View Full Version : Some problems with internet-Start Page-Very very slow to start up
Spiderman
2006-02-15, 18:19
Hello,
I had recently a problem with my internet explorer (i noticed after installing the MSN beta version 8.0-but am not sure because I also installed and uninstalled a router Trend Net which was working only when both equipement was in the same room). When i start the internet it was very very slow to start up (may take 5-15minutes to show fully with my start page). I therefore uninstalled the internet and reinstalled it again from the web (I had to use Mozilla firefox to download). Now it opens up correctly but when I tried to change the start page to test (i shifted it to google then i returned it back to its original setting www.polymtl.ca) since I have got tea timer operating i allowed the change in registry. Since then ieach time I start my computer tea timer still ask me to allow or to deny this change. so I ticked the option to remember the action and now it does not ask me. But the problem is that I have noticed in the tea timer log that everyday when I start my pc it has an action to put my start page (for which I defined that is www.polymtl.ca). I noticed also that before I had not this action. I should be grateful if you could help me in that as i am sure there should be a small problem somewhere.
I thank you in advance
I use AVG free edition (I scanned the whole pc with updated database but there was no virus)
I use spybot latest version and update with tea timer on.
I use adadware SE personal to clean up regularly with latest updates.
I have also spywareblaster installed
I did also IE Spyad IE restriction latest one.
Thanking you in advance for your reply
Hello.
Please go here and follow instructions.
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)
Copy paste the HJT log into your topic here and then someone will advise you as soon as available to do so.
Cheers. :)
Spiderman
2006-02-16, 03:32
Hello,
I had recently a problem with my internet explorer (i noticed after installing the MSN beta version 8.0-but am not sure because I also installed and uninstalled a router Trend Net which was working only when both equipement was in the same room). When i start the internet it was very very slow to start up (may take 5-15minutes to show fully with my start page). I therefore uninstalled the internet and reinstalled it again from the web (I had to use Mozilla firefox to download). Now it opens up correctly but when I tried to change the start page to test (i shifted it to google then i returned it back to its original setting www.polymtl.ca) since I have got tea timer operating i allowed the change in registry. Since then ieach time I start my computer tea timer still ask me to allow or to deny this change. so I ticked the option to remember the action and now it does not ask me. But the problem is that I have noticed in the tea timer log that everyday when I start my pc it has an action to put my start page (for which I defined that is www.polymtl.ca). I noticed also that before I had not this action. I should be grateful if you could help me in that as i am sure there should be a small problem somewhere.
I thank you in advance
I use AVG free edition (I scanned the whole pc with updated database but there was no virus)
I use spybot latest version and update with tea timer on.
I use adadware SE personal to clean up regularly with latest updates.
I have also spywareblaster installed
I did also IE Spyad IE restriction latest one.
Thanking you in advance for your reply
Here is the log of HJT for 15feb 2006:
Logfile of HijackThis v1.99.1
Scan saved at 11:16:41, on 2006-02-15
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\TextTwist\TextTwist.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\antispyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.biblio.polymtl.ca:8080/biblio
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af0f7d19f01815/netzip/RdxIE601_fr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C7256BB-E90A-4484-AA8C-39E1676B683F}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{54EB7058-9B49-4CF4-A438-76F777F28E8C}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C7256BB-E90A-4484-AA8C-39E1676B683F}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C7256BB-E90A-4484-AA8C-39E1676B683F}: NameServer = 69.50.176.156,195.225.176.31
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: vskype - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Hello and sorry for the wait.
Please go here and post a link back to this topic to flag a helper.
If you have waited three days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)
LonnyRJones
2006-02-19, 09:17
Hi
Post a report from this tool
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them.....legitimate files can be listed.
Spiderman
2006-02-19, 17:53
Hi
Post a report from this tool
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them.....legitimate files can be listed.
Here is the entry from blacklight, thanks:
02/19/06 10:49:32 [Info]: BlackLight Engine 1.0.32 initialized
02/19/06 10:49:32 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/19/06 10:49:32 [Note]: 7019 4
02/19/06 10:49:32 [Note]: 7005 0
02/19/06 10:49:45 [Note]: 7006 0
02/19/06 10:49:45 [Note]: 7011 232
02/19/06 10:49:46 [Note]: FSRAW library version 1.7.1015
02/19/06 10:51:46 [Note]: 7007 0
LonnyRJones
2006-02-19, 18:58
Close all browser's Start Hijackthis and place a check next to these items If there.
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C7256BB-E90A-4484-AA8C-39E1676B683F}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{54EB7058-9B49-4CF4-A438-76F777F28E8C}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C7256BB-E90A-4484-AA8C-39E1676B683F}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C7256BB-E90A-4484-AA8C-39E1676B683F}: NameServer = 69.50.176.156,195.225.176.31
O18 - Protocol: vskype - (no CLSID) - (no file)
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)
If You have connection problems or those 017's ~ 69.50.176.156,195.225.176.31, return >
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems
Download unzip then scan with RootkitRevealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
when its done go file > save, attach or post the log back here in your next reply
Not to worry, normal there are a few of item shown.
It's an intensive scan, I suggest you disconnect from the internet and leave the PC alone until its finished.
Since the log might be very large, Please edit out items in
C:\RECYCLER\NPROTECT if there.
c:\windows\temps
documents and settings\your name\---- temporary internet files.
And C:\System Volume Information, before posting
Post a fresh hijackthis log please, be sure to mention any current problems.
Spiderman
2006-02-20, 23:41
I followed everything as requested in the last reply.
For this part: "If You have connection problems or those 017's ~ 69.50.176.156,195.225.176.31, return >''
I did not have connexion problem.
For this part:"Since the log might be very large, Please edit out items in
C:\RECYCLER\NPROTECT if there.
c:\windows\temps
documents and settings\your name\---- temporary internet files.
And C:\System Volume Information, before posting"
I did not find any log files in these directories.The scan with RootkitRevealer gave :"Scan Complete: No discrepancies found".When doing save after the scan the file was completely empty.
Here is the log for hijackthis after scanning (and removing the entries 017 & 018) after the rootkit revealer:
Logfile of HijackThis v1.99.1
Scan saved at 16:23:07, on 2006-02-20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
C:\antispyware\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.biblio.polymtl.ca:8080/biblio
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af0f7d19f01815/netzip/RdxIE601_fr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: vskype - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
----------------------------------------------------
Persisting Problem:
Each time I restart my PC tea timer still tells me it is allowing the change to my homepage.
Please find attached the log for the tea timer :
I thank you all again for your effort and time. Thanks.
LonnyRJones
2006-02-21, 06:17
:"Scan Complete: No discrepancies found".
Thats a good sign :)
About Tea timer , see this quote by md usa spybot fan
For TeaTimer 1.4 Registry changes.
If you checked "Remember this decision" on a change the information concerning that change it is stored in a file. TeaTimer uses that information to automatically "Allow" or "Deny" changes. To edit this information:
Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
Allowed processes
Blocked processes
Allowed registry changes
Blocked registry changes
Note: If you don't see all four buttons, try expanding the window to the right.
You can review all the entries that you have stored by clicking on these buttons. The entries that you should review are in "Allowed registry changes" and "Denied registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember so that during future changes to these items TeaTimer will issue a pop-up dialog rather then just a notification pop-up.
Spiderman
2006-02-21, 16:34
:"Scan Complete: No discrepancies found".
Thats a good sign :)
About Tea timer , see this quote by md usa spybot fan
I have seen in the Tea timer the allowed registry changes in fact contain one entry allowing to change my start page to www.polymtl.ca:
"HKEY_CURRENT_USER\SOftware\Microsoft\Internet Explorer\Main\Start Page=http://www.polymtl.ca/index.php"
. But there is also an entry in Blocked Registry changes saying:
"HKEY_CURRENT_USER\SOftware\Microsoft\Internet Explorer\Main\Start Page=http://www.searchportal.info/10039/"
Which I suppose means that search portal is present (but on scanning with Spybot and ad-adware SE Personal I found absolutely no problems) and wants to change my default page. I should be grateful if you could help me in removing it. I am therefore afraid to delete these two processes as it could change my default page. Pls help/advise.
Thank you again.
LonnyRJones
2006-02-21, 20:40
Turn off Tea Timer (right-click its icon in the tray area near the windows clock and choose exit) and close SpyBot if open. Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
To your desktop, run ResetTeaTimer.bat.
Since it will not be needed again delete ResetTeaTimer.bat.
Turn Tea timer back on again via SpyBots tools resident page.
Spiderman
2006-02-22, 07:10
After running the bat file as suggested I restarted the PC and noticed that i did not have the problem which I told was persisting in the last mail. I thank you very much for your efforts. I just wanted to know if the bat file was a patch on the tea timer or it was the original tea timer file and if the problem was occuring because I changed the tea timer with reshack to correct the display button problem in the Deny/Allow change window of tea timer.
Thanking you again and in advance.
Spiderman
2006-02-22, 18:19
I am actually using the free version of avg, but I suppose it does not detect rootkit viruses.Is there other free good antivirus out there which you may suggest please or is the avg free edition still good?Will Spybot be scanning the rootkit in the future?What else as complement (free ones in particular)can we use for the time being to make regular checks particularly for the rootkit attacks.? (I have tea timer resident on, I scan regularly with adadware SE Personal free version now and have also Spywareblaster installed as well as IE_SPYAD, i also use clean up from time to time)
Thank you beforehand
Spiderman
2006-02-22, 20:03
One last information please.Could u suggest to me a free software (preferably which do not need installation) which u can use in order to save an internet page together also with the files/other pages that the page links to and u can choose the depth to which u want to save.
Thank you
LonnyRJones
2006-02-22, 21:37
AVG is a good program , if you can though get its pro version.
Ad_aware does have a root kit plugin tool.
If you suspect a rootkit you can use
Blacklight: http://www.f-secure.com/blacklight/try.shtml
Or system internals rootkill revieler
Normaly though running your antivirus and antispyware programs while in safe mode will help as most stealth virus/trojans dont run in safe mode.
For your last question, have you checked into microsofts offline browser pack ? when you save a favorite tick the box in make available offline.
Spiderman
2006-02-23, 04:52
Thanks for everything.
Does these two (Backlight n rootkit revealer) automatically remove the problem (like does spybot).?In fact i cannot go to safe mode with my PC. Don't know why. When i try at start up to press the F8 (or F5 to go to safe mode forgot) it just don't. For the offline browsing in fact I have access to a site with login n password and wish to store part of the site by saving it on hard disk for future acess (without connexion) but I cant it continues to ask to connect and to put login/password in order to acess other pages (the first main page is well saved) for which the links in this saved page access to. Perhaps one cannot save sites which requires login/password apart from the first page.:scratch: .
Anyway please advise if u can and thank you once more.
PS:U did not tell me what the bat file for tea timer was for.
LonnyRJones
2006-02-23, 06:56
Resetteatimer.bat did about that same as the manual instructions in post 9 would have
http://forums.spybot.info/showpost.php?p=12828&postcount=9
No they do not automaticly fix, Use discrection when scanning with rootkilrevieler and blacklite, they can and do show false possitives, Its best to post there logs in a help forum.
You might ask in a more gerneral forum section about offline browsing
I actualy havent used IE's offline browsing capability.
Spiderman
2006-02-23, 07:21
Thanks for all the info.
You are great Guys.
LonnyRJones
2006-02-23, 07:25
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.
Regards
Lonny