pacific
Reply:

nope, it didn't change anything

I am growing suspicious of your hardware...

If you connect via dial-up modem, you should plainly see a connection icon down by your clock.

sorry, KatieOh, you may have a problem that isn't going to be fixed this way

I will admit, that we have been at this so long, I don't remember where we started.

If your modem is not functioning properly, you will not be able to get on the net or check email.

Yes, I am becoming hardware suspicious

Tell me what you want to do from here...

good luck

AOSCLAY
My Computer Works


0

Response Number 55
Name: KatieOh
Date: May 4, 2004 at 13:36:34 Pacific
Reply:

AOSCLAY,

Well, we can't say you didn't try! You've been a great help, but it does look like I'm going to need to send her in for repairs. I, too, am beginning to suspect that it's hardware related.

Before we sign off, please give me your best advice on how to completely protect THIS computer so it doesn't go the same route as my other one. Which virus/spyware/firewalls do you think I should install? How often should I run them? This computer is using PC-cillin only, so I guess I'm lucky we haven't already fallen prey to anything worse.

Thanks again for everything!
Katie



0

Response Number 56
Name: KatieOh
Date: May 4, 2004 at 13:38:51 Pacific
Reply:

Forgot to mention that this one is a Sony Vaio notebook (laptop?). Using Windows XP.



0

Response Number 57
Name: aosclay
Date: May 5, 2004 at 07:15:45 Pacific
Reply:

sorry KatieOh,

Sometimes these things are hard to fix in such a remote manner. The variables are endless, and there are only so many things we can cover on a forum like this.

As for protecting your other PC...

I think you said it's running XP (I thought the laptop was the sick machine during all of this).

If you are running XP on the machine you want to protect here is my advice.

ONE:
Do your Windows Updates regularly and faithfully. They are important. You will spend less time on them than on fixing the problems that come from not having them.

TWO:
The best anti-virus protection is between the keyboard and the chair....YOU! Don't get baited by bogus emails, don't cruise bad sites, and be very selective in what you download and from where. Use the Anti-Virus software of your choice, but I will always recommend Symantec's Norton Anti-Virus.

THREE:
If you are not content with XP's built-in firewall (which is sufficient, but not outstanding) try Zone Alarm...It is well liked by many and should serve you well.

FOUR:
To guard against spyware I will recommend the following products hands down. They are free and they are wonderful.

CWShredder Download, Unzip, Run, “Fix” -
Run the Shredder from time to time...You will be surprised. And update it whenever you can.

SpyBot S&D Download, Install, Update, Run -
SpyBot has several built-in features to help protect you, like a hosts-file add-in to block bad sites, "immunizations", and a little thing called Resident. Read up on it, use all the protections it offers, and run it every once in a while to keep the house clean.

Ad-Aware 6 Download, Install, Update, Run -
Feel free to use Ad-Aware in conjunction with SpyBot to help keep things cleaned up. Ad-Aware is updated frequently these days and will be very useful to you. Update it often, and use it for cleaning.

SpywareBlaster Download, Install, Download Latest Protection Updates, Enable All Protection
This step is important. SpywareBlaster will not remove spyware. It is intended to help keep it from installing in the first place. It is top notch...Use it as above, and check it often for updates.

You would be amazed at how effective these simple things are...

But no protection is more important than your smart behavior. Stay away from the adult sites, the casinos, and the peer-to-peer file sharing networks. I could go on and on, but you get the idea.

I cannot give you advice on how to COMPLETELY protect any computer...it cannot be done. But this will help you.

GOOD LUCK, KATIE OH

YOU WERE A CHAMP!

AOSCLAY


0

Response Number 58
Name: KatieOh
Date: May 5, 2004 at 11:10:21 Pacific
Reply:

AOSCLAY,

Yes, both computers are Sony Vaio laptops! I'm in the process of downloading and running everything you mentioned above.

Thanks again for all the help and advice. You've been great!

Katie


0

Response Number 59
Name: GreenEyes
Date: May 18, 2004 at 18:48:45 Pacific
Reply:

AOSCLAY,

Thank you very much for all your help, my trojan horse is gone.

Katie, I hope your problems are soon solved.

Thank you again.


GreenEyes


0
