Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by nomadd, Feb 14, 2005.

  1. nomadd

    nomadd Private E-2

    Hi, I am new to the board and I need some help with a problem. I am working on a friend's computer trying to remove CoolWWWSearch.Bootconf and I am having no luck. I have followed the directions on the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal sticky, and the How to Protect yourself from malware! thread to no avail. That stupid thing just won't go away. Can I get a little help please? I am so frustrated with this computer I want to throw it out a window. Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL the steps in the READ ME and still have problems, follow the steps below exactly and then post your log attachment.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. nomadd

    nomadd Private E-2

    Thanks for getting back to me, here is the log file. Hopefully it is linked
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O2 - BHO: (no name) - {106F55D1-21F5-4241-B470-43218D01D6BB} - C:\WINDOWS\System32\mssmc.dll
    O2 - BHO: (no name) - {7F59C36C-0255-4818-B337-E68AA095F88F} - C:\WINDOWS\System32\mssmc.dll
    O2 - BHO: (no name) - {947DE1E9-3D62-4D9A-861F-F2220E9103DA} - C:\WINDOWS\System32\mcicdb.dll (file missing)
    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    O4 - HKLM\..\Run: [sp2chk.exe] sp2chk.exe
    O4 - HKLM\..\Run: [LOPTCON] Testimonials.exe
    O4 - HKLM\..\Run: [srbho] ABCXYZ.exe
    O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
    O9 - Extra button: (no name) - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d:\foo.mht!http://69.50.166.212/counter/new/x.chm::/update.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k42033/sb028.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\mssmc.dll
    sp2chk.exe
    Testimonials.exe
    ABCXYZ.exe
    C:\WINDOWS\Temp\RECOVE~1.EXE
    c:\counter.cab

    Additional step to delete C:\WINDOWS\Downloaded Program Files\SbCIe028.dll:
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s SbCIe028.dll
    del SbCIe028.dll
    exit

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Let me know if you have any problems finding or deleting any of these files.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
    Do you recognize the below IP addresses? Is it for your ISP and home network?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB9AD7C-E04F-4B3D-B0E3-62593E91A81D}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F080E9E2-6EFC-45E1-9DFB-56AFBDCBAFB4}: NameServer = 69.50.188.180,195.225.176.31
     
  5. nomadd

    nomadd Private E-2

    Ok, finished clearing everything that you suggested, and rebooted. The only problem so far is that I get a pop up saying: CManager Application Fatal Error: Unable to connect to the CCD process. CManager is the title of the box. Other than that it seems to be working. Now when I open IE it shows me google as my home page instead of About:blank.

    Here is the new log.

    and no, I don't know if
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB9AD7C-E04F-4B3D-B0E3-62593E91A81D}: NameServer = 69.50.188.180,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F080E9E2-6EFC-45E1-9DFB-56AFBDCBAFB4}: NameServer = 69.50.188.180,195.225.176.31
    are part of my network or not.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This line is still in your log:
    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

    Did you remember to exit all browsers before fixing it? And did you perform the steps I gave you to delete it from the Downloaded Program Files folder?

    As far as the CManager problem, I don't know why it is coming up, but you don't need that program anyway and should be able to uninstall it from Add/Remove Programs. See this:

    http://startup.iamnotageek.com/srch-CManager.exe.html
     
  7. nomadd

    nomadd Private E-2

    When I try and remove SbCle028.dll it says: File not found. I booted up into safe mode and opened a cmd prompt, but to no avail. I followed the steps exactly.
     
  8. nomadd

    nomadd Private E-2

    I tried to remove the connection manager like the link suggested, and I can't do that either.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying you open Control Panel and looked in Add/Remove Programs and Connection Manager was not there?
     
  10. nomadd

    nomadd Private E-2

    I opened Control Panel and it is there, but it won't let me remove it. And when I tried to remove that one dll file I followed your steps exactly, but it says that the file is not there.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and extract the getWDPF.bat file from the attached getWDPF.zip file. Then run the getWDPF.bat file by double clicking on it. It will create a text file when finished and it will be in your root directory on drive C:. The file will be c:\wdlfile-list.txt

    You should be able to attach the wdlfile-list.txt file here as an attachment with no problem.

    This file will contain a file listing of your C:\Windows\Downloaded Program Files folder. It will show hidden, system, and normal files and will show file ownership information.
     

    Attached Files:

    Last edited: Feb 16, 2005
  12. nomadd

    nomadd Private E-2

    Ok, I downloaded the file and ran it and here are the results
     
    Last edited by a moderator: Feb 16, 2005
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! I had an error in that file which caused it not to work properly. Please go back to the previous message and download the ZIP file again. And run the getWDPF.bat and post the new output. I deleted your previous attachment that contained no file information. This way you will not have a problem uploading the same filename again.
     
    Last edited: Feb 16, 2005
  14. nomadd

    nomadd Private E-2

    Ok, here is the updated file.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The file is still there and the owner is Katie:

    04/22/2004 02:42 PM 208,896 TOSHIBA-USER\KATIE SbCIe028.dll

    You need to be logged in as Katie and then delete this file (possibly in safe mode) and fix this line in HJT in both user accounts. Make sure you download the new HJT 1.99.1.
     
  16. nomadd

    nomadd Private E-2

    Ok removed the file. I was inserting an L instead of an I. Now the only problem seems to be when I log into the other account, (Kim). That is where I get the CManager Application Error.

    Here is the new HJT log
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Whose account is this log from? I see more problems!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    O4 - HKCU\..\Run: [gabber] StartCpl.exe
    O4 - HKCU\..\Run: [jopplerg] corrida.exe
    O4 - HKCU\..\Run: [SetupExeDll] driver32.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\windows\system32\StartCpl.exe
    C:\windows\system32\corrida.exe
    C:\windows\system32\driver32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings (I assumed this is your preferred start page: http://dsl.sbc.yahoo.com/)
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to http://dsl.sbc.yahoo.com/ Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address http://dsl.sbc.yahoo.com/ Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  18. nomadd

    nomadd Private E-2

    Well, the computer that I was working on is no longer in my possession. The person I was helping wanted it back even though I wasn't finished with it. They are happy with the results for now. Thanks for the help though.

    I do have another question. My own system is running a little slow. I have done everything that I did with the first computer and I was wondering if you could take a look at my hijack this log and let me know if there is anything that I missed. I will post my log after I get an ok for it.

    Thanks

    Nomadd
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As long as you have run all the steps of the READ ME, then yes go ahead and attach your log. I'm adding a bold print message here though for me and anyone else who reads the thread so that we notice a new PC is being worked on.

    =================================================
    NOTE: NEW PC BEING WORKED ON FROM THIS POINT ON!
    =================================================
     
  20. nomadd

    nomadd Private E-2

    Ok, thanks

    Here is the new Hijack This log

    Nomadd
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    At first glance (still looking at other lines):
    You must not use multiple firewalls. I see signs of something from Norton/Symantec and also ZoneAlarm. Also, have you disabled the XP SP2 built-in firewall? It is enabled by default.
     
  22. nomadd

    nomadd Private E-2

    No the only firewall that I am running is ZoneAlarm Pro
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see some info indicating something relating to Norton firewall. And does that mean you actually physically went and disabled the one in Win XP?

    Do you use Viewpoint Manager?
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    Do you use Real Player?
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    Do you really need Logitech to automatically download and update you without notice?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    The below 3 lines should be fixed! Note nothing belongs in the Trusted Zone. If you cannot use Musicmatch without that entry, I would not use their software.
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/026ad4f7202f894fff06/netzip/RdxIE601.cab
     
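    As an added example (not code from this thread, from HijackThis, or from its authors): a small Python triage script that applies the kinds of checks chaslang makes by hand in posts 4 and 23, flagging R0/R1 start and search page redirects, unnamed or missing O2 BHOs, path-less O4 Run entries or ones launched from a Temp folder, any O15 Trusted Zone entry, O16 DPF objects loaded via ms-its:/file: URLs or from a bare IP address, and O17 NameServers outside an allowlist. The expected DNS servers and start-page host are assumptions you set for the PC being examined; the sample log is constructed from line shapes quoted in the thread.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Assumed (not from the thread): the DNS servers and home-page host you expect on this PC.
EXPECTED_NAMESERVERS = {"192.168.1.1"}
EXPECTED_START_HOSTS = {"dsl.sbc.yahoo.com"}
# Constructed sample log using line shapes quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {947DE1E9-3D62-4D9A-861F-F2220E9103DA} - C:\WINDOWS\System32\mcicdb.dll (file missing)
O4 - HKLM\..\Run: [srbho] ABCXYZ.exe
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB9AD7C-E04F-4B3D-B0E3-62593E91A81D}: NameServer = 69.50.188.180,195.225.176.31
"""

def triage_line(line, expected_ns=EXPECTED_NAMESERVERS, start_hosts=EXPECTED_START_HOSTS):
    # Return why an HJT line deserves a look, or None if it passes these checks.
    kind, _, rest = line.partition(" - ")
    if kind in ("R0", "R1"):                      # IE start/search page settings
        value = rest.rsplit(" = ", 1)[-1]
        if value == "about:blank":
            return "start/search page forced to about:blank"
        host = urlsplit(value).hostname or ""
        if host not in start_hosts:
            return "start/search page points at " + host
    elif kind == "O2" and ("(no name)" in rest or "(file missing)" in rest):
        return "unnamed or missing BHO"
    elif kind == "O4":                            # autorun entries
        target = rest.split("] ", 1)[-1]
        if "\\" not in target:
            return "Run entry is a bare filename with no path"
        if "\\temp\\" in target.lower():
            return "Run entry launches from a Temp folder"
    elif kind == "O15":
        return "Trusted Zone entry (nothing belongs here)"
    elif kind == "O16":                           # Downloaded Program Files (ActiveX)
        url = rest.split(" - ")[-1]
        if url.lower().startswith(("ms-its:", "file:")):
            return "DPF fetched via ms-its:/file: URL"
        if re.fullmatch(r"\d+(\.\d+){3}", urlsplit(url).hostname or ""):
            return "DPF fetched from a bare IP address"
    elif kind == "O17":                           # DNS servers handed to TCP/IP
        unknown = {s.strip() for s in rest.rsplit("=", 1)[-1].split(",")} - expected_ns
        if unknown:
            return "unexpected NameServer " + ",".join(sorted(unknown))
    return None

def triage_log(text, **kw):
    # Return [(line, reason)] for every suspicious line in an HJT log.
    return [(l, r) for l in map(str.strip, text.splitlines()) if l and (r := triage_line(l, **kw))]
```

    Lines the script does not flag still deserve the "do you recognise this program?" questions chaslang asks, since a full path and a real name prove nothing on their own.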
  24. nomadd

    nomadd Private E-2

    I checked to make sure that the windows firewall was off and it is, and as far as I can tell Norton is NOT running a firewall. All I have for norton is AntiVirus and ghost. As for the other questions, no I don't know what viewpoint manager is, no I don't use real player and no I don't need logitech to automatically update for me. I will remove these lines from my reg along with the three for Musicmatch.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto Add/Remove programs and uninstall Viewpoint Manager (crap from AOL) also uninstall Real Player if not needed. It's a resource hog. Fix the Logitech line use HijackThis.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure this SPBBCSvc.exe Symantec Internet Security Service

    Is not really the same as a firewall!

    You also have this running:
    NPFMntor.exe Norton AntiVirus Firewall Install Monitor.

    I don't know your Norton/Symantec software so I'm not sure exactly what these really are, but they sure sound firewall related.
     
  27. nomadd

    nomadd Private E-2

    I just opened Norton, and I don't see any type of firewall anything in there. I know that when you buy their products, they all kind of mesh together. Maybe it has something to do with their firewall program that I didn't buy.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! It does not hurt to check because multiple firewalls can cause conflicts and also waste system resources (something Symantec/Norton is pretty good at doing).

    Other than what's been mentioned you should be okay on this PC.
     
  29. nomadd

    nomadd Private E-2

    Ok, done everything. Looks good then, thanks.

    Nomadd
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     