Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
#1 - 12-20-2007, 04:29 PM
kouye (HJT Trainee)
Join Date: Jan 2007
Location: Paris, France
Posts: 212
OS: Win XP SP2, OS X 10.5


No Internet access + malware checkup

Hi, I have a Fujitsu Siemens Scaleo P running XP Home Edition SP2, that had an issue with Windows stalling on startup followed by a reboot sequence that ran in circles. I originally thought of a hard disk failure, but the problem was apparently rather software driven and was finally solved by repairing Windows with the XP CD.
Now the PC works fine, except for Internet Explorer and Outlook Express not being able to access the Internet through my LAN, although the network configuration is OK. The PC gets an IP address from the router through DHCP and is able to successfully ping outside of the LAN.
The owner of the PC is using an ISP called Alice (in France) that seems to rely on rather specific connection parameters and tools. I suspect this is what is preventing me from going online with this PC through my own LAN.
Also, this PC has Norton installed but apparently not running. I therefore assume it has been functioning with no active antivirus protection for some time.
Before I give the PC back to its rightful owner, I just wanted to check if there was no malware present and if my inability to go online with it is indeed due to some restrictions linked to the user's usual ISP Alice or to something more aggressive.
An opinion on the following log would be greatly appreciated.
Thanks.

BTW, with no Internet access, the five steps have been only partially conducted.


Deckard's System Scanner v20071014.68

Run by MANUELA on 2007-12-20 19:28:45

Computer is in Normal Mode.

--------------------------------------------------------------------------------



-- System Restore --------------------------------------------------------------



Successfully created a Deckard's System Scanner Restore Point.





-- Last 3 Restore Point(s) --

3: 2007-12-20 18:28:48 UTC - RP3 - Deckard's System Scanner Restore Point

2: 2007-12-19 19:17:36 UTC - RP2 - Digital Angels

1: 2007-12-19 13:26:45 UTC - RP1 - Point de vérification système





Backed up registry hives.

Performed disk cleanup.







-- HijackThis (run as MANUELA.exe) ---------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:33:06, on 20/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\fichiers communs\logitech\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\TechCity Solutions\AliceSAV\AliceAgent.exe

C:\Program Files\Logitech\Video\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\MessengerPlus! 3\MsgPlus.exe

C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\wpabaln.exe

C:\Documents and Settings\MANUELA\Bureau\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\MANUELA.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.aliceadsl.fr

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Alice ADSL

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Fichiers communs\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Fichiers communs\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [AliceSAV] C:\Program Files\TechCity Solutions\AliceSAV\AliceAgent.exe

O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe

O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect

O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [fsc-reminder.exe] C:\WINDOWS\reminder\fsc-reminder.exe 2453624 14

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: La Solution Enseignement Ciel.lnk = C:\CIEL\STARTER.EXE

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?0369a831757845448b3c9c8f453622ca

O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?0369a831757845448b3c9c8f453622ca

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - http://abonnement.aliceadsl.fr/confi...ountHelper.cab

O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab

O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.co...p/DigWXMSN.cab

O16 - DPF: {FFFDF6F2-F7BC-4B90-B789-CB7BBDA13AD6} (CLaunchPrint Object) - http://photosmart.hpphoto.com/Downlo...LocalPrint.CAB

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\fichiers communs\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe



--

End of file - 10565 bytes



-- File Associations -----------------------------------------------------------



All associations okay.





-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------



R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys





-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------



All services whitelisted.





-- Device Manager: Disabled ----------------------------------------------------



No disabled devices found.





-- Scheduled Tasks -------------------------------------------------------------



2007-12-20 19:20:00 256 --a------ C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job

2007-12-10 22:47:19 662 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Analyse système complète - MANUELA.job





-- Files created between 2007-11-20 and 2007-12-20 -----------------------------



2007-12-19 20:20:02 0 --a------ C:\WINDOWS\nsreg.dat

2007-12-19 20:20:00 0 d-------- C:\Documents and Settings\MANUELA\Application Data\Mozilla

2007-12-19 14:58:36 0 d-------- C:\Program Files\Trend Micro

2007-12-19 14:23:17 0 d-------- C:\WINDOWS\Prefetch

2007-12-01 03:00:28 0 d-------- C:\Program Files\Windows Live Favorites





-- Find3M Report ---------------------------------------------------------------



2007-12-19 14:31:32 13242 --a------ C:\Documents and Settings\MANUELA\Application Data\wklnhst.dat

2007-12-19 14:27:07 448510 --a------ C:\WINDOWS\system32\perfh00C.dat

2007-12-19 14:27:07 65626 --a------ C:\WINDOWS\system32\perfc00C.dat

2007-12-19 14:16:05 0 d-------- C:\Program Files\Movie Maker

2007-12-19 14:15:27 23756 --a------ C:\WINDOWS\system32\emptyregdb.dat

2007-12-19 14:14:22 0 d-------- C:\Program Files\Windows NT

2007-12-11 19:51:44 0 d-------- C:\Program Files\Fichiers communs\Symantec Shared

2007-12-01 03:00:49 0 d-------- C:\Program Files\Windows Live Toolbar

2007-11-28 19:17:50 0 d-------- C:\Program Files\Windows Live Safety Center

2007-11-28 16:08:57 0 d-------- C:\Program Files\Norton Internet Security

2007-11-18 20:59:53 0 d-------- C:\Documents and Settings\MANUELA\Application Data\AdobeUM

2007-11-18 19:54:06 0 d-------- C:\Program Files\Fichiers communs

2007-11-18 19:54:06 0 d-------- C:\Program Files\Fichiers communs\Adobe

2007-11-06 06:33:27 0 d-------- C:\Program Files\Symantec

2007-11-02 17:22:27 0 d-------- C:\Documents and Settings\MANUELA\Application Data\Image Zone Express





-- Registry Dump ---------------------------------------------------------------



*Note* empty entries & legit default entries are not shown





[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/05/2005 20:05]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 09:50]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11/05/2005 22:12]

"AliceSAV"="C:\Program Files\TechCity Solutions\AliceSAV\AliceAgent.exe" [14/09/2005 17:15]

"LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [05/01/2006 07:58]

"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [05/01/2006 08:15]

"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [01/11/2004 17:22]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [09/12/2005 15:32]

"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [26/04/2006 16:43]

"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [09/01/2007 22:59]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [14/01/2007 00:11]

"Symantec PIF AlertEng"="C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [12/03/2007 09:22]

"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [05/08/2004 13:00]

"SoundMan"="SOUNDMAN.EXE" [17/05/2005 17:48 C:\WINDOWS\SOUNDMAN.EXE]



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 15:09]

"fsc-reminder.exe"="C:\WINDOWS\reminder\fsc-reminder.exe" [19/01/2005 16:10]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [06/08/2004 14:33]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [24/02/2007 20:20]

"IncrediMail"="C:\PROGRA~1\INCRED~1\bin\IncMail.exe" [23/01/2007 08:06]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [22/02/2005 07:55]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]



C:\Documents and Settings\MANUELA\Menu Démarrer\Programmes\Démarrage\

La Solution Enseignement Ciel.lnk - C:\CIEL\STARTER.EXE [23/10/2005 10:50:41]



C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/05/2005 22:23:26]

Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [24/02/2007 20:20:07]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=MsgPlusLoader.dll









-- End of Deckard's System Scanner: finished at 2007-12-20 19:33:45 ------------
Attached file: extra.txt (18.7 KB)
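Reading a HijackThis log by hand comes down to classifying each O-line and deciding which ones deserve a closer look. The following is an added example, not part of the thread and not code from HijackThis or Deckard's System Scanner: it parses a handful of the O2/O4/O23 lines from the log above into records and attaches triage notes for three patterns an analyst looks for first, an O2 entry whose target is (no file), an O23 service with no recorded publisher, and an O4 autostart that runs from a non-standard Windows subfolder (the kind of entry you ask for file properties on). The trusted-directory list and the note wording are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample input: lines copied from the HijackThis log above, trimmed to a subset
# that exercises the O2, O4 and O23 branches of the parser.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [fsc-reminder.exe] C:\WINDOWS\reminder\fsc-reminder.exe 2453624 14
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# One pattern per section handled here (R0/R1, O8, O9, O16 ... are skipped).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^\s:]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")
SECTION_PATTERNS = (("O2", O2_RE), ("O4", O4_RE), ("O23", O23_RE))

# Where an XP autostart binary is normally expected to live (assumed list).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1",
                    "c:\\windows\\system32", "c:\\windows\\ime")


@dataclass
class Entry:
    section: str
    name: str
    target: str
    owner: str = ""
    notes: List[str] = field(default_factory=list)


def executable_of(command: str) -> str:
    """Program part of an O4 command line (quoted or bare, arguments dropped),
    with %systemroot% expanded to the XP default so directory checks work."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]
    else:
        m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", command)
        exe = m.group(1) if m else command.split()[0]
    return re.sub(r"(?i)%systemroot%", r"C:\\WINDOWS", exe)


def location_note(exe: str) -> str:
    """Why the location of an autostart binary deserves a second look, or ''."""
    low = exe.lower()
    if "\\" not in low:
        return "bare file name: resolved through the PATH at logon"
    folder = low.rsplit("\\", 1)[0]
    if folder == "c:\\windows" or folder.startswith(TRUSTED_PREFIXES):
        return ""
    if folder.startswith("c:\\windows\\"):
        return "runs from a non-standard Windows subfolder: check file properties and scan it"
    return "runs from an unusual location: check file properties and scan it"


def parse_hjt(text: str) -> List[Entry]:
    """Turn O2/O4/O23 lines into Entry records with triage notes attached."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in SECTION_PATTERNS:
            m = pattern.match(line)
            if m:
                break
        else:
            continue  # blank line or a section this example does not handle
        e = Entry(section, m["name"], m["target"], owner=m.groupdict().get("owner", ""))
        if e.target == "(no file)":
            e.notes.append("orphaned entry: the registration points at a missing file")
        elif section in ("O4", "O23"):
            note = location_note(executable_of(e.target))
            if note:
                e.notes.append(note)
        if e.owner == "Unknown owner":
            e.notes.append("no publisher recorded for this service: verify the binary")
        entries.append(e)
    return entries


def flagged(entries: List[Entry]) -> Dict[Tuple[str, str], List[str]]:
    """(section, name) -> notes, for every entry that earned at least one note."""
    return {(e.section, e.name): e.notes for e in entries if e.notes}


if __name__ == "__main__":
    for key, notes in flagged(parse_hjt(SAMPLE_LOG)).items():
        print(key, "->", "; ".join(notes))
```

Run against the subset above it flags exactly three entries: the nameless BHO with no file behind it, the fsc-reminder.exe autostart in C:\WINDOWS\reminder, and the Symantec Core LC service with "Unknown owner". A flag is a reason to look, not a verdict; the VirusTotal check and file-properties inspection further down the thread are what turn a flag into a decision.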
#2 - 12-21-2007, 07:15 PM
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,758
OS: 2000 Pro; XP Pro; XP Home


Re: No Internet access + malware checkup

Hi kouye -

I'm not seeing any obvious malware in that log, but there is one file I'd like more information about.

Please check file properties for the following file:

C:\WINDOWS\reminder\fsc-reminder.exe

Right click > Properties > Check on the Version tab for Company name, or any pertinent information.

Quote:
The owner of the PC is using an ISP called Alice (in France) that seems to rely on rather specific connection parameters and tools. I suspect this is what is preventing me from going online with this PC through my own LAN.
Have you checked the TCP/IP settings on the machine's LAN connection? If they are static rather than dynamic (automatically obtained), that would be a possible reason why it won't connect at your LAN.

Please go to Start -> Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.

Double-click on the Internet Protocol (TCP/IP) item.

Before doing this next step, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.

Select the radio button that says Obtain an IP address automatically

Select the radio button that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.

If that doesn't allow the machine access, copy the file to USB stick, and carry it to another machine. (or transfer via network)

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\reminder\fsc-reminder.exe

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
#3 - 12-22-2007, 05:33 AM
kouye


Re: No Internet access + malware checkup

Hi tetonbob,

The information provided on fsc-reminder.exe is sparse :
File type : application
Size : 28 Kb
Created : sept 9th 2005
Last access : dec 2nd 2007, 11:20 (it's now 12:00)
There's nothing in the version tab.
For what it's worth, the reminder folder also contains text files with what looks like messages inviting the user to register their PC at Fujitsu-Siemens (I'll spare you the french cut and paste ;-).

The TCP/IP settings are already set to 'Obtain an IP address automatically' and 'Obtain DNS servers automatically'. And the PC gets an IP address from the router OK. But no access using Internet Explorer or Outlook Express.

Here is the result of the VirusTotal scan, run from another PC :

File fsc-reminder.exe received on 12.22.2007 12:16:58 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.22.10 2007.12.21 -
AntiVir 7.6.0.46 2007.12.21 -
Authentium 4.93.8 2007.12.21 Possibly a new variant of W32/SelfStarterInternetTrojan!Maximus
Avast 4.7.1098.0 2007.12.21 -
AVG 7.5.0.503 2007.12.21 -
BitDefender 7.2 2007.12.22 -
CAT-QuickHeal 9.00 2007.12.22 -
ClamAV 0.91.2 2007.12.22 -
DrWeb 4.44.0.09170 2007.12.21 -
eSafe 7.0.15.0 2007.12.20 suspicious Trojan/Worm
eTrust-Vet 31.3.5395 2007.12.21 -
Ewido 4.0 2007.12.21 -
FileAdvisor 1 2007.12.22 -
Fortinet 3.14.0.0 2007.12.22 -
F-Prot 4.4.2.54 2007.12.21 W32/SelfStarterInternetTrojan!Maximus
F-Secure 6.70.13030.0 2007.12.21 -
Ikarus T3.1.1.15 2007.12.22 -
Kaspersky 7.0.0.125 2007.12.22 -
McAfee 5191 2007.12.21 -
Microsoft 1.3109 2007.12.22 -
NOD32v2 2740 2007.12.21 -
Norman 5.80.02 2007.12.21 -
Panda 9.0.0.4 2007.12.22 -
Prevx1 V2 2007.12.22 -
Rising 20.23.51.00 2007.12.22 -
Sophos 4.24.0 2007.12.22 -
Sunbelt 2.2.907.0 2007.12.21 -
Symantec 10 2007.12.22 -
TheHacker 6.2.9.167 2007.12.21 -
VBA32 3.12.2.5 2007.12.21 -
VirusBuster 4.3.26:9 2007.12.21 -
Webwasher-Gateway 6.6.2 2007.12.22 -

Additional information
File size: 28672 bytes
MD5: 675fdfc4e610b49bb06d73c859d23a59
SHA1: 1d01c9070bb2062ca657ffc0f4f1f46f4ea115ef
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX
packers: UPX
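A VirusTotal result of this era is a plain text table, and the useful questions about it are how many engines fired, whether those were named signatures or heuristic verdicts, and what the hash block says about packing. The following is an added example, not part of the thread and not VirusTotal's own code: it parses the report above, trimmed to ten engine rows (the three that fired plus seven clean ones) and the "Additional information" block, and summarises it. The heuristic keyword list is my own assumption.

```python
import re
from typing import Dict, List

# Sample input: the VirusTotal report from the post above, trimmed to ten
# engines and the hash block (the repeated "packers:" lines are kept as posted).
VT_REPORT = """\
File fsc-reminder.exe received on 12.22.2007 12:16:58 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.22.10 2007.12.21 -
Authentium 4.93.8 2007.12.21 Possibly a new variant of W32/SelfStarterInternetTrojan!Maximus
Avast 4.7.1098.0 2007.12.21 -
CAT-QuickHeal 9.00 2007.12.22 -
eSafe 7.0.15.0 2007.12.20 suspicious Trojan/Worm
F-Prot 4.4.2.54 2007.12.21 W32/SelfStarterInternetTrojan!Maximus
Kaspersky 7.0.0.125 2007.12.22 -
Prevx1 V2 2007.12.22 -
Symantec 10 2007.12.22 -
VirusBuster 4.3.26:9 2007.12.21 -

Additional information
File size: 28672 bytes
MD5: 675fdfc4e610b49bb06d73c859d23a59
SHA1: 1d01c9070bb2062ca657ffc0f4f1f46f4ea115ef
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX
packers: UPX
"""

# engine, version, "last update" date, then the verdict ("-" means clean).
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$")
# Words that mark a verdict as heuristic rather than a named signature (assumed list).
HEURISTIC_WORDS = ("possibly", "suspicious", "heur", "generic", "variant")


def parse_rows(report: str) -> List[Dict[str, str]]:
    """Engine rows only; header, blank and hash lines do not match ROW_RE."""
    rows = []
    for line in report.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_heuristic(result: str) -> bool:
    low = result.lower()
    return any(word in low for word in HEURISTIC_WORDS)


def summarize(report: str) -> Dict[str, object]:
    """Detection count, how many of those are heuristic-only, and the
    distinct family names the signature-based engines agree on."""
    rows = parse_rows(report)
    hits = [r for r in rows if r["result"].strip() != "-"]
    named = [r for r in hits if not is_heuristic(r["result"])]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "heuristic_only": len(hits) - len(named),
        "flagged_by": [r["engine"] for r in hits],
        "named_families": sorted({r["result"].strip() for r in named}),
    }


def extra_info(report: str) -> Dict[str, object]:
    """Hashes and packer hints from the 'Additional information' block;
    repeated 'packers:' lines are collapsed into one list."""
    info: Dict[str, object] = {"packers": []}
    for line in report.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key in ("MD5", "SHA1", "PEiD"):
            info[key.lower()] = value.strip()
        elif key == "packers" and value.strip() not in info["packers"]:
            info["packers"].append(value.strip())
    return info


if __name__ == "__main__":
    print(summarize(VT_REPORT))
    print(extra_info(VT_REPORT))
```

The split between heuristic and named verdicts is the part worth automating: two of the three hits above are "possibly" and "suspicious" wordings, and the one named family comes from a single signature engine, which together with the UPX packer note is the pattern of a packed, auto-connecting but otherwise benign utility. The hashes let you confirm later that the file you inspected on the machine is the same one that was scanned.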
#4 - 12-22-2007, 08:33 AM
tetonbob


Re: No Internet access + malware checkup

Hi kouye -

Thanks for the info on the file. With a name like that, I expected it to be a registration reminder of some sort.

The two hits at VirusTotal are due to its auto-connect ability.

No need to have it running at startup all the time, though.


Open HijackThis and click on 'Do a System Scan Only'. Check the following entry and click Fix Checked

O4 - HKCU\..\Run: [fsc-reminder.exe] C:\WINDOWS\reminder\fsc-reminder.exe 2453624 14

Close HijackThis now.

---------------------------------------------------------------------------------------------

Quote:
But no access using Internet Explorer or Outlook Express
Regarding the internet connection, does it work ok at the owner's location? If so, I wouldn't worry about it. Have you looked at Control Panel > Internet Options > Connections ? What is the setting there?


If machine does not connect to IE and OE at owner's location, you may be better off asking the folks in Networking or Internet Explorer sections.

To better rule out malware as any cause, and due to lack of internet connection, download next tool and transport it to the machine. Using the settings below, it will report only.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Doubleclick the drweb-cureit.exe file.
  • Click on Start, and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects, Infected Packages and Malware to Report, then click OK
  • Next, tick the Complete Scan radio button.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Ignore and close any windows which open, prompting you to buy DrWeb.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
#5 - 12-22-2007, 08:38 AM
tetonbob


Re: No Internet access + malware checkup

Another thought about internet...

You can ping, but cannot use IE or OE.

Can you open a browser to an IP address? For example:

http://72.14.207.99
#6 - 12-22-2007, 02:06 PM
kouye


Re: No Internet access + malware checkup

The O4 line has been fixed.
The Connections tab in the Internet Options has no dialing options presets and the list of bullet points is grayed out ('Never establish connection' is selected in the greyed out list). These are the same settings as my other PCs on the same LAN.
I cannot open the browser to an IP address. With Internet Explorer, I get the following message : "Internet Explorer could not open the search page".
I also get on the bottom line :
Download from : res://C:\WINDOWS\system32\shdoclc.dll\dnserror.html
Could this be narrowing down the problem to some web redirection involving a server at Alice ?
Anyway, unless this seems clear to you, I can indeed try out the Internet access at the user's home. They didn't mention a problem accessing the Internet.
If we can just rule out malware presence on the PC, this would be of great help and I can move on with the rest.
Here is the Dr Web log (it seems unusually short, though, did I miss anything ?) :

Account.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Probablement DLOADER.Trojan;;

5C1B43D8.pif;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Win32.HLLM.Netsky.based;;


tetonbob, I'm going to be out of town for a few days. I'm back online next wednesday. Happy Christmas to you...
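The Dr.Web CureIt report is semicolon-separated, one line per hit, and what matters for each hit is less the detection name than where the file sits: a copy in an antivirus quarantine or in the backup folder of a cleanup tool is already contained, whereas the same verdict in a live folder is not. The following is an added example, not part of the thread and not Dr.Web's code: it parses the two lines posted above plus one constructed line (sample-active.exe, invented here to show the live-location branch) and assigns a triage priority. The folder markers and the heuristic prefixes are my own assumptions; "Probablement" is the French build's rendering of Dr.Web's "Probably" prefix.

```python
from typing import Dict, List

# Sample input: the two Dr.Web CureIt report lines from the post above.
THREAD_LINES = r"""
Account.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Probablement DLOADER.Trojan;;
5C1B43D8.pif;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Win32.HLLM.Netsky.based;;
"""
# Constructed line (not from the thread) standing in for a hit in a live location.
CONSTRUCTED_LINE = r"sample-active.exe;C:\Documents and Settings\MANUELA\Local Settings\Temp;Trojan.Constructed.Sample;;"
DRWEB_CSV = THREAD_LINES + CONSTRUCTED_LINE + "\n"

# Folder fragments meaning the file is already contained: an AV quarantine, or
# a backup copy a cleanup tool kept of something it had already moved (assumed).
CONTAINED_MARKERS = ("\\quarantine\\", "\\backup\\")
# Dr.Web marks heuristic verdicts with a "probably" prefix (French: "Probablement").
HEURISTIC_PREFIXES = ("probably ", "probablement ")


def parse_drweb(text: str) -> List[Dict[str, str]]:
    """Split 'name;folder;detection;action;' lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) < 3:
            continue  # not a report line
        records.append({"name": parts[0], "folder": parts[1], "detection": parts[2],
                        "action": parts[3] if len(parts) > 3 else ""})
    return records


def triage(record: Dict[str, str]) -> Dict[str, str]:
    """Priority by location first, then by how confident the verdict is."""
    folder = record["folder"].lower() + "\\"
    heuristic = record["detection"].lower().startswith(HEURISTIC_PREFIXES)
    if any(marker in folder for marker in CONTAINED_MARKERS):
        priority = "low"
        reason = "already contained (quarantine or tool backup): delete the copy, no active infection"
    elif heuristic:
        priority = "medium"
        reason = "heuristic verdict in a live location: corroborate before acting"
    else:
        priority = "high"
        reason = "named detection in a live location: investigate and remove"
    return {"file": record["folder"] + "\\" + record["name"],
            "priority": priority, "reason": reason}


def triage_report(text: str) -> List[Dict[str, str]]:
    return [triage(r) for r in parse_drweb(text)]


def active_hits(text: str) -> int:
    """Detections that are not already contained. The thread's own two lines
    give 0, which is why a short log made only of such entries is a good log."""
    return sum(1 for t in triage_report(text) if t["priority"] != "low")


if __name__ == "__main__":
    for t in triage_report(DRWEB_CSV):
        print(t["priority"].upper(), t["file"], "->", t["reason"])
    print("active hits in the thread's log:", active_hits(THREAD_LINES))
```

The Account.dll hit is a copy that Deckard's System Scanner backed up from Downloaded Program Files before the scan ran, and the .pif is already in Norton's quarantine, so both come out as low priority; only the constructed line reaches high. That is the reasoning behind reading a short Dr.Web log as a clean result rather than as a scan that missed something.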
#7 - 12-22-2007, 02:22 PM
tetonbob


Re: No Internet access + malware checkup

I still think it's machine setting specific, unless you know there's connection issues at home.

Try Control Panel > Internet Options > Connections > LAN Settings > and then change the setting for the Automatically Detect Settings check box to the opposite of the current setting. Click OK until all dialog boxes are closed, and then quit and restart Internet Explorer.

Short DrWeb log is good log, means there's no infection. One file seems to be false positive, one in Norton Quarantine.
#8 - 12-22-2007, 03:38 PM
kouye


Re: No Internet access + malware checkup

Unchecking 'Automatically Detect Settings' in the Connections tab did not help much.
However, I mentioned in my initial post that Norton was installed but apparently not running. I tried to uninstall Norton through 'AddRemove programs'. That failed. So I ran SymNRT. This successfully removed Norton and after reboot, Internet access was functional again for both Internet Explorer and Outlook Express (and Windows activation for that matter)...
I'll let you draw the conclusions as to whether or not we should submit Norton to be listed as malware ?

Having said that, I understand that the issue is certainly the result of a faulty installation, rather than the program itself, n'est-ce pas ?
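The connectivity part of this thread is a layered diagnosis: ping succeeds, so the LAN and routing are fine; DHCP and DNS settings are automatic; the browser cannot even open a raw IP address; and the cause turns out to sit in the application path, inside a broken security-suite install. The following is an added example, not part of the thread, that encodes that walk up the stack as a function. The real probes use the standard library and need a network; diagnose() takes the probes as parameters so the same logic can be exercised offline with stand-ins. The hostname example.com is an assumed placeholder; 72.14.207.99 is the address suggested earlier in the thread.

```python
import socket
import urllib.error
import urllib.request
from typing import Callable, Optional


def real_resolve(host: str) -> Optional[str]:
    """DNS layer: hostname -> IPv4 string, or None if resolution fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def real_tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Transport layer: can a TCP handshake to ip:port be completed?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def real_http_get(url: str, timeout: float = 5.0) -> bool:
    """Application layer: does a plain HTTP GET get any HTTP response back?"""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode() is not None
    except urllib.error.HTTPError:
        return True  # a 4xx/5xx still proves the HTTP path is open
    except (OSError, ValueError):
        return False


def diagnose(host: str, known_ip: str,
             resolve: Callable[[str], Optional[str]],
             tcp_connect: Callable[[str, int], bool],
             http_get: Callable[[str], bool]) -> str:
    """Walk up the stack and name the first layer that fails.

    'application' means every probe passed: the LAN, DNS and TCP are fine, so a
    browser that still fails is being blocked inside its own path (proxy
    settings, a Winsock LSP, or a filter driver left behind by a security
    suite) rather than by the network. 'name-based-http' means the IP works
    but the hostname does not, which points at DNS answers or a proxy rule.
    """
    if resolve(host) is None:
        return "dns"
    if not tcp_connect(known_ip, 80):
        return "tcp"
    if not http_get("http://%s/" % known_ip):
        return "http"
    if not http_get("http://%s/" % host):
        return "name-based-http"
    return "application"


if __name__ == "__main__":
    print(diagnose("example.com", "72.14.207.99",
                   real_resolve, real_tcp_connect, real_http_get))
```

Running this from a second program on the affected machine is the point: if Python can fetch the page while Internet Explorer and Outlook Express cannot, the verdict is "application", and the next things to inspect are the browser's proxy settings and what has been inserted into the Winsock stack. On XP SP2 the stock recovery command for a damaged Winsock catalogue is netsh winsock reset, which is worth trying before uninstalling anything, and removing a half-installed security suite with the vendor's removal tool, as was done above, is the other standard fix.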
#9 - 12-22-2007, 03:42 PM
tetonbob


Re: No Internet access + malware checkup

LOL...that was actually my next line of attack. Nice job!

You may want to consider taking the opportunity to give the owner a different AV. I remove it whenever I can.

Avira, Avast, and AVG are all very good freeware programs.

Looks like we can consider this one solved? In time for the holidays, no less! C'est très bien!

You have my closing recommendations from your other thread.
#10 - 12-22-2007, 03:54 PM
kouye


Re: No Internet access + malware checkup

I had Avast in mind, along with a firewall program. I'll also apply your closing recommendations.
Thanks a lot for your help, tetonbob. Have a good Christmas break if you take some time off as well.
Copyright 2001 - 2008, Tech Support Forum