Router disconnection problems

MadCowDisease · #1 (**permalink**) 02-08-2006, 02:49 AM

Hi - my roommates and I have a 4-person network set up through a cable broadband connection. They are all ethernet wired, but I am wireless because I'm upstairs. All of us get disconnected periodically. It seems mine is anywhere from every few minutes to every half-hour or so. Because we all get disconnected, I don't think that it is a wireless problem. The disconnection always reconnects itself after a few seconds, but it gets very annoying, especially if I'm playing an online game.

I'm on a desktop running Windows XP, the router is a D-Link 774, I have a 2Wire wireless USB adapter with updated drivers. The firmware on the router is updated. Windows is updated except SP2 (afraid to install that...).

I changed my IP to static, turned the power control for my wireless to Off, turned off my windows firewall, tried opening some ports on my router.

I'm thinking it has to be a router problem because it is happening on all of our computers (3 desktops (2 Windows XP, one Windows 2000) and 1 laptop (XP)). I also don't think it is a wireless problem because, once again, we are all getting it and I used to be connected over ethernet cable. I don't know if my anti-virus program (McAfee VirusScan Enterprise 8.0) has a firewall - I couldn't find it if it does.

Here's my HijackThis log, even though I think it's a router problem. All the NetworkAssociates are McAfee.

Logfile of HijackThis v1.99.1
Scan saved at 9:12:19 PM, on 8/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\logonui.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Matteo\LOCALS~1\Temp\Rar$EX00.390\Hija ckThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration977.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINXP\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [taskdir] C:\WINXP\System32\taskdir.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140907628905
O16 - DPF: {825F6528-3FC4-477C-9999-4A1DCE2F9DD0} - http://surveygold.com/ftp/oneclick/setup.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://hickcam.sbu.edu/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B286E93F-2120-4556-B0BE-3DAA4DADB4E8}: NameServer = 192.168.0.1,192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

Any help would be much appreciated!

VopThis · #2 (**permalink**) 02-08-2006, 04:50 AM

Do all of the PCs also have the following Hijackthis line item?:

O4 - HKCU\..\Run: [TASKDIR] C:\WINXP\System32\taskdir.exe

Appears to be a trojan:

Name: [taskdir]
Status: X
File: taskdir.exe

Added by Win32/TrojanProxy.Lager.AQ http://www.eset.com/msgs/trojanproxylageraq.htm TROJAN! Read the link rootkit type stealth involved. Note: located in C: Windows System (Win9x/Me) C: %WINDIR% System32 (XP/WinNT/2K)
http://www.castlecops.com/startuplist-12923.html
---------------------------------------------------------------

Download and install Ewido anti-spyware 4.0 (uninstall any previous version first).

Click the Download BUTTON. On the next page click the Download now BUTTON.
Save and then install (Run) from the save location.
Open/Run ewido anti-spyware
Wait a few moments and Ewido should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:
Quote:
Click on the Update now LINK at the top of the window
Click on the Start update button

Wait for the update to download and install
This is very important to get the LATEST updates
Click on the Status ICON
- Under "Your computers Security"
  Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
Click on the Scanner ICON at the top of the window
Click on the Settings tab then select Recommended Actions and choose Quarantine
When updating has finished. Close Ewido.

We will be using this tool in a later step.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan:

Click on the default Status ICON and select the Scan now LINK.

OR
Click on the Scanner ICON . Select the Scan TAB.
- Select Complete System Scan. Ewido will now begin to scan your system.

If Ewido finds anything it will list them in the Preview WINDOW:
- Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
- Select Apply all actions at the bottom of the window (and the items found will be quarantined – and recoverable, if any items are needed back).
When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
Copy and paste the EWIDO scan results into your next post.
Close Ewido and REBOOT.

Post a revised HijackThis LOG, as well, please.

MadCowDisease · #3 (**permalink**) 02-08-2006, 10:51 PM

H-O-L-Y C-R-A-P!

I had no idea that I had that much crap on my computer. I consider myself to be pretty computer savvy, and I have automatic virus and spyware scans every few days, so when I see that I have all of these Trojans and stuff it is kinda strange. Ah well, I've always been told to use a few different apps to scan because 1 doesn't scan everything. Anyway, I haven't really been able to be on my comp a lot after the scan, but the internet cut out again while I was writing this, so I don't think it is fixed. Here's my ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:31:05 PM 8/2/2006

+ Scan result:

C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr7EFC -> Adware.Apropos : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/ln_reco.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/randreco.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/I3Q7Q9Q7/better_new[1].exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/THI3204.tmp/localNRD.dll -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/WINDOWS/localNRD.dll -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/WINDOWS/preinsln.exe -> Adware.BiSpy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Xcite.dll -> Adware.BrowsePal : Cleaned with backup (quarantined).
C:\WINDOWS\system32\OMsetup.exe -> Adware.ClientMan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cm1.dll -> Adware.ClientMan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\CometTB.exe -> Adware.EZula : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Freeze.exe -> Adware.EZula : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Xcite.exe -> Adware.F1Organizer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\szla2.exe -> Adware.F1Organizer : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/web_rebates/webrebates0.exe -> Adware.HelpExpress : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/web_rebates/webrebates0.to_be_deleted -> Adware.HelpExpress : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/istbar/istbar.dll -> Adware.MyTool : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/istbar/istbar.to_be_deleted -> Adware.MyTool : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/istbar/istbar.to_be_deleted_x -> Adware.MyTool : Cleaned with backup (quarantined).
C:\Program Files\PestPatrol\Quarantine\20050403121542.zip/WINDOWS/downloaded program files/webp2pinstaller.dll -> Adware.PeerNet : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/powerscan.exe -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/I3Q7Q9Q7/powerscan[1].exe -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/program files/power scan/powerscan.exe -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\SHAgent.dll -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ctbv2.dll -> Adware.Sahat : Cleaned with backup (quarantined).
C:\QUARANTINE\20051115000336.zip.Vir/Documents and Settings/Owner/local settings/temp/vvsninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\QUARANTINE\20051115000336.zip.Vir/Program Files/BearShare/Installer/saveinstwm.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/G5WXU3WP/sidefind13[1].dll -> Adware.SideFind : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/I3Q7Q9Q7/sfbho13[1].dll -> Adware.SideFind : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/sidefind/sfbho.dll -> Adware.SideFind : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/sidefind/sidefind.dll -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Downloads\GoldMinerSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/djtopr1150.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/web_rebates/disp1150.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/web_rebates/webrebates1.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/web_rebates/webrebates1.to_be_deleted -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\QUARANTINE\T-768605-Rosetta Stone Ultimate Multi-Language Disk - 26 languag.rar.Vir/Setup.exe -> Backdoor.IRCBot.dd : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/THI3204.tmp/polall1l.exe -> Downloader.Agent.ae : Cleaned with backup (quarantined).
C:\QUARANTINE\temp.frE37B.Vir -> Downloader.Apropo.w : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/G5WXU3WP/nem219[1].dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/WINDOWS/nem219.dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/internet optimizer/actalert.exe -> Downloader.Dyfuca.cr : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/internet optimizer/update/actalert.exe -> Downloader.Dyfuca.cr : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/local settings/temp/optimize.exe -> Downloader.Dyfuca.cy : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/internet optimizer/optimize.exe -> Downloader.Dyfuca.cy : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/internet optimizer/install.exe -> Downloader.Dyfuca.de : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/internet optimizer/update/install.exe -> Downloader.Dyfuca.de : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/THI1B5B.tmp/wupdt.exe -> Downloader.Intexp.a : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/THI6E44.tmp/wupdt.exe -> Downloader.Intexp.a : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/sidefind.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/I3Q7Q9Q7/sidefind[1].exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/sidefind/update/sidefind.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\WINDOWS\mgrsts.exe -> Downloader.IstBar.er : Cleaned with backup (quarantined).
C:\WINDOWS\oeunist.exe -> Downloader.IstBar.er : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/istsvc/istsvc.exe -> Downloader.IstBar.fr : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/istsvc/istsvc.to_be_deleted -> Downloader.IstBar.fr : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Program Files/istsvc/istsvc.to_be_deleted_x -> Downloader.IstBar.fr : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/Documents and Settings/Owner/Local Settings/Temp/conscorr.exe -> Downloader.Stubby.c : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/WINDOWS/conscorr.exe -> Downloader.Stubby.c : Cleaned with backup (quarantined).
C:\Documents and Settings\Matteo\Local Settings\Temp\cclj.exe -> Dropper.Agent.ail : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nostalgia1.dll -> Dropper.Agent.og : Cleaned with backup (quarantined).
C:\QUARANTINE\20040905002533687.zip.Vir/temp/installer2.exe -> Dropper.Delf.dj : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.83:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Matteo\Application Data\Mozilla\Firefox\Profiles\ecw7q2kz.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ufhwvj0c.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\QUARANTINE\A0000116.dll.Vir -> Trojan.Goldid : Cleaned with backup (quarantined).
C:\QUARANTINE\bsemyyms.dll.Vir -> Trojan.Goldid : Cleaned with backup (quarantined).
C:\WINXP\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup (quarantined).
C:\WINXP\uninstDsk.exe -> Trojan.Small.ev : Cleaned with backup (quarantined).
C:\QUARANTINE\T-202477-Learn To Speak Italian 2.8.zip.Vir/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).

::Report end

And here's my new HjackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:39:17 PM, on 8/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\WINXP\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matteo\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration977.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [taskdir] C:\WINXP\System32\taskdir.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140907628905
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {825F6528-3FC4-477C-9999-4A1DCE2F9DD0} - http://surveygold.com/ftp/oneclick/setup.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://hickcam.sbu.edu/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B286E93F-2120-4556-B0BE-3DAA4DADB4E8}: NameServer = 192.168.0.1,192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\System32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

See anything strange? I'll be back on later tonight to screw around with some stuff, but I just thought I'd post this now. Even if I can't get this resolved, thanks for showing me ewido and gettin' all that crap off of my comp!

VopThis · #4 (**permalink**) 02-08-2006, 11:51 PM

Many of the items found by EWIDO were already in quarantine. Keep such toolkit areas cleaned out from time-to-time (after several days of no consequences).

You also have no FIREWALL which SP1 made available and SP2 installed by default - very risky on todays Internet. You need to get your critical security updates (once you are clean) or your PC's healthy times may again be limited. You will need at least Service Pack 1 (SP1) applied to a healthy PC, as a minimum SP level.

Read over the following directions. Ask if anything appears unclear to you.

Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat

We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O4 - HKCU\..\Run: [TASKDIR] C:\WINXP\System32\taskdir.exe

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.

HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).

Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:

Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files

Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FILES:

C:\WINXP\System32\taskdir.exe

POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

MadCowDisease · #5 (**permalink**) 03-08-2006, 02:20 AM

Ok, here's what I did.

I turned off my firewall because I thought that it may be interfering with Battle.net (online game) and my router signal. I also "port forwarded" the appropriate ports and stuff and that still didn't help, so it probably doesn't have to do with my firewall. Turning it off didn't seem to help, so I'll turn it back on.

I have SP1 and the critical updates - just not SP2 because I heard (and witnessed - I used to work in Tech Services for my college) that it could cause a lot of problems. I have autoupdate on for windows, so everything should be fine with that. I just checked myself and the only update was the genuine advantage tool to check if my windows is pirated, which it isn't.

cleanmgr.exe froze every time I tried to run it in safe mode. I tried to run it and after 20 minutes the status bar was still at about half an inch and nothing had changed so I closed it, had to kill the process in taskmanager, and reran it. The same thing happened again. I rebooted and tried again with the same results.

I deleted my temporary internet files manually, but i was afraid to go into windows/system and delete things in the temp folder.

I ran clean.bat and didn't have any errors.

taskdir.exe was not in my system32 folder. I looked for myself and ran a search in the system32 folder and both didn't locate anything. I assume it got deleted with the other viruses as it is also no longer in my HijackThis log. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:58:31 PM, on 8/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matteo\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration977.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140907628905
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {825F6528-3FC4-477C-9999-4A1DCE2F9DD0} - http://surveygold.com/ftp/oneclick/setup.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://hickcam.sbu.edu/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B286E93F-2120-4556-B0BE-3DAA4DADB4E8}: NameServer = 192.168.0.1,192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\System32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

I'm still having random disconnects. I disconnected four times while writing this post (w/in about 15 minutes).

I'm not sure if this would affect anything, but I have a parallel install of 2 Windows XP's on my comp. My old one got screwed up because I accidentally used a Dell Windows CD to restore my windows and my comp is an HP. Since it wouldn't let me log back on because windows was corrupt, i just parallel installed another version of windows (the C:\WINXP instead of C:\WINDOWS). Not sure if that changes anything, but I just thought you should know.

BTW thanks for all your continued help! I'm not sure what else to do! I'm thinking it HAS to be a router problem...

MadCowDisease · #6 (**permalink**) 03-08-2006, 04:12 AM

I fixed my disk cleanup utility. It had something to do with a bad registry value.

I'm still getting disconnected

. Although it seems like not as often maybe? Hard to tell, but only once in like half an hour whihc seems like an improvement.

VopThis · #7 (**permalink**) 03-08-2006, 04:47 AM

Your hijackthis LOG now appears to be clean.

Quote:

I'm not sure if this would affect anything, but I have a parallel install of 2 Windows XP's on my comp. My old one got screwed up because I accidentally used a Dell Windows CD to restore my windows and my comp is an HP. Since it wouldn't let me log back on because windows was corrupt, i just parallel installed another version of windows (the C:\WINXP instead of C:\WINDOWS). Not sure if that changes anything, but I just thought you should know.

Let me get this straight. You reinstalled a random version of XP on a HP (after first trying a DELL disk). Is the current version even legitimate let alone uncorrupted. Also, if this PC was on Service Pack 1, it would be reflected in a HijackThis line items as follows:

Platform: Windows XP SP1 (WinNT 5.01.2600)

There are too many potentially loose ends and unknows here. Do any of the other PCs have any similar infections since they are all experiencing the same behavior? Are any of the other PCs verifiably on SP1 or better?

Quote:

I'm thinking it HAS to be a router problem...

I see you are pursuing that possibility in our 'Firewalls and Networking' Forum. But the loose ends above do not completely support any conclusive justification for any particular line of investigation.

MadCowDisease · #8 (**permalink**) 03-08-2006, 05:32 AM

I installed the same version of Windows XP that was on my computer before I parallel installed, but the new version is not corrupted. The way that my original XP got corrupted was when I accidentally used a Dell windows CD (which was in my box of computer stuff for some reason) on my HP computer. It wouldn't let me start up my computer past the first few screens because of BIOS differences between dell and HP, so I just did a parallel install of windows, the same version that i had before, so that the BIOS would be set properly.

It ran perfectly, in fact much better than before, until I moved into an off-campus house. I was fine at school in the dorms as well as at my house, meaning I did not get disconnected frequently, but now that we set up this off-campus house network, we all get disconnected all the time.

My windows version is Version 5.1 (Build 2600.xpclnt_qfe.021108-2107)

I don't see how it could be offering me service pack 2 if service pack 1 is not installed, but i guess it is possible that 1 is not necessary to install 2.

I know at least 1 of the computers being disconnected is on SP1 or better.

I'm going to have my roommates download the ewido and see if they have the same infections.

VopThis · #9 (**permalink**) 03-08-2006, 06:04 AM

Quote:

I don't see how it could be offering me service pack 2 if service pack 1 is not installed, but i guess it is possible that 1 is not necessary to install 2.

Just make sure that you have a stable PC (clear of malware) and the cumulative upgrade to SP2 should go well.

Have you considered moving the router's location in case there is the potential for nearby electrical interference issues?

MadCowDisease · #10 (**permalink**) 03-08-2006, 06:17 PM

i'll upgrade to SP2 now that my PC is clean.

ya, i wanted to move the hub, but this campus house is one of those old houses and the only cable line outputs are in the same area (living room and a room right next to it where the hub is now).