#21 (permalink)
Registered User
Join Date: Sep 2005
Posts: 36
OS: Windows 2000
Hi Ried. K .. coupla things. As I said this is a friend's machine. He had to collect it - his daughter needed to do some school work. So it'll be this evening before I can do anything more. Sorry.

The Modem Lock business .. I had contacted BT the guy's ISP who supply that software. They advise me to reinstall his Internet Connection and have given me full instructions to do so online.

The WinPFind. I can't get into Safe Mode so should I try that in Normal? Again, sorry about the delay.

#22 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,854
OS: WinXP and Vista
When the machine is in your possession once again, try this tool instead and let's see what it can ferret out.

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions. Disconnect from the internet. Launch & use the diagnostic version of SpySweeper & configure it as follows:

* Reboot back to Normal Mode
* Launch SpySweeper & select Results from the left pane
* Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

#23 (permalink)
Registered User
Join Date: Sep 2005
Posts: 36
OS: Windows 2000
Hi Ried. Another tale.

Went to the guy's house to try this stuff. Followed instructions received from BT (ISP) to download & reinstall software. No luck (error extracting cab file). Tried from disk he had. Same result. Disabled Modem Lock in msconfig but it still alerts that it's disabled. That's 1 SOB piece of software.

Ran SpySweeper and as you'll see from log more dodgy stuff showing. 1 of which (Winantispyware) he told me he'd clicked on as he thought it was something I'd put on! While I was trying to install the BT stuff from disk spysweeper alerted me to hyjk, so I'm posting the log that includes that alert as well as HJT log. VundoFix found nothing. Thanks for your patience.

********
21:18: | Start of Session, 27 February 2006 |
21:18: Spy Sweeper started
21:18: Sweep initiated using definitions version 622
21:18: Starting Memory Sweep
21:22: Memory Sweep Complete, Elapsed Time: 00:03:55
21:22: Starting Registry Sweep
21:22: Found Adware: exact cashback/bargain buddy
21:22: HKLM\software\microsoft\windows\currentversion\app management\arpcache\bargain buddy\ (2 subtraces) (ID = 104023)
21:22: Found Adware: blazefind
21:22: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\bridge.dll (ID = 104541)
21:22: Found Adware: seekseek.com hijacker
21:22: HKLM\software\microsoft\internet explorer\search\ || search assistant (ID = 141574)
21:22: Found Adware: searchsail
21:22: HKCR\kwpopper.application\ (3 subtraces) (ID = 1139487)
21:22: HKCR\clsid\{9d0505fd-6e32-497c-a2f1-8b9d5241e2c9}\ (7 subtraces) (ID = 1139491)
21:22: HKLM\software\classes\kwpopper.application\ (3 subtraces) (ID = 1139499)
21:22: HKLM\software\classes\clsid\{9d0505fd-6e32-497c-a2f1-8b9d5241e2c9}\ (7 subtraces) (ID = 1139503)
21:23: Registry Sweep Complete, Elapsed Time:00:00:55
21:23: Starting Cookie Sweep
21:23: Found Spy Cookie: touchclarity cookie
21:23: owner@btow.touchclarity[1].txt (ID = 3566)
21:23: Found Spy Cookie: reliablestats cookie
21:23: owner@stats1.reliablestats[2].txt (ID = 3254)
21:23: owner@btow.touchclarity[1].txt (ID = 3566)
21:23: Found Spy Cookie: tribalfusion cookie
21:23: owner@tribalfusion[1].txt (ID = 3589)
21:23: Cookie Sweep Complete, Elapsed Time: 00:00:01
21:23: Starting File Sweep
21:24: Found Adware: 180search assistant/zango
21:24: c:\documents and settings\owner\local settings\temp\fleok (1 subtraces) (ID = -2147480558)
21:24: Found Adware: seekseek
21:24: c:\program files\common files\slmss (ID = -2147481537)
21:26: Found Adware: tvmedia
21:26: tvmknwrd.dll (ID = 81726)
21:38: Found Adware: winantispyware 2005
21:38: setup.exe (ID = 162517)
21:38: setup.exe (ID = 122245)
21:39: tvm.upd (ID = 81653)
21:40: Found Adware: adlogix
21:40: sp32.xml (ID = 49240)
21:41: dfd.sys (ID = 162513)
21:42: Found Adware: directrevenue-abetterinternet
21:42: alchem.inf (ID = 83109)
21:42: Found Adware: twain-tech
21:42: polmx.inf (ID = 81856)
21:42: mxtarget.inf (ID = 81843)
21:42: trial.updates.winsoftware[1].txt (ID = 149943)
21:45: File Sweep Complete, Elapsed Time: 00:21:56
21:45: Full Sweep has completed. Elapsed time 00:26:57
21:45: Traces Found: 46
21:45: Removal process initiated
21:45: Quarantining All Traces: 180search assistant/zango
21:45: Quarantining All Traces: adlogix
21:45: Quarantining All Traces: directrevenue-abetterinternet
21:45: Quarantining All Traces: blazefind
21:45: Quarantining All Traces: exact cashback/bargain buddy
21:45: Quarantining All Traces: searchsail
21:45: Quarantining All Traces: seekseek.com hijacker
21:45: Quarantining All Traces: seekseek
21:45: Quarantining All Traces: tvmedia
21:46: Quarantining All Traces: twain-tech
21:46: Quarantining All Traces: reliablestats cookie
21:46: Quarantining All Traces: touchclarity cookie
21:46: Quarantining All Traces: tribalfusion cookie
21:46: Quarantining All Traces: winantispyware 2005
21:47: Removal process completed. Elapsed time 00:01:22
22:07: Processing Startup Alerts
22:07: Removed Startup entry: hyjk
22:15: BHO Shield: found: ysidebarIE.dll-- BHO installation denied at user request
22:16: BHO Shield: found: YPager.exe-- BHO installation denied at user request
********
21:09: | Start of Session, 27 February 2006 |
21:09: Spy Sweeper started
21:17: Your spyware definitions have been updated.
21:18: | End of Session, 27 February 2006 |

Logfile of HijackThis v1.99.1
Scan saved at 21:53:24, on 27/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctxsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [controlkids] C:\Program Files\Control Kids\controlkids.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctxsvc] C:\WINDOWS\System32\ctxsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137416512640
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templ...control023.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
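The HijackThis log in this post follows a fixed line grammar: a section code such as R1, O4 or O23, a dash, then a body whose layout depends on the section. The Python below is an added example for this thread, not code from HijackThis or from either poster. It parses lines in that grammar, extracts CLSIDs and O4 Run-key labels, and marks entries that are structurally odd: a registry reference to a file that no longer exists, an object registered with no display name, or an O16 ActiveX download listed without a friendly name. The marks are prompts for an analyst to look closer, not verdicts. The regular expressions, function names and flag names are my own, and the sample input is nine lines copied from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: nine lines copied from the HijackThis v1.99.1 log posted above,
# covering each entry type the parser understands.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctxsvc] C:\WINDOWS\System32\ctxsvc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
"""

# Every HJT entry is "<section> - <body>"; section codes are R, F, N or O plus a number.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 Run-key form: "HKLM\..\Run: [label] command line"
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# O16 form that carries a friendly name: "DPF: {clsid} (Name) - url"
DPF_NAMED_RE = re.compile(r"^DPF: \{[^}]+\} \(.+?\) - ")


@dataclass
class Entry:
    kind: str                      # "O2", "O4", "O23", ...
    body: str                      # text after "Oxx - "
    clsid: Optional[str] = None    # first {GUID} on the line, if any
    label: Optional[str] = None    # O4 Run-key value name
    command: Optional[str] = None  # O4 command line
    flags: list = field(default_factory=list)  # heuristic marks, see parse_entry


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for headers, process paths and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(kind=m.group("kind"), body=m.group("body"))
    c = CLSID_RE.search(e.body)
    e.clsid = c.group(0) if c else None
    run = RUN_RE.match(e.body) if e.kind == "O4" else None
    if run:
        e.label, e.command = run.group("label"), run.group("cmd")
    # Structural hints worth a second look; none of them is a verdict.
    if "(no file)" in e.body or "(file missing)" in e.body:
        e.flags.append("orphaned")       # registry still points at a file that is gone
    if "(no name)" in e.body:
        e.flags.append("unnamed")        # object registered without a display name
    if e.kind == "O16" and not DPF_NAMED_RE.match(e.body):
        e.flags.append("dpf-without-name")  # ActiveX download with no friendly name
    return e


def parse_log(text: str) -> list:
    """All parsable entries of a log, in file order."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def count_by_kind(entries: list) -> dict:
    counts = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def flagged(entries: list) -> list:
    """Entries carrying at least one heuristic mark, for the analyst to review."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(count_by_kind(entries))
    for e in flagged(entries):
        print(f"{e.kind} {e.clsid or '-'} {e.flags}: {e.body}")
```

On the nine sample lines this marks the no-name BHO with no file, the O9 Java Console button whose msjava.dll is missing, and the O16 download with no friendly name; the rest pass through unflagged, which is exactly the point: the tool narrows the list, the analyst still decides.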

#24 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,854
OS: WinXP and Vista
Webroot seems to have taken care of any remaining 'nasties', including the hyjk.

Click Start->Run - type SERVICES.MSC & then click on the OK button
* Locate the service - BT Modem Lock - British Telecommunications plc
* Double-click on it to open the Properties dialog.
* Under the General tab:
* Stop the service by using the Stop button.
* Change the Startup type to Disabled & then click on the OK button and reboot.

Any luck now? If not, I'm wondering if your friend may not have the Control Kids program set up properly. You may want to check into that aspect.
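Ried's reading of the Spy Sweeper log, that Webroot quarantined everything it found and removed the hyjk startup entry, comes from matching each "Found ..." line against a later "Quarantining All Traces: ..." line. The Python below is an added example, not code from the thread or from Webroot, that performs that reconciliation mechanically so an incomplete removal cannot be missed. The sample input is a constructed excerpt of the session log in the previous post in which the quarantine line for winantispyware 2005 has been deliberately left out, so the report has something to show; the regular expressions and the reconcile function are my own.

```python
import re

# Constructed sample: an excerpt of the Spy Sweeper session log from the previous
# reply. The "Quarantining All Traces: winantispyware 2005" line is left out on
# purpose so the check has a gap to report.
SAMPLE_SESSION = r"""
21:22: Found Adware: exact cashback/bargain buddy
21:22: HKLM\software\microsoft\windows\currentversion\app management\arpcache\bargain buddy\ (2 subtraces) (ID = 104023)
21:22: Found Adware: blazefind
21:23: Found Spy Cookie: touchclarity cookie
21:23: owner@btow.touchclarity[1].txt (ID = 3566)
21:24: Found Adware: 180search assistant/zango
21:38: Found Adware: winantispyware 2005
21:45: Traces Found: 46
21:45: Removal process initiated
21:45: Quarantining All Traces: 180search assistant/zango
21:45: Quarantining All Traces: blazefind
21:45: Quarantining All Traces: exact cashback/bargain buddy
21:46: Quarantining All Traces: touchclarity cookie
21:47: Removal process completed. Elapsed time 00:01:22
22:07: Removed Startup entry: hyjk
"""

# Every line starts with "HH:MM: "; the message after it decides what we record.
TIME = r"^\d\d:\d\d: "
FOUND_RE = re.compile(TIME + r"Found (?P<category>[^:]+): (?P<name>.+)$")
QUARANTINE_RE = re.compile(TIME + r"Quarantining All Traces: (?P<name>.+)$")
STARTUP_RE = re.compile(TIME + r"Removed Startup entry: (?P<name>.+)$")
TRACES_RE = re.compile(TIME + r"Traces Found: (?P<n>\d+)$")


def reconcile(log_text: str) -> dict:
    """Match every named detection against a quarantine line and report the gaps."""
    found = {}            # trace name -> category (Adware, Spy Cookie, ...)
    quarantined = set()
    startup_removed = []
    traces = None
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            found[m.group("name")] = m.group("category")
            continue
        m = QUARANTINE_RE.match(line)
        if m:
            quarantined.add(m.group("name"))
            continue
        m = STARTUP_RE.match(line)
        if m:
            startup_removed.append(m.group("name"))
            continue
        m = TRACES_RE.match(line)
        if m:
            traces = int(m.group("n"))
    return {
        "traces_found": traces,
        "found": found,
        "quarantined": sorted(quarantined),
        "not_quarantined": sorted(n for n in found if n not in quarantined),
        "startup_removed": startup_removed,
    }


def is_clean_removal(report: dict) -> bool:
    """True only when every named detection has a matching quarantine line."""
    return not report["not_quarantined"]


if __name__ == "__main__":
    report = reconcile(SAMPLE_SESSION)
    for name in report["not_quarantined"]:
        print(f"found but not quarantined: {name} ({report['found'][name]})")
    print("clean removal" if is_clean_removal(report) else "follow-up needed")
```

Run against the full log posted above rather than the trimmed sample, the "not quarantined" list comes back empty, which is the mechanical form of Ried's conclusion.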

#25 (permalink)
Registered User
Join Date: Sep 2005
Posts: 36
OS: Windows 2000
Hi Ried.

Ran services.msc > Modem Lock > General tab. Stop button was grayed out and it wouldn't hold the Disabled option.

Control Kids exe wasn't on machine so couldn't change settings. Wasn't in the Add/Remove programs Control panel either. Lost a little patience then.

Ran HJT, checked Control Kids and Modem Lock entries and "Fixed" them. No change.

Ran services.msc > Modem Lock ..... had a look ... > Log On tab. In Hardware Profile selected Profile 1 (only one available). Clicked Disable. Apply. Reboot.

Hey Presto! I was able to download and install the Internet connection software and connect, disconnect and reconnect OK. I was also able to boot to Safe Mode.

Enabled Modem Lock in the Hardware Profile again, Rebooted. Modem Lock came on OK and had no problem with connecting, disconnecting and reconnecting to Internet. Couldn't boot to Safe Mode though.

I'd like to get to the bottom of the Safe Mode problem BUT my friend is content that his machine is running much better and his Internet connection is OK again. I guess it's a successful conclusion. I hope you don't feel we've wasted your time by drawing this to a close before a complete solution.

Many, many thanks for your help, advice, time and patience.

#26 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,854
OS: WinXP and Vista
Hi Raggedy,

Not a waste of time at all, we cleared out some nasty stuff. Nice job tracking down the modem issue. Based on what you've just said, it would seem the Safe Mode issue is related to the Modem Lock Program and not malware. If your friend decides to try to resolve the Safe Mode issue, he (or you) may want to post in the Windows XP section.

Please contact your friend and have him carry out these important final steps, with emphasis on flushing out System Restore.

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option. Click Yes to confirm.
Click OK.

Enable Windows Auto Update
* Go to Start>Run - type wuaucpl.cpl
* Tick on the checkbox - "Keep my computer up to date"
* Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file; save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD). From within the folder, double-click install.bat. Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain.

Download Spyware Guard to catch and block spyware before it can execute.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. Follow this list and the potential for being infected again will reduce dramatically.

#27 (permalink)
Registered User
Join Date: Sep 2005
Posts: 36
OS: Windows 2000
Thanks Ried.

I've put ZoneAlarm, AVG, Ad-Aware, SpyBot S&D and PanicWare's Pop-Up Stopper on his machine and stressed the importance of updating and scanning regularly. And of the hazards of accepting downloads without being sure about them. Hopefully he will bear these things in mind. I'll do the other stuff you've specified also.

Again, thanks. This is a great site and I've learned a lot from just following your instructions.