alexandra and cws - AOL problem, too!

alexandra and cws

(Mod Note: Member has posted a more recent hijackthis log, which has been merged into this current thread (see post #3)

philandsuehshop - please do not start a new topic each time you post a log. Stay with this one until your computer is cleaned. I will lock and remove the other three threads you have since they are older now. - snap



ive been infcted with these hijacks
when aol browser cache gets a little full it causes browser problems.
please look at this log?

Logfile of HijackThis v1.97.7
Scan saved at 23:03:01, on 25/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\GENERIC\USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\VOYAGERTEST\FTS.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Startup: TCLOCKEX.lnk = C:\Program Files\TCLOCKEX.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38151.2650810185

 

Re: alexandra and cws

Hello philandsuehshop,

Download CWShredder Click on update, then close all browsers, and then click on Fix, not scan.

Next, download Spybot S&D Check for Updates first, download ALL Updates and Do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

Reboot the computer.

Run Hijackthis again and post a fresh log here.

 

still got problems - sue h-look at this log?

I would be so grate full if you could have a look for me - something is still causing problems when my browser cache gets about 500kb full - its fine when i clear cache.
Thx Sue

Logfile of HijackThis v1.97.7
Scan saved at 13:04:27, on 27/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\GENERIC\USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\VOYAGERTEST\FTS.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\AOL 9.0\WAOL.EXE
C:\PROGRAM FILES\AOL 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Startup: TCLOCKEX.lnk = C:\Program Files\TCLOCKEX.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

 

Re: alexandra and cws

sorry if we are not following any etiquette but we are trying to learn - thanks for been patient!
Sue and phil

 

Re: alexandra and cws

Hello,

What problems do you have? Your log looks pretty good.

Cache is something you should clean on a regular basis.

This is also something I suggest:

1. Open My Computer
2. Right click on your hard drive that you wish to clean (C drive, for example)
3. In the context menu that opens, select properties
4. Under the general tab you should select Disk Cleanup
5. Windows will scan your drive which will take a few seconds/minutes
6. A box will display the various files you can remove. Here are some safe examples:

Temporary Internet Files
Recycle Bin
Temporary Files
(I personally will delete download program files also)

7. Click OK and windows will comply.

 

Re: alexandra and cws

Thanks for putting us on the straight and narrow - I think we have it now!!!

The problem we still have is this:
We are running Win ME and AOL 9
When I have visited a few sites I start to get text (which I have copied and you can see at the end of this message) instead of seeing the site as it should.
This stops when I click START, PROGRAMS, AOL, AOL System Information - then I select the UTILITIES tab then click CLEAR BROWSER CACHE.
Every thing is fine for a while until the problem starts over - the cache seems to reach about 600kb before it becomes a problem.
This all started after I got CWS which I cleared by adaware, cwshredder and hijack this.
This is what I see;

HTTP/1.1 200 Ok Server: Microsoft-IIS/5.0 Date: Tue, 22 Jun 2004 19:55:12 GMT Content-Type: text/html Set-Cookie: ASPSESSIONIDSSDBTCRB=PBBHIHNDGCHEOICFPCFNAHJI; path=/ Cache-control: private X-TS: D4FA69CA~20282 Age: 25 Via: HTTP/1.1 loh-ab08 (Traffic-Server/5.3.3 [cMsSf ]), HTTP/1.1 Turboweb [loh-td041 8.0.9.4], HTTP/1.1 (Velocity/1.1.0 [uScMsSf pSeN:t cCMpSs ]) Content-Length: 20282 HTTP/1.1 200 Ok Server: Microsoft-IIS/5.0 Date: Tue, 22 Jun 2004 19:55:12 GMT Content-Type: text/html Set-Cookie: ASPSESSIONIDSSDBTCRB=PBBHIHNDGCHEOICFPCFNAHJI; path=/ Cache-control: private X-TS: D4FA69CA~20282 Age: 25 Via: HTTP/1.1 loh-ab08 (Traffic-Server/5.3.3 [cMsSf ]), HTTP/1.1 Turboweb [loh-td041 8.0.9.4], HTTP/1.1 (Velocity/1.1.0 [uScMsSf pSeN:t cCMpSs ]) Content-Length: 20282 149,232,132,233,122,228,124,200,139,185" href="http://www.roomcheck.co.uk/scripts/siteSummary.asp?dc=CU&wc=cu&tg=../cu/img/header_sector4.htm&bg=../cu/img/footer_stay.htm&bkgnd=
../cu/img/background.gif§orid=4&book=0&areaid=206&msg=Browsing$$property$properties$$in%20Ullswater%20and%20Eden%20Valley" alt= "Ullswater and the Eden Valley">
Bottom of Form 0
Stay <http://www.golakes.co.uk/stay> See & Do <http://www.golakes.co.uk/see> Map <http://www.golakes.co.uk/map/> Info <http://www.golakes.co.uk/info/> Contact <http://www.golakes.co.uk/contact/> Brochure <http://www.golakes.co.uk/brochure/> Find <http://www.golakes.co.uk/search/> Discover <http://www.golakes.co.uk/discover/>Home <http://www.golakes.co.uk>

We hope you can help.
Phil and Sue

 

Re: alexandra and cws

Hi there, allow me a question:
does this always start at the same page or no matter where you start surfing after connecting to internet?
Do you remember which URL this is, as it seems the source (?) of some webpage but some more too.
Was your system patchedf with all security patches from windows update?

 

Re: alexandra and cws

Hi,
It seems to start on whatever page I am viewing when my cache starts to fill up.
I cant get a windows up date - when I connect it stays at some thing like - checking pc for neccarsery updates 0% compleste - for ages and will not go past this point.
I will post its url in a minute.
Thanks

 

Re: alexandra and cws

More info - ( I had to swap screen names to get it!)


this is the address of a typical site:

http://www.roomcheck.co.uk/scripts/...=../cu/img/footer_stay.htm&areaid=&sectorid=4

This is what i see now on my screen :

HTTP/1.1 200 Ok Server: Microsoft-IIS/5.0 Date: Mon, 28 Jun 2004 22:02:53 GMT Content-Type: text/html Set-Cookie: ASPSESSIONIDQQCCSCQB=HMLBPLMDAEBADGKJLAABJONI; path=/ Cache-control: private X-TS: D4FA69CA~20418 Age: 34 Via: HTTP/1.1 loh-ab08 (Traffic-Server/5.3.3 [cMsSf ]), HTTP/1.1 Turboweb [loh-tb043 8.0.9.4], HTTP/1.1 (Velocity/1.1.0 [uScMsSf pSeN:t cCMpSs ]) Content-Length: 20418 ">
My browser cache was about 570k full

 

Re: alexandra and cws

Checking their server (with a little script i made myself for TDS)
WebServer is Server: Microsoft-IIS/5.0Date: Tue, 29 Jun 2004 06:04:28 GMTContent-Length: 20418Content-Type: text/htmlSet-Cookie: ASPSESSIONIDSQADTDRA=HKIBLEHAIIIDDJAODPADECDC; path=/Cache-control: private

Paste the javascript alert in the addressbar and look what you get
javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");

Code:

http://www.roomcheck.co.uk/scripts/accomsearch.asp?dc=CU&wc=cu&tg=../cu/img/header_serv.htm&bg=   
../cu/img/footer_stay.htm&areaid=&sectorid=4

Is there anything in your browser settings giving you all that server info, including all the links in the page for the images etc?
Are you running any other monitoring program giving you all that?
Is your HD rather full so there is no proper swapping anymore and that kind of info which should not be seen in the first place should disappear automatically is all stored?
I think a good windows ME expert should join this conversation to look into your system settings and specifications, maybe settings in your browser, to make sure all that is ok.
If you have little disc space with windows ME with all those automatic system, restore points, it might serve you to disable system restore, reboot, enable system restore again and create manually a new system restore point. windows ME is so kind to help you step by step through such actions.
Unfortunately it doesn't allow you to say ok i want to keep my last 2 or 3 real restore points and the original when i first installed it and all between can go to save lots of space.
After that defragging the system (all scanners out, i prefer doing it in safe mode so nothing is running) might help too.
But before doing all this can you tell some more about your system, HD size and if there could be a problem of space indeed? RAM, etc.

I seeeyou have GOBACK together with the system restore? Could those two be fighting and filling your disc? Maybe some settings changed with the CWS cleansing?



I'm also wondering about your script settings,

If you write in notepad this:
msgbox "this is a messagebox"
save as test.vbs on your desktop
now you click that little testfile what exactly happens?
You should get a little grey messagebox popping up in the center of your screen with that text and an OK button.
You can safely click it, nothing happens.
If you would get an error message, it would mean your windows scripting host is not functioning and could be part of the problem with that page, as that has some scripting in it.
Could be the reason for in stead of displaying the page with footers and headers like said in the exact page settings (see my code reply above) you get the text in stead.

 

Re: alexandra and cws

I have about 20 mb hard disc space. RAM 512. Athlon 1700.
This happens with loads of sites, if not all when mt cache is full, I am not aware of any other monitoring programs running.
Go - Back is supposed to disable system restore to avoid any conflict I believe.
However - I just had a thought - I have System Suite 5 as my virus checker and utilities suite and this has a restore feature, could that be a conflict, should I disable it? How would this affect my browser?

"Is there anything in your browser settings giving you all that server info, including all the links in the page for the images etc?" -- How do I check this?

I tried your note pad test and got the following message box:
Script: C\Windows\desctop\tes.vbs
Line; 1
Char: 6
Error :Syntax Error
Code :800A03EA
Source: Microsoft vbscript complication error

I am not sure I undersatnd what you want me to do about the java script info
you gave me.

Thanks.

 

Re: alexandra and cws

The javascript was just a thing i past occasionally in the browser addressbar to see where i really am on a site. Like your site tells you you are on that roomsearch page, but you see it adds all scripts with headers and footers how they want to display it for you.
Now my guess is 99% certainly right you disabled the Windows Scripting Host so you get those errors shown in stead of the images and info those sites want to show you.
You most probably get an error too if you would copy this little script and paste it in the addressbar, no mater on which site, even in this forum
javascript:alert(document.cookie)
It should make a popup in the middle of your screen if you paste that line in the addressbar in the browser and show which cookie this forum sets for you or wherever you try that.

Sooooooooooooooooooooo maybe either the scripting host and probably java are completely closed and disabled or the WSH is not there at all.
At this point it is to decide if there is enough protection to enable it again.
It does also mean it might work with lowering the security level a little bit in the browser.
Are you using Internet Explorer or another one?
In Internet Explorer > Tools > Internet Options > Security,
you see a globe for Internet, a green ball for trusted sites and a red ball for restricted sites.
At this point it would be best for security experts on Internet Explorer settings to jump in, to set and finetune this part exactly with you for all those three locations.
Normal internet might be medium or high security, trusted zone might be low, restricted high and inside everything disabled what is possible to disable.
I hope in fact with looking exactly at the settings there the scripting part will be OK again too. and with that the little testfile you just made will show up properly. (you did make it exactly with the " " around the text did you?)

I think your HD is rather full and there is not much space left.
Now i hope there are specialists who know about Goback and the other restore settings, i don't think of conflict but of a full HD with too little space for proper swapping -- guess the system is rather slow as well?
While with 512 MB RAM you should be very fast!

EDIT:
I supposed you use the Internet Explorer, but i forgot you might be using the AOL browser, is that so?
Some settings might be too tight in the firewall, like header referral and privacy settings, those things.

 

Re: alexandra and cws

Hi,
Sorry - I meant 20 GB hard disc space - oops!
No I didnt include the ".
Now I have and the error reads:
Char:1
Error: expected state ment
Code: 800A0400

javascript:alert(document.cookie)

This does make a M/S IE box appear
I am using AOL

 

Re: alexandra and cws

OK, 20 GB is very different from 20 MB indeed

Now If you're using Internet Explorer, Tools > Internet Options > General tab, in the middle besides the button to clean caches is a button for "settings" (not sure if that's the name for you as i just translate my dutch version)
Behind that button is a slider for the size of your caches. If you can have it at around 5 GB that would work much more comfortable.

If you're using another browser (AOL's own browser?)
I hope it has such an equal option to change the size of your caches to something nice like that.
In between you should be able to press a button to clean caches occasionally.

Hope that part helps for the full caches problem. If you think 5 GB is to many, make it 1 GB, whatever, but over 500 MB at least! The browser will try to clean the caches automatically when it is filled and now we know you have that much space on your HD that should not be a problem in any way.


OK, as you got that messagebox with that javascript working, now we're coming closer.
Make sure your testfile really has the line exactly like this
msgbox "this is my new messagebox"
(the text between the " " is not important, as long as there is that
msgbox[space]<quote><sometext><quote>)
As you save it as test.vbs that is VBScript, used a lot in all kinds of programs.
iI you now get that working from the desktop, we know at least your scripting host part is OK, and that's a relief, so it might be we just and only need to concentrate on the firewall settings.


The privacy settings in the firewall and referer suppression, cookies, those things. I don't run the mcafee firewall nor does anybody in my environment.
In my firewall those privacy settings suppressuion etc are in a privacy area where i set cookies and header referer / privacy suppression etc. It might be on sites you need to allow that. Guess you can set that per site you visit more frequently. Sites you might add to your trusted zone like this forum for instance you can allow (and need to allow) the referer information. And for this forum you see to have that ok, since you seem to have normal access to this forum.
There are no scripts used nowhere in the pages here, so that part can't bother you either.
You have a good test with the checkroom page you posted to get that fine if you change some settings in the firewall.
In my firewall for instance i look for the site and if needed set for that one some individual options; maybe i allow persistent cookies, or i let them expire immediately, might allow advertisement or block all that, for the forum here i allow popups as the only ones possible here are the private messages popups, etc etc.

Standard in my browser i have in the normal internet sites ActiveX set to prompt me for granting, javascript allowed but with extra security settings, etc.
In the trusted zone more is allowed although again ActiveX prompt me before allowing it, and in the restricted zone everything is blocked, disabled, not allowed, not even prompting, nothing.


Now looking forward to your next experiences!
Looking for a mcafee firewall user to jump in for your firewall settings too!

Edit:
http://ts.mcafeehelp.com/?rurl=http....asp&rqs=frames=1&docid=126749&CategoryId=243
Did you look at this page for settings in the Mcafee firewall for AOL ?

 

Re: alexandra and cws

Are you still there? any news with the mcafee firewall settings?

 

Re: alexandra and cws

Hi, sorry - been away

"Behind that button is a slider for the size of your caches. If you can have it at around 5 GB that would work much more comfortable"
Now have done this.
5182464 KB is the maximun AOL cache size -seems as though it should be plenty.

msgbox "this is my new messagebox"
Now i see- I do get a little window saying this is a message box - its so cool im going to keep it!
Is this the genuine microsoft update site?
http://v4.windowsupdate.microsoft.com/en/default.asp
I ask as I have been informed that a way of hackers getting in is hijacking this. I cannot get an update - it
just tells me "searching system etc 0% complete and never moves on!

I wonder if Im still infected but cant find it.
Ihave done a thougher Trend virus scan in safe mode which also scans dos and it came up clean.
I am going to try my firewall settings.

 

Re: alexandra and cws

Problem still there;
Would you mind having a look at this latest log to see if any thing is there now?
Thanks

Logfile of HijackThis v1.97.7
Scan saved at 16:31:52, on 01/07/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\GENERIC\USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\VOYAGERTEST\FTS.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AOL 9.0\WAOL.EXE
C:\PROGRAM FILES\AOL 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Startup: TCLOCKEX.lnk = C:\Program Files\TCLOCKEX.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

 

Re: alexandra and cws

Hello,

I am not seeing anything in your log that needs fixing. I don't think you have a virus either. You can do a double check with that at an online virus scan such as this one:

http://housecall.trendmicro.com/housecall/start_corp.asp

As far as the error you are getting, I can't help. I am not sure what the problem is. I am not sure why you can't do the updates either.

Have you checked the site that Jooske gave you?

My other suggestion would be, call AOL and see if they can assist with the firewall.

Your log looks clean.

 

philandsuehshop

your pc looks just like mine when i started off with windows me as a matter of fact you have all the same software we could be twins lol


all that aol stuff is normal and a ram hog

are you haveing problem loading pages i know i did espechialy on 56k modem

your aol cache might be full

on my start up i looked for the AOL system Info icon then hit the utlitys button like in the pic bellow

under current cache size is it maxed out

if so just hit the clear browser cache button

if your cach limit is to small you might have to change it

best person with aol hell junk is Lowatter the admin here

ask him if theres a way to increase the aol cach limit i know there is just i dont use aol so im not up to speed on it

 

Re: philandsuehshop

you alsio might try this littile utlity at wilders called Internet Sweeper its in the free tool section just make it look like mine run that once a week

 

well i belive it might have something to do with his browser cach limit

he might get page does not display cant find server when loading web pages

this is usealy the cause of 3 things your cach limit is to sall

your behind a firewall that isnt configured right

or your aol acess number on your modem is craped out

 

I also posted about this exact problem in the Other Firewalls Forum, and got Peter's reaction, which could be very instructive too:
https://www.wilderssecurity.com/showthread.php?p=209784

 

Thanks for your responces,
It does seem to be related to my browser cache as it goes away when I clear it - however 5182464 KB is the maximun AOL cache size -seems as though it should be plenty.
I get a problem when my cache reaches 600 kb approx!
I am also finding that I am getting arror messages - cant connect to site etc.
If I have no spyware any more I am sure it may have done something to mess some settings.
I am offline for a while now for one reason and another so I wont be here for a week - but any help in the mean time will still be appriciated.
Thanks for all your afforts.
See you soon

 

Hi,
Back off hols!
And back to this!!!!!
I have done nothing except instaled windows update cd feb 04
I have caught and hopefully removed "alexa" with adaware and spy bot.
This next bit is wierd - the problem is still there but only kicks in when the cache is much more full - eg 10,000 kb!
I will address the other advise you gave before we went away !