tvm.upd file found, ???

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ncroots, Jul 14, 2004.

  1. ncroots

    ncroots Private E-2

    Have found four additional files; three for certain were part of the TVMedia hijacker that no deep-scanning program picked up. The fourth is tvm.upd, which I am uncertain is related or not. The other three were dll files.

    Does anyone have any idea what this upd file is? An internet search for it turned up nothing.
    Thanks in advance. Best regards. Nancy.
     
  2. TheLastMessenger

    TheLastMessenger Private E-2

    I'm not familiar with it. I'd say it's bogus and probably related to your TVM hijacker. How is everything running?
     
  3. ncroots

    ncroots Private E-2

    Not good. This a.m. I couldn't even reply or post new to this forum. I had to reduce my security to allow the WYSIWYG Editor to activate (why it deactivated I don't know) to get into this pane. But at least that initialized again, so I can at least read and respond here.

    I'm still getting a redirect however:
    res://C\WINDOWS\System32\shdoclc.dll/dnserror.htm#http://www.majorgeeks.com

    I've deleted the other TVM dll files successfully. They were initially in the TVMedia folder in Programs but they also were hiding in Documents and Settings in another folder. None of the scans picked this up; I found them by doing a manual scan on the C: drive for the word "tvm."

    I've done quite a bit of system checks, the latest a check disk in safe mode which successfully completes only 4 of the five stages. In the 5th stage, file data, it freezes up at one percent completed.

    All deep scans (with files updated) come up empty except for the DSO Exploit bug in Spybot S&D. Programs are running that I have not "started." Some I have never even used. IE often freezes and even Task Manager does not work when that happens. I have to pull power and reboot.

    The biggest problem with the initial or residual effects of this TVMedia Hijacker is that even if someone gives you a link for a download or an info site, IE will not take you there. If it does (after dozens of attempts), it often freezes up. You have to start all over again.

    I have tried to do a repair with my Reinstallation CD of WindowsXP but get an error message that "unregmp2.exe - entry point not found, procedure entry point GetIUMS could not be located in the dynamic link library MSDart.dll"

    I have re-downloaded the service packs and critical updates from Microsoft. I got this error message: "C:\WINDOWS\Service Pack Files\i386/controls.man could not be found - source file KB839645"

    I'm at a total loss at this point. I'm a user, not a programmer or techie. I have tried to be very careful with all of the instructions given me to get rid of the hijacker but I fear I deleted something I shouldn't have or a critical file was corrupted in the process. I just don't know at this point. I've been at it for three full weeks now and I'm losing business fast. This is my home office.

    Please, someone help. I know you have a lot of problems on the board but so many of them get solved and mine is just getting worse.

    I know you need the HijackThis log to see what I'm running (ignore all the programs running please unless you can tell me how to get them off the "run" list; attempts to do this even with system restore off at reboot have failed).

    Thanks in advance for any help or guidance. Best regards. Nancy.

    Logfile of HijackThis v1.98.0
    Scan saved at 10:25:57 AM, on 7/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\tbctray.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - http://www.stamps.com/download/us/registration/2_0_0_745/sdcregie.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.ireland.travel.ie/seeireland/software/svideo.cab
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
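As an added example (not code from the thread, from HijackThis or from MajorGeeks), a small Python triage script for log lines like the ones above: it separates the R/F/O entries from the process list, flags "(no file)" orphans such as the R3 URLSearchHook line, Run entries that give only a bare executable name, and O16 ActiveX downloads by host. The embedded SAMPLE_LOG is an excerpt of the log posted above; the flag wording is the example's own.

```python
"""Triage of HijackThis log lines.

Added example, not from the thread or from HijackThis itself.  It parses
the R/F/O entries a HijackThis log prints and flags the cases discussed in
the thread: entries pointing at a file that no longer exists ("(no file)"),
Run entries that name a bare executable, O16 ActiveX downloads, and O10
Winsock/LSP lines.  SAMPLE_LOG is an excerpt of the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

LINE_RE = re.compile(r"^\s*([RFO]\d{1,2})\s+-\s+(.*\S)\s*$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r'^"?[A-Za-z]:\\')   # absolute path, optionally quoted

SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - http://www.stamps.com/download/us/registration/2_0_0_745/sdcregie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
"""


@dataclass
class Entry:
    section: str                   # "R0", "O2", "O4", ...
    body: str                      # everything after "O2 - "
    clsid: Optional[str]           # first {GUID} on the line, if any
    target: Optional[str]          # file path or URL the entry points at
    flags: List[str] = field(default_factory=list)


def _target(section: str, body: str) -> Optional[str]:
    """Extract the path/URL; HijackThis lays each section out differently."""
    if section == "O4":                        # "[Name] C:\path\prog.exe args"
        m = re.match(r"^[^\]]*\]\s*(.*)$", body)
        return m.group(1) if m else None
    if section.startswith("R"):                # "...,Start Page = http://..."
        _, sep, rhs = body.partition(" = ")
        return rhs if sep else None
    if " - " in body:                          # "Name - {CLSID} - C:\path.dll"
        return body.rsplit(" - ", 1)[1]
    return None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a section line, None for headers/process lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    g = GUID_RE.search(body)
    e = Entry(section, body, g.group(0) if g else None, _target(section, body))
    tgt = e.target or ""
    if "(no file)" in body:
        e.flags.append("orphan: the file it points at is gone; entry can be removed")
    if section == "O4" and tgt and not DRIVE_RE.match(tgt):
        e.flags.append("unqualified path: resolved via search path, check which file runs")
    if section == "O16" and tgt.startswith("http"):
        e.flags.append(f"ActiveX control fetched from {urlparse(tgt).hostname}")
    if section == "O10":
        e.flags.append("Winsock LSP chain entry: review with LSPFix before touching")
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("entries per section:", section_counts(ents))
    for e in flagged(ents):
        print(f"{e.section}: {e.target or e.body}")
        for f in e.flags:
            print("   ->", f)
```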
     
  4. Kodo

    Kodo SNATCHSQUATCH

  5. ncroots

    ncroots Private E-2

    Yes, I have read all of your tutorials and advice stickies. For three weeks I've been reading them. My system was initially hijacked 25 June. I've been posting ever since.

    The new software you advise me to upload does not seem to address my problem, or does it? I don't have any remaining "random" .dlls that I can see. I originally had the TVMedia Hijacker. The dlls that I've already removed are the following:
    tvm.exe, tvmcove.dll, tvmbho.dll, tvmcwrd.dll, tvmknwrd.dll, tvmuknwrd.dll and I still have a tvm.upd which I am unsure of but it's in my recycle bin.

    The shdoclc.dll seems to be a valid MS file that is getting a dnserror, so whatever the target, it clogs up and can't find the IP address. Or, at least that's what I make of it at this point. But I just don't know. I need someone to be specific. Does anyone know of this file and whether it's valid or not?

    In my system I have the shdoclc.dll residing in four places:

    1. i386 - says its internal name and original version is shdocvw.dll, created by Microsoft Sunday, September 29, 2002, 10:01:57 AM but modified Monday, March 04, 2002, 8:09:46 PM (how can something be modified six months before it is even "created"?)

    2. My Documents - does not identify itself, created 30 June 2004

    3. c:\WINDOWS\System32 - says its internal name and original version is shdocvw.dll, created by Microsoft 25 June 2002 (two years ago)

    4. c:\WINDOWS\System32\DLLCache - says its internal name and original version is shdocvw.dll, created by Microsoft Tuesday, June 25, 2002, 5:46:04 PM (two years ago..)

    If I hit "go" enough times on the address bar I (sometimes) eventually get the site I want.

    Are you saying it is an invalid file that I should delete? The redirect is exactly as I typed it, no digits or numerics have been left off from what I sent.

    I have over a dozen spyware, adware, firewall, spy-blocker and antivirus programs running now. Every time I load a new one, more problems arise. Please, I know it's a pain, but with the redirects, the links people post are difficult to get to. If you can explain in plain English why I should do something...

    What in all of the stuff I've sent do you see something wrong with? I was previously advised that I did not have the "About:Blank" thingy. Are you saying I now have it and none of the programs have picked it up?

    Best regards. Nancy.
    PS: If this is a system problem now and I should not post here anymore, please advise me.
     
  6. Kodo

    Kodo SNATCHSQUATCH

    Scratch my last post.
    Let's try to fix the errors stated here first:
    let's start with downloading and installing this
    http://www.microsoft.com/downloads/...e3-c795-4b7d-b037-185d0506396c&DisplayLang=en

    and then downloading and installing this
    http://www.microsoft.com/downloads/...8E-666B-4C82-A9ED-FC0F84F107BA&displaylang=en

    then we'll try repair again...
     
  7. ncroots

    ncroots Private E-2

    OK, I've downloaded and installed both. What next? (Browser still redirects)
    Thanks. Nancy.
     
  8. Kodo

    Kodo SNATCHSQUATCH

    now try your repair
     
  9. ncroots

    ncroots Private E-2

    Reloaded XP. Browser would not allow me to connect to MS before reload so I assume at this point the next step is to go get the critical updates. In safe mode or normal?
    (Browser still redirecting).
    Thanks. No error messages this time from XP disk.
    Nancy.
     
  10. Kodo

    Kodo SNATCHSQUATCH

    ok, I wanted to get rid of those errors first. I knew that wouldn't fix your redirection, but it may have popped up at a later date anyway.
    So, it's a good idea to get all the updates.. but they are not going to fix your redirection problem.

    I'm 5 minutes from grabbing dinner so bear with me and I'll come back and look at it..
     
  11. ncroots

    ncroots Private E-2

    ok. I downloaded all of the critical updates, including the Service Pack1 which took forever. I didn't get any error messages from that but with the rest I got the same about KB839645 which, after everything else loaded (after reboot and after all of the other updates loaded), I reloaded again to make sure it was the most pure of whatever is in there.

    OK, now what?
    Thanks Kodo for sticking with me, that's what I need. I've over-explained this too many times, to too many people, with minimal results. I need someone to track this.
    Thanks again. Nancy.
     
  12. ncroots

    ncroots Private E-2

    I've reloaded some of the other components (non critical) that apply to the programs that I may or may not want to run but are on my pc. The irony is that many are running and I've never used them. Not once. How they got onto the startup menu I have no idea, but task manager says they are running. So be it. Back to the original and persistent problem, if you are willing to stick with me Kodo.

    What do you want from me now? Please specify whether you want a log in safe mode or with system restore turned off, etc. Please understand that I've been at this a long time and that so many folks (well intentioned) have given me directions contradictory to the other(s) so I am profoundly confused at this point (although technically proficient at getting into the system and doing what I'm told to do) and I certainly do not want to do any more damage than has been done already. Not that you would do that... I just want to invoke the MDs credo: do no harm...

    Hope you enjoyed your dinner. Best regards. Nancy.
    PS: Please stick with me and respond....
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kodo,

    Back on 7/2/2004 in this thread: http://forums.majorgeeks.com/showthread.php?t=36207
    I made a reference to look at this: http://www.generation.net/~hleboeuf/shdoclc.htm

    Look at the top of the page under the DNSerror.htm title. While it makes references to Win98 the problem description is the same. And in the Solution it states:

    "the problem comes from a bad deinstallation of new domain (a spyware come with Kazaa). I downloaded the uninstall program that came from their web site and then I can access to the internet back. It was New Net a parasite. http://www.new.net/support/uninstall4_80.exe. Yours may be different. "

    This may still be worth checking into. See these on NewDotNet and the problems
    http://www.doxdesk.com/parasite/NewDotNet.html
    http://www.cexx.org/newnet.htm

    also see this: http://www.new.net/help_faq.tp#p4 item number 5.
    also go here and see procedures for uninstall especially the exe in Procedure 4:
    http://www.newdotnet.com/

     
  14. ncroots

    ncroots Private E-2

    Kodo & ChasLang:
    I read it. I agree, it is my problem. Or at least it appears to be.

    The previous time I could not access those websites no matter what I did. Which, as I explained before, is the major headache of this problem. If you can't get to the site, you can't read the material or download anything.

    This time I could. I've learned to trick this sucker a little bit into eventually getting me to where I want to go.

    I downloaded and executed the first uninstall and at reboot it seemed to work. Briefly. Rebooted again and it was back. I downloaded and executed the second uninstall file. At reboot I was still experiencing the same redirect. I searched my system and I cannot find any remaining new.net (or newdotnet) files (if I ever had them??). I don't recall ever having that program. News to me.

    Should I try running lspfix? It was mentioned in one of the pieces and I've downloaded the zip file successfully but haven't run it yet. I'm getting wary of running all of this stuff now. Some of it works, some seem to make things worse...

    I don't have Kazaa. I have nothing they reference in either my programs file or in the add/remove programs list (newdotnet files or programs)
     
  15. ncroots

    ncroots Private E-2

    I just found this fix on another site and would like someone to review it:

    http://forums.techguy.org/t244639.html

    "I had this same problem because like an idiot, I was trying to remove spyware to rid of the about:this homepage problem. I tried everything. Then I tried lspfix which lists components (dlls) that are being used on your pc - like a knucklehead, I just deleted them, assuming they were bad. They were not and then I got the error you get every time. I found a forum with the fix and I will need to find it again, but the suggestion (with perfect results) was to go into the control panel and the network tab and remove all the adaptors and protocols that are listed...sounds scary, but it works. It will ask you to reboot; say no. Then you go to Add/Remove programs and to the set up tab and uncheck the communications tab. If asked to reboot - say no. Now you need to go to the registry and delete the winsock2 folder. So, go to Start - Run - and type in regedit. I forgot where it is in there, but will post back late tonight when I get home. I have the instructions printed out. Anyway, after you delete that, then reboot. Upon reboot, windows will find new hardware like your network card etc...depending on what you got, you may have to insert a floppy with drivers. I didn't have to put in windows cd. It took care of everything except my network adaptor card. It asked for the floppy. I selected the driver and that was it. Now I am back up and running like a top. It took me all of 10 mins and I was elated, thinking that I'd have to reformat my hard drive.
    HERE IT IS: Delete the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock and \Winsock2 keys from the registry. (Start, Run, Regedit, Find, winsock)"

    Can this method do any further harm? Sounds scary.
    Best regards. Nancy.
     
  16. ncroots

    ncroots Private E-2

    Bump. I left another post but it seems to have disappeared. ???

    Best regards. All help appreciated. Nancy.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure about all that and what the person has written is not very clear either. For example, there is no such thing as a Network tab in Control Panel. There is a Network Connections icon. But you have to do some clicking and navigating to get to the point where you remove the drivers and protocols. Also in Add/Remove programs there is no "set up tab" where you can "uncheck the communications tab".

    I have heard similar reports on what this user is poorly explaining to do, that have worked for people. It's basically setting up your hardware and drivers all over again. You better be sure you have everything you need (like driver disks etc) just in case the already installed ones have problems after reboot. But I don't know if this will cause you any other problems with other software that may already be hooked into the LSP chain. This is not an area that I know a lot about. Perhaps you could PM Kodo to get him back here. Also Adrynalyne may be helpful here. It does sound like a possible broken Layered Service Provider (LSP) chain which LSPfix can sometimes be used to repair but you need to know what you are looking for. I'm surprised that HijackThis does not show anything about a possible broken LSP chain though. Normally if broken you get a message in the O10 section.
     
  18. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    well that took some reading through, and to be honest some of the stuff from across the internet is pretty random and seems fairly harsh to me
    forgive me if you've already listed some of this information, how do you connect to the internet and what kind of connection is it,
    can you please run lspfix by double clicking the exe file, don't do anything else yet, just copy all the items listed in the left hand pane then close the program by clicking the cross in the top rh corner and paste the results here
    BTW often you can repair problems like this by uninstalling and re-installing your ISP software,
    please answer these questions and we can take it from there, stick with it and I'm sure we can solve it
    just a thought, do you have any other user accounts on your machine and if yes, can you access the internet with those?
     
  19. ncroots

    ncroots Private E-2

    Thanks ChasLang for sticking with me. I know, the directions on that post do not seem to address the problem in XP as there are no such "buttons" or "tabs." Can you recommend another forum (Geek or other) that may know something about fixing this, specifically in XP? I've checked the MS site and it is pretty useless. Again, they assume you know what they are talking about (code words), which of course I don't. I do have all of the driver disks I think. At least I'm pretty organized that way... I just need to have someone walk me through it carefully so I don't do anything stupid.

    You have been great. I really appreciate the help with all of the hijacker and parasite problems. It seems my machine is now clean of that stuff. Now I need to fix this part. Any advice on who may be able to help would be appreciated.
    Best regards. Nancy.
     
  20. ncroots

    ncroots Private E-2

    Dear General Lee Stoned

    Thanks for responding. I'll log off now and do what you say. My ISP is Optimum Online, a cable modem. I have disconnected it several times in previous instructions about getting rid of the hijacker. But, I have not as yet tried reloading the software (didn't even think of that!). Give me a minute and I'll be back with the other answers.
    Best, Nancy.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah! I saw the General on line and PM'ed him. Thanks for jumping in General! ;)

    By the way, as far as I know Optonline does not really require any software. You really can just use IE (or other browser) and Outlook Express (for use with their email). I know they give you other stuff but it is not like installing a whole ISP configuration program like AOL.
     
  22. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi Chas, can't say I know much about Optonline, must be an American thing I guess :eek:
    @Nancy ok I'll wait for your reply before we go any further :)
     
  23. ncroots

    ncroots Private E-2

    OK, my lspfix file said this:
    mswsock.dll - tcpip
    winrnr.dll - TTDS
    nwprovau.dll - NWLink IPX/SPX/NetBIOS
    rsvpsp.dll - (Protocol handler)

    Optonline does have a disk but I think ChasLang is correct, it's basically a setup for the service, not really a software piece except for the configuration for their email client (optonline.net), which I don't use. I use Worldnet (AT&T) and Outlook Express. IE for my browser (unfortunately). I think with their email you have the built in choice of Outlook or Outlook Express. I'm not aware of any others or any other browsers.

    I went to the other (newly created by the way when I reloaded WindowsXP) identity and the redirect is still there in IE. Boo.

    I was, at one time, set up with AOL as well but I dumped them a few years ago. Long before this started. ??? I don't know if that has anything to do with anything but I thought I'd mention it. Despite uninstalling aol, I have 134 files that still identify with aol. Go figure.

    There is still a winsock.aol file on my system. Just in case this means anything, it's in c:\FTW (which is a genealogical software program). Others are:
    C:\I386/WINSOCK.DLL
    C:\WINDOWS\SYSTEM32/winsock.dll
    C:\WINDOWS\SYSTEM32/DLLCACHE/winsock.dll
    Again, I don't know whether this is helpful, but it can't hurt... ;)

    So, that's that. It (the redirect) seems to be system wide, not just with my identity.
    I'll await your advice. Best regards. Nancy.
     
  24. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    hmm this sure is a strange problem, are you using a network at all?
    if not, can you press CTRL-ALT-DELETE and end this process if you see it: snmp.exe, then try connecting to the internet
    we really need to try this before we go any further, but if you are not networked you do not need this protocol installed
    nwprovau.dll - NWLink IPX/SPX/NetBIOS
    or do you use Novell Netware?
     
  25. ncroots

    ncroots Private E-2

    I'm not on a network at all, it's just a standalone Dell PC. But, WindowsXP does come with an awful lot of networking software that I have no use for.

    snmp.exe was running and I ended that task. You would not believe how many things are running that not only have I no use for, I've never asked for them to be a running process. This is one of the weird things that has happened.

    I went to Add/Remove Programs to see what was checked and it seems as though on my last reinstall of WindowsXP the following three boxes (in Windows Programs) got checked:
    Management and Monitoring Tools
    Networking Services
    Other Network File and Print Services
    Again, how these got checked (unless they are a default), is beyond me. Should I uncheck? and remove them? Or are some parts necessary for Messenger or other programs? It also has MSN Explorer which seems redundant to me since I use IE...
    I closed IE and was able to get it back. Redirect is still there though. :( I know we aren't to that point yet...

    I'll await your advice...
    Best regards. Nancy.
     
  26. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi Nancy ok this is starting to make some sense, none of those windows components are needed for your present set-up so please uninstall those through add/remove windows components then reboot
    then before I go anywhere else with this, I've just re-read through this thread and forgive me if I'm wrong but it seems you are running Norton Internet Security and Zone Alarm at the same time, not a good idea, please disable one or the other then attempt to access the net, if this doesn't work log off, then log in and try following the same procedure but the other way around
    let me know how this goes, if after doing these things you still have no luck re-run LSPFIX and if this line is still there
    nwprovau.dll - NWLink IPX/SPX/NetBIOS
    check the box "I know what I am doing" and select that line and use the arrow to send it to the remove box, select finish, if the line has gone just select finish to reset everything making sure nothing is in the remove box ;)
    exit the program, reboot and try your internet connection
    if still nothing then we are going to have to get down and dirty and start uninstalling/reinstalling :(
    don't worry we'll get there :D

    I'll await your reply
     
  27. ncroots

    ncroots Private E-2

    OK, General Lee, before I go any further... Should I also uncheck the MSN Explorer? Like I said, it seems redundant but I don't know what else it runs other than its own MS branded browser. ???
    I already unchecked the other three and when I rebooted they were still unchecked. So that is good I guess.
    Also, Norton Internet Security seems to be the more troublesome for me vs. Zone Alarm. Meaning, as a user, it has an inordinate overabundance of popups that, given my settings, should not pop up and annoy me all of the time. But, I do pay for it. I'm not certain how to disable it without disabling Norton Anti Virus (sold to me as a package) but I'll go in and look. WindowsXP also has a firewall. Should I disable it as well and just go with Zone Alarm or Norton?
    Funny thing is that I've been running both Norton and Zone Alarm for at least two years with no problem. Until now of course.
    Please advise and I will proceed with other instructions.
    Thanks to the moon General. Best. Nancy.
     
  28. ncroots

    ncroots Private E-2

    General?
     
  29. TheLastMessenger

    TheLastMessenger Private E-2

    Nancy,
    If deemed necessary or worthwhile by some MGeeks experts:

    I don't think we've seen enough about what programs you're running on your computer... I think it would be a good idea to have a list of those items via some other freeware... I might use RegCleaner 4.3 by Jouni Vuorio, saving the Software page as text, and also it would be good to see your Adaware scan.

    Did you back up your registry? I think we can get rid of those DOS exploits:
    1) Run SpyBot
    2) Go near the Registry icon and Right Click and go to JumpToLocation
    3) You are now here -- Software\Microsoft\Windows\Current Version|internet settings\Zones\0\1004!=W=3
    4) Make sure you're in the '0' folder and Right Click the 1004 key and export it to your documents (just in case), then Right click again and delete it
    5) Right click some open space in the '0' folder and choose new DWORD
    6) Name this new key 1004 with a value of 3 in hexadecimal
    7) Do this to all your DSO exploits. Your icons will change from a brown AB to blue #'s, most likely
    8) Run SpyBot again until you get them all
    Another Way to get to the registry is by Right Clicking open space on desktop and going to the Shortcut key and typing in 'regedit'.

    The truth is these DSO might just be FalsePositives like someone else mentioned earlier

    Now, I think it would also be good to know what viruses/trojans the online scans picked up... I read all your posts in various threads and it seems that you might not even be sure... correct me if I'm wrong... the reason this is important is it might help someone locate the missing link or links.

    I would think that removing all of those AOL files would also be a good idea... I don't think deleting all of the winsock and winsock2 folders should be done... there could be some valuable keys in there... not sure though.

    Also what programs have you removed so far and what various other goodies? Have you run Adaware with all hidden files, operating system files, and extensions showing? Sorry for the redundancy but don't want to miss nothin.

    Also in your HJT this can be deleted again
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    Like was said, this file 'nwprovau.dll' and your network settings don't make sense, and I'm wondering how the rest of your basic internet settings are looking?

    These are just some of my suggestions and aren't to be bothered with unless Chaslang, GeneralLeeStoned, or some other more experienced MGeek thinks they could prove useful... GLS seems to be fixing the problems as is so I don't want to knock this thread off course.
     
  30. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi Nancy, sorry I had to go to bed last night :)
    Anyway, yes, you can remove MSN Explorer, it's not needed. Seeing as you've had Norton and Zone Alarm for a while we can probably forget that. Please do as I suggested with LSPFIX.
    Now if you are still having problems we need to check that your Winsock 2 is not damaged. There are two ways to do this, please read these instructions from Microsoft here:
    http://support.microsoft.com/?kbid=811259
    Now if you determine that your Winsock is in fact damaged, you can either fix it manually by following the instructions there or, if you feel uncomfortable with this, download and run this:
    http://www.spychecker.com/program/winsockxpfix.html

    Okay, let me know how this goes :) Sorry if it all seems a bit complicated; unfortunately troubleshooting over a message board can seem like a never-ending story. But believe me it's frustrating for all of us, it would be so much easier if I had the machine here, but stick with it and we'll get it sorted ;)
     
  31. ncroots

    ncroots Private E-2

    Good Morning all, good afternoon for those of you in earlier time zones! :)
    (Sleep is good...)

    OK. I ran lspfix and deleted the NWLink IPX/SPX/NetBIOS. Gone. I also removed MSN Explorer in the Add/Remove Programs. I rebooted.

    I printed out both of your messages and am taking it one step at a time. I went to MS and printed out the "How to determine and recover from Winsock2 corruption" MKBA811259. I first tried to download the Windows XP Support Tools in order to use the Netdiag tool. In the middle of the download Norton sends me a very mean warning, "Malicious Script Detected":
    Object: File System Object
    Activity: GetSpecialFolder
    File: MsiExec.exe

    I cancelled and backed out.

    I then tried method #2, using the msinfo32 program. Expanded components, expanded network, clicked protocol. The MS piece said I should have only ten sections; I have 17! Most of it is the nwlnk stuff. They say the NWLink installs 7 more, which accounts for the 17. I have saved the file if you need to see it.

    So, I obviously have a corrupt winsock(s) and removing the network stuff in add/remove programs and removing the nwlnk in the lspfix did not straighten this out. I am going to try the instructions in the MS memo to manually remove and restore them. I hope it works. I'll let you know.
    Best regards. Nancy.
     
  32. ncroots

    ncroots Private E-2

    OK, I did everything as instructed. Twice in fact. Something is still not right, however. Redirect is still active. I went back into Msinfo32 and there are still 17 sections with the Nwlnk stuff still there. Yes, I rebooted after each action. Should I have turned off system restore?
    Best regards. Nancy.
    PS: Winsockxpfix fixed nothing either.
     
  33. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    OK, hi Nancy.
    Well, that's a pain. Been looking, seems you've had this problem for several weeks now, guess it must be really pissing you off :(
    What I want you to do is try reinstalling your Dial Up Networking protocols.
    So go to
    Start-Run-and type command-then press ok
    At the DOS window, type netsh int ip reset c:\tcpipreset.txt
    then press Enter. Don't worry if nothing happens, it will take a minute or so to rebuild your TCP/IP stack. Once the flashing cursor comes back type Exit then Enter.
    Reboot and try your internet connection, keeping your fingers crossed.

    If this doesn't work, can you just do a test for me: again go to Start-Run-and type command-press ok
    In the DOS window type ipconfig> \text
    then Enter. Once the cursor returns type exit and Enter. Now go to My Computer and double click your C drive and you will see a file called text; right click and open this file with Notepad, then copy and paste it all here in your next post.

    I'll await your reply, but please be patient as I'm pretty busy at the moment, but I'll keep an eye out :)
     
  34. ncroots

    ncroots Private E-2

    Dear General:

    Thanks for sticking with me. I had to take a break and a short overnight trip as well so don't feel pressured. Yes, I've been at this for weeks now. This is Monday? I'm on my fourth week. I'm over being pissed off at this point. I just want to resolve it safely without crashing my whole system. Although I would dearly love to serve on the jury that arrests one of these cretins for creating these browser hijackers. Fifty years to life would be my sentence! :)

    Anyway, it's been lightyears since I've done any work in DOS. To say the least. So, first off I get the string:
    C:\DOCUMEN~1\NANCYC~1\
    typing your instructions after that appears to do nothing except return me to the same line again. I forget how to change this, forgive me. (The window header toolbar does say C:\SYSTEM32\command.com)
    I know I have to change this string (the first one) but don't know to what or how to do it. Sorry.
    Best regards. Nancy.
     
  35. TheLastMessenger

    TheLastMessenger Private E-2

  36. ncroots

    ncroots Private E-2

    Thanks so much. Egg on my face for not remembering that. Like I said, it's been eons since I've had to use DOS.

    Thanks again. Best regards. Nancy.
     
  37. ncroots

    ncroots Private E-2

    Dear General:
    First idea failed. Redirect still active.
    Second idea succeeded, results follow:
    Windows IP Configuration

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 24.186.100.85
    Subnet Mask . . . . . . . . . . . : 255.255.248.0
    IP Address. . . . . . . . . . . . : ?
    Default Gateway . . . . . . . . . : 24.186.96.1

    Looks like I'm missing something important... :(
    I'll await your advice.
    Thanks again to all who are helping. Best regards. Nancy.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nancy,

    I'm just guessing but I believe that the General may have meant for you to type
    ipconfig /all > \text

    That gives more information. It would not hurt to do it and post that text file.
     
  39. ncroots

    ncroots Private E-2

    Thanks Chaslang, here it is:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ncroots
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
    Physical Address. . . . . . . . . : 00-08-A1-2A-60-D9
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 24.186.100.85
    Subnet Mask . . . . . . . . . . . : 255.255.248.0
    IP Address. . . . . . . . . . . . : ?
    Default Gateway . . . . . . . . . : 24.186.96.1
    DHCP Server . . . . . . . . . . . : 167.206.3.212
    DNS Servers . . . . . . . . . . . : 167.206.3.212
    167.206.3.211
    167.206.3.146
    ?
    ?
    ?
    Lease Obtained. . . . . . . . . . : Monday, July 19, 2004 5:19:27 PM
    Lease Expires . . . . . . . . . . : Friday, July 23, 2004 5:19:27 AM

    Tunnel adapter 6to4 Tunneling Pseudo-Interface:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 6to4 Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 18-BA-64-55
    Dhcp Enabled. . . . . . . . . . . : No
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : ?
    ?
    ?
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Thanks again everyone for sticking with me.
    Best regards. Nancy.
     
  40. ncroots

    ncroots Private E-2

    Ping, ping, ping.

    Kodo, Chaslang, General, Major.

    Don't lose me now guys. You'll send me to page two again...
    We're on the home stretch I hope...

    Best regards, Nancy.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Send the General a PM and wait for him to come back. He did say he was rather busy. I'm not sure exactly where he was headed with this.
     
  42. ncroots

    ncroots Private E-2

    Will do, thanks.
     
  43. Kodo

    Kodo SNATCHSQUATCH

    Jeez, I totally forgot about this thread. Sorry..

    Ok, so I reviewed what you and the Gen were talking about and I would suggest running this to fix the corrupted winsock.
     
  44. ncroots

    ncroots Private E-2

    Unfortunately, Kodo, I've tried the winxpfix several times and it does not seem to fix anything. I've asked this before, do I need to turn off system restore?

    Here is the latest ipconfig log:


    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ncroots
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
    Physical Address. . . . . . . . . : 00-08-A1-2A-60-D9
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 24.186.100.85
    Subnet Mask . . . . . . . . . . . : 255.255.248.0
    IP Address. . . . . . . . . . . . : ?
    Default Gateway . . . . . . . . . : 24.186.96.1
    DHCP Server . . . . . . . . . . . : 167.206.3.212
    DNS Servers . . . . . . . . . . . : 167.206.3.212
    167.206.3.211
    167.206.3.146
    ?
    ?
    ?
    Lease Obtained. . . . . . . . . . : Tuesday, July 20, 2004 11:18:45 AM
    Lease Expires . . . . . . . . . . : Friday, July 23, 2004 11:18:45 PM

    Tunnel adapter 6to4 Tunneling Pseudo-Interface:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 6to4 Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 18-BA-64-55
    Dhcp Enabled. . . . . . . . . . . : No
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : ?
    ?
    ?
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Does this indicate anything?
    Best regards. Nancy.
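    The ipconfig /all listings in this thread are easy to misread, so here, as an added example that is not part of anyone's post, is a small Python parser for that output. It checks for stray non-address entries like the "?" lines, a missing default gateway, and a gateway that is not on the adapter's own subnet; the sample input is constructed, modelled on the listing above.

```python
import ipaddress
import re

# Constructed sample shaped like the "ipconfig /all" output pasted in the thread;
# the bare "?" lines mimic the junk entries that appeared there.
SAMPLE = """Windows IP Configuration
Host Name . . . . . . . . . . . . : ncroots
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 24.186.100.85
Subnet Mask . . . . . . . . . . . : 255.255.248.0
IP Address. . . . . . . . . . . . : ?
Default Gateway . . . . . . . . . : 24.186.96.1
DNS Servers . . . . . . . . . . . : 167.206.3.212
167.206.3.211
?
"""
# Field: dotted leader then colon; header: ends in ":" with no leader; else continuation.
FIELD = re.compile(r"^([A-Za-z][^.:]*?)[ .]*\.\s*:\s*(.*)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_ipconfig(text):
    # Returns {section: {field: [values]}}; continuations join the last field.
    sections, current, last = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = FIELD.match(line)
        if m and current is not None:
            last = m.group(1).strip()
            values = current.setdefault(last, [])
            if m.group(2):
                values.append(m.group(2).strip())
        elif line.endswith(":") or last is None:
            current = sections.setdefault(line.rstrip(":"), {})
            last = None
        else:
            current[last].append(line)
    return sections

def check_adapter(fields):
    # Findings: junk values, no gateway, or a gateway off the adapter's subnet.
    ips = fields.get("IP Address", [])
    good = [v for v in ips if IPV4.match(v)]
    gws = [v for v in fields.get("Default Gateway", []) if IPV4.match(v)]
    mask = (fields.get("Subnet Mask") or [None])[0]
    findings = ["junk in IP Address: %s" % v for v in ips if v not in good]
    if good and not gws:
        findings.append("address assigned but no default gateway")
    elif good and mask:
        net = ipaddress.ip_interface("%s/%s" % (good[0], mask)).network
        if ipaddress.ip_address(gws[0]) not in net:
            findings.append("gateway %s is not on subnet %s" % (gws[0], net))
    return findings
```

    On the constructed sample the only finding is the stray "?" entry; the gateway 24.186.96.1 sits inside 24.186.96.0/21, which is what the address and mask above describe.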
     
  45. Kodo

    Kodo SNATCHSQUATCH

    You can if you want to, but unless you have a virus, I don't see where it would help you.

    Try removing your Network Card from the device manager (have drivers ready before you do this so you can reinstall the card if XP asks for drivers) then reboot.
     
  46. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    OK, sorry I haven't been about Nancy, really busy at the moment, thanks for understanding.
    Anyway thanks for posting the info. I only wanted the basics, just to see if you were being assigned an IP address, and seeing as yours starts with 24 that's standard for cable.
    This is a bit of a strange one, hey? Agreed with Kodo, you could try a re-install, but seeing as yours is an always-on connection can you humour me and reboot into safe mode: press F8 repeatedly when starting your machine and select Safe Mode with Networking, then try your connection again. Obviously don't go mad as your firewall protection will be gone, just try your home page then reboot back into Windows as normal. I really want you to try this just to eliminate possible problems with your firewall, as it's strange your connections work sometimes and not others; I've seen Zone Alarm play up like this before after spyware removal. Process of elimination.
    Otherwise, if you want to, there is a built-in network troubleshooter in XP that tests your connection, if you wanted to try it?
     
  47. ncroots

    ncroots Private E-2

    Kodo, where do you want me to do this from? (Not knowing whether there is more than one place to do this) I have gone into Control Panel, System, Hardware, Device Manager. Under Network Adapters is my CNET PRO200WL PCI Fast Ethernet Adapter. My choices are to disable, uninstall, or update. If this is what you are talking about, what choice do you want me to make?

    In the meantime, I'll do the General's idea first and will come back here with the results and see what you say.

    Thanks guys. Nancy.
     
  48. Kodo

    Kodo SNATCHSQUATCH

    that's the spot and I would like you to UNINSTALL the network card. Then reboot.
     
  49. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Good luck with those Nancy, I'll keep my fingers crossed that it all works out for you :D
     
  50. ncroots

    ncroots Private E-2

    OK, General, I did what you said. Everything went well but the redirect is still there. I pinged Google and MajorGeeks and got the exact same redirect as before. So, even in safe mode with the firewall(s) inactive it seems to still be there.

    Now, before I try Kodo's idea, I want to make sure I know where the drivers are (which cd).

    I have the Dell Resource CD for Reinstalling Device Drivers and Using Diagnostics. ??

    I have the Motorola CD for Cable Modem Installation. One of its functions is to install USB drivers. This disc says it also has an uninstall feature.

    I also have an Optimum Online CD that installs that software, configures their email program and activates my account. I doubt this is the one...

    I hate to sound stupid here but which disc is the most likely candidate?
    Best regards. Nancy. :)
     
