I have the MSITStore virus!!! Please help a newbie...

Discussion in 'adware, spyware & hijack cleaning' started by Phatty Phonzerelli, Apr 23, 2004.

  1. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    I'm running XP Pro and I have tried running Spybot and Ad-Aware 100 times each! I have also just downloaded SpyGuard and SpywareGuard. I also downloaded and ran CWShredder as well. I just ran HijackThis and will put the log below. This also seems to be affecting my connectivity to the net as well. Sometimes upon boot-up, if I try to connect, it takes approx. 1-2 mins and then it will finally come up, or it will lock up and I'll have to hard boot.

    Here is my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:39:06 PM, on 4/23/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\explore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Wife\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Window] explore.exe
    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\RunServices: [Window] explore.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38077.8569097222
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44E95D59-0C16-460A-A661-84834D44453B}: NameServer = 151.164.1.8 151.164.11.201

    Thanks to anyone who can help me out till they find a solution. Did I understand correctly that there is no permanent fix just yet?

    Thanks Again,

    Jason
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Phatty Phonzerelli,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups in the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    O4 - HKLM\..\Run: [Window] explore.exe

    O4 - HKLM\..\RunServices: [Window] explore.exe

    Download CWShredder and run. Be sure ALL other windows are closed and use the Fix button and follow the instructions you will receive.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\WINDOWS\start.chm
    C:\WINDOWS\start.html
    explore.exe <-- you may have to do a search for this file. Be sure it is explore.exe, NOT explorer.exe or iexplore.exe.

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  3. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Kent,

    (new HJT log below post)

    Thank you for the assistance, and please forgive my lack of PC experience. I don't know that I was able to get HijackThis into its own folder. I have an icon for it on the desktop now and I'm noticing new icons saying backup2004.

    Anyway, after running HJT, I took out the links you suggested and ran CWShredder. I also set up to display hidden folders and operating systems. Then when I went to safe mode I could not find any of these:

    C:\WINDOWS\start.chm
    C:\WINDOWS\start.html
    explore.exe

    The closest thing to any of them was an explore.exe.poly but I just left it there since I was unsure. When I booted back into un-safe mode and tried to get on-line, SpywareGuard came up telling me my home page had been changed from MSITStore... to Aboutblank... then to nothing...

    Now it seems that when I start my PC I get a Windows pop-up telling me that I've changed something in msconfig and I need to select Normal on the General tab, but when I do that and try to re-boot, the PC locks up and then you have to kill it and start up again to the same thing. Also, when I click the start tab, if you go to connections, sometimes they have been completely gone, other times it takes a while before they will display, and sometimes it makes the PC lock up. I'm beginning to think I'm in waaaaay over my head here. Please help!!

    Logfile of HijackThis v1.97.7
    Scan saved at 9:12:10 AM, on 4/24/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\explore.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Wife\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Window] explore.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [Window] explore.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38077.8569097222
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44E95D59-0C16-460A-A661-84834D44453B}: NameServer = 151.164.1.8 151.164.11.201

    I'm at least on-line now and seem to keep getting msn.com for my home page for the time being, but these other problems with the PC locking up and, I guess, me getting it stuck in "selective start" are worse now. This PC was upgraded from Windows ME to XP Pro and had problems before that but not nearly this bad. We did a clean install of XP. Would replacing the hard drive fix the problem? It seems all my attempts are just "pissing into the wind"!!! Thanks in advance for any suggestions for solutions to my problem.

    The Newbie,

    Jason

     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKLM\..\Run: [soundman] soundman.exe

    O4 - HKLM\..\Run: [Window] explore.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [Window] explore.exe

    O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files
    C:\WINDOWS\System32\explore.exe

    then
    Reboot normally &

    download http://members.aol.com/toadbee/hoster.zip

    unzip it and run it and select the copy hosts file to clipboard and paste the results back here in a reply

    then reselect normal start up in msconfig
     
  5. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Derek the spykiller.. You out there? I ran HJT again...

    I had a busy weekend and just got a chance to follow up on this. Thanks for your help. As you instructed I ran HJT again and fixed the problems specified below. When I started in safe mode I right-clicked Start, then clicked Search, cut/pasted C:\WINDOWS\System32\explore.exe and searched. It did not find this file. Then I restarted the PC and ZoneAlarm asked me if I wanted to allow soundman.exe to access the internet. I told ZA "NO". I didn't realize you wanted me to run the aol toadbee before I restarted in "normal" mode, but I have already run it and wanted to post the log you asked me to.




    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a # symbol.
    #
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 nai.com
    127.0.0.1 www.nai.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.grisoft.com
    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy


    Let me know if I need to do anything else? I have been able to clean up my machine with all of the help I have received from you and Kent. It is still a little jerky and having a little trouble connecting to the internet at times, but my homepage hasn't been hijacked since Friday night. I hope they (whoever they is?) will find a fix-all for it soon! I've also run updates again on Ad-Aware and Spybot and come back clean on those as well. Let me know if you need another HJT log.

    Again, thanks so much for being so helpful in getting someone new to your forum back up and running again! This site rocks!!!

    Regards,

    Jason


    (You posted)

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKLM\..\Run: [soundman] soundman.exe

    O4 - HKLM\..\Run: [Window] explore.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [Window] explore.exe

    O4 - Global Startup: Reset.lnk = C:\WINDOWS\repair\reset.bat


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPOR...001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files
    C:\WINDOWS\System32\explore.exe

    then
    Reboot normally &

    download http://members.aol.com/toadbee/hoster.zip

    unzip it and run it and select the copy hosts file to clipboard and paste the results back here in a reply

    then reselect normal start up in msconfig
    __________________
    Derek
    My website http://www.thespykiller.co.uk contains Hijackthis & cwshredder and other useful downloads
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Phatty Phonzerelli,

    As they are related, I moved your post over here into your original thread just to keep things neat and tidy. ;)


    snowbound
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Phatty Phonzerelli,

    Run Hoster again, check the following items and then click "Remove checked from hosts file".

    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 nai.com
    127.0.0.1 www.nai.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.grisoft.com

    Reboot and run Hoster again, click "Copy Hosts file to clipboard" and paste here to be sure it stayed fixed.

    Regards,
    Kent
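
The check and clean-up Hoster is used for above, as an added example that is not part of any post in this thread and is not how Hoster itself works: find hosts entries that point security-vendor sites at the local machine, drop them, and audit again to confirm the file stayed fixed. `SECURITY_SUFFIXES` is an assumption built from the domains listed in the thread, and the function names are this sketch's own.

```python
import ipaddress

# Constructed sample: a shortened version of the hosts file posted in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost

127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 download.mcafee.com   # trailing comment
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
"""

# Assumption: vendor domains taken from the entries listed in the thread.
SECURITY_SUFFIXES = (
    "sophos.com", "mcafee.com", "symantecliveupdate.com", "viruslist.com",
    "f-secure.com", "kaspersky.com", "avp.com", "networkassociates.com",
    "nai.com", "ca.com", "my-etrust.com", "trendmicro.com", "grisoft.com",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_line(line):
    """Return (ip, [hostnames]) for a mapping line, or None for comments and junk."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_security_host(host):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(host == s or host.endswith("." + s) for s in SECURITY_SUFFIXES)


def audit_hosts(text):
    """List (line number, ip, host, verdict) for every overridden security site."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, hosts = parsed
        for host in hosts:
            if host in LOCAL_NAMES or not is_security_host(host):
                continue
            # Loopback or 0.0.0.0 makes the site unreachable; any other
            # address sends the machine to a server of someone else's choosing.
            local = ip.is_loopback or ip.is_unspecified
            findings.append((lineno, str(ip), host, "blackholed" if local else "redirected"))
    return findings


def remove_flagged(text):
    """Drop every line that audit_hosts flagged (the whole line, other names included)."""
    bad = {lineno for lineno, _, _, _ in audit_hosts(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print(audit_hosts(remove_flagged(SAMPLE_HOSTS)))  # empty list once cleaned
```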
     
  8. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Kent,

    You are a freagin' miracle worker man!! I'm not sure that everything is fixed, but I think so. My machine seems to be operating better now than in months. I do have 2 questions for you though, if I may. (1) I read a few of the other posts about this MSITStore and understood that there was still no way to remove it completely yet? (2) You or someone else may or may not be able to help me out on this one. I have SBC as my DSL provider. I have it set so that when I click Internet Explorer it automatically fills in user/password and connects. The thing is that I have noticed that when it does its thing, the password dots come up with many more than what my password is. Could this just be a security thing or is it using a different password to sign me in?

    Here is my latest aol toadbee log:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a # symbol.
    #
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy



    Looks like they are gone? Man, I really can not thank you and everyone else for all the help! If you ever take up scuba diving come visit the board I stay at, it is http://dive.scubadiving.com/talk/list.php?f=1 and it's a lot like this board but about scuba. Please let me know if I'm not done yet. I'm sure I will run Ad-Aware (deep scan), CWShredder, and Spybot again, to be sure there is nothing there. I think I also need to re-install ZoneAlarm because it seems not to want to start up every time the PC starts up?

    Regards,

    Jason
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Jason,

    Your log is clean. The problem is there is no permanent solution for this yet. It is an exploit that is able to work thru a vulnerability in Windows that Microsoft has not patched yet. There is an article describing this exploit and the workaround for it until a patch is released. You can find both the article and the workaround HERE.

    As far as your automatic logon, I will leave that for someone else to answer.

    I would wait to see if you have any more problems with Zone Alarm. If you do, you can always try a reinstall and see if that works, but hopefully the problem left with the spyware.

    Regards,
    Kent
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    when you use XP it uses a random number of extra dots regardless of how many letters in your password

    it's supposed to be a security measure to help stop people guessing your password so it's quite normal for autologin to have a different number of dots than those you manually type in
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    just one more thing search for & delete soundman.exe

    you might have to go into safemode to do that

    when I fixed the entries above I wasn't 100% sure whether it was the virus version or the soundcard driver; as it wants to access the net, it's definitely the virus

    It's this pest here
    http://www.sophos.com/virusinfo/analyses/w32agobotjs.html
     
    Last edited: Apr 26, 2004
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Agobot gets on to the computer via exploits in the RPC DCOM setup; there are a multitude of updates to cure the exploits

    it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
     
  13. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Just a few more questions guys... I ran toadbee and HJT again and will post logs. When I go to Microsoft and download the updates, in particular the express Service Pack 1, it downloads the file, then starts to install, and then about 1/4 of the way into that the wizard pops up, but before you can do anything it goes away and the installation completes. Then if I navigate away from Microsoft and come back and scan again, it still shows that I need Service Pack 1? I looked in the download history and it shows that I "successfully" downloaded it, so I'm a little confused: do I have it or not?

    Ok here are my logs:

    toadbee
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a # symbol.
    #
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy


    and here is HJT:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:08:54 PM, on 4/26/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Wife\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKCU\..\RunOnce: [FinishSetup] rundll32 "C:\Documents and Settings\Wife\Local Settings\Temporary Internet Files\Content.IE5\K9QJO96Z\access[1].exe",Check
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38077.8569097222
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44E95D59-0C16-460A-A661-84834D44453B}: NameServer = 151.164.1.8 151.164.11.201

    I'm guessing that I will need to "fix" the soundman.exe still but wanted to get your instructions before attempting that one. Thanks again for all of your help, I'm almost to the other side of this thing, I at least have control over my PC once again!

    Regards,

    Jason
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    to see if we can prevent the cws hijacker reinfecting you try this
    a workaround seems to be to install a good firewall (lists here http://www.wilders.org/firewalls.htm) if you haven't already got one, and block these ranges of ports, both incoming and outgoing: 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255
    that stops the known cws servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked
    then when we have a guaranteed working cure for it we can advise how to fully remove it.

    Now
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKCU\..\RunOnce: [FinishSetup] rundll32 "C:\Documents and Settings\Wife\Local Settings\Temporary Internet Files\Content.IE5\K9QJO96Z\access[1].exe",Check



    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\System32\soundman.exe

    then empty temporary internet files folder from IE/tools/options/general, press delete files
    then
    Reboot normally & run a full antivirus check
     
  15. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Good evening dvk01, I ran HJT again but only found 2 of the 3 problems and fixed them. I however was not able to find this one on HJT:

    O4 - HKCU\..\RunOnce: [FinishSetup] rundll32 "C:\Documents and Settings\Wife\Local Settings\Temporary Internet Files\Content.IE5\K9QJO96Z\access[1].exe",Check

    After I fixed the problems I safe booted and did a search for C:\WINDOWS\System32\soundman.exe and again came up empty. The closest thing I found was

    soundman C:\WINDOWS\system32 308KB APPLICATION

    Should I have deleted that?

    Anyway, so I didn't delete anything except my temp internet files while in safe mode and then rebooted and 1st thing ran HJT to find this:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:34:17 PM, on 4/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Wife\Desktop\HijackThis.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
    C:\WINDOWS\System32\imapi.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38077.8569097222
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

    If I would have deleted the program in safe mode would that get rid of it for now or do I need to just deal with this until there is a final fix? My home page hasn't been jacked in almost a week and my machine is working better than ever. If you think I need to do more I'm more than willing to continue working on it but if I'm just trying to tweak it I can wait till there's a permanent fix. Thanks again for all the much needed help.

    Regards,

    Jason
     
  16. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Also I could not figure out how to block port access for the IP address.

    Jason
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    let's try it this way

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked
    O4 - HKLM\..\Run: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    close hijack this


    then right-click on the taskbar and select task manager, look on the applications tab and see if soundman.exe is running, I don't think it will show there, but if it does select it and press end task, then go to processes tab, scroll down to soundman.exe and select it and press end process, ignore any messages about losing unsaved work etc and then

    go to start/run type cmd and press ok

    a black screen will come up now copy & paste this line onto the end of what's written there and press return

    del "C:\WINDOWS\System32\soundman.exe"

    it needs the space between del & "C

    then type exit

    reboot and post a new log
     
  18. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Derek,

    I have tried and tried and I can not find what you're looking for. I have run HJT numerous times now and determined that I can get the soundman files off and re-start the PC and it will still be gone. It's not until I access the internet that the soundman comes back.

    I also went in to the cmd screen and looked for:

    del "C:\WINDOWS\System32\soundman.exe"

    and it told me it wasn't found. I also struck out with the task manager options? I've updated ad-aware, spybot, CWShredder, Spyware Blaster, and Spyware Guard. I never figured out how to block port access to those IP addy's if that would help any? I am at a total loss here. I still can't believe my machine is operating as good as it is. Any more help greatly appreciated.

    I've learned things here my IT guys at the office know nothing about, and they are some smart guys. You guys are priceless! This site has made it my "covetated" (sp) favorites list.


    P.S. - Let me know if you need any more logs or any thing, it's just those two soundman files that keep showing back up.

    Thanks,

    J
     
  19. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    the 2 soundman entries indicate a new agobot worm infection

    why the start ups keep coming back is because you get reinfected every time you access the net

    Agobot gets on via the RPC DCOM exploits in the same way as blaster did so it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    Have you got separate accounts on this computer if so run hjt under every account and fix the soundman entries
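
    As an added illustration (not part of the original posts, and not HijackThis's own logic), the following Python code parses the registry O4 autorun lines from the logs posted in this thread and flags the entries the moderator asked to have fixed. The `triage` function and its four heuristic names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [soundman] soundman.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKCU\..\RunOnce: [FinishSetup] rundll32 "C:\Documents and Settings\Wife\Local Settings\Temporary Internet Files\Content.IE5\K9QJO96Z\access[1].exe",Check
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
'''

# Registry autoruns only; "O4 - Startup:" shortcut lines use a different layout.
O4_LINE = re.compile(r'^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')


def parse_o4(log_text):
    """Return (key, value_name, command) for every registry O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries.append((m['key'], m['name'], m['cmd']))
    return entries


def triage(log_text):
    """Map (key, value_name) -> list of reasons the entry deserves a manual look."""
    entries = parse_o4(log_text)
    # Which key leaves (run, runservices, runonce, ...) each value name appears under.
    leaves = defaultdict(set)
    for key, name, _ in entries:
        leaves[name].add(key.rsplit('\\', 1)[1].lower())

    findings = {}
    for key, name, cmd in entries:
        low = cmd.lower()
        reasons = []
        if '\\' not in cmd:
            reasons.append('no_path')  # bare file name, resolved via the search path
        if 'temporary internet files' in low or 'content.ie5' in low:
            reasons.append('temp_internet_files')  # launches from the browser cache
        if low.startswith('rundll32') and re.search(r'\.exe"?,', low):
            reasons.append('rundll32_exe_target')  # rundll32 normally loads a DLL
        if {'run', 'runservices'} <= leaves[name]:
            reasons.append('run_and_runservices')  # same value registered in both keys
        if reasons:
            findings[(key, name)] = reasons
    return findings


if __name__ == '__main__':
    for (key, name), reasons in triage(SAMPLE_LOG).items():
        print(f'{key} [{name}]: {", ".join(reasons)}')
```

    A flag here only marks an entry for manual review; the file behind it still has to be located and checked before anything is removed.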
     
  20. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    OK... Here's the deal. I went to the microsoft website and scanned for updates again. There were like 28 items. I can successfully download all but the Service Pack 1. I have tried about 10-15 times and get the same results....

    When I click "install now" it goes thru the download meter then starts on the install meter below, about 3 bars into it, a pop up that says "extracting files" does its thing and then the installation wizard pops up. If you try to get thru it you can go all the way to the page where it says checking configuration or something like that but, it doesn't do anything and then it just goes away and the install meter goes up to 4 bars and then I get another pop-up advising that Service Pack 1 couldn't be installed due to an error.

    Is there any reason I can download all but this one pack?

    I can probably get one of the buddies at the office to burn a copy for me to cd rom if that would work? My machine is definitely functioning better now than ever before if I could just get rid of those pesky soundman files. I also noticed that they are trying like crazy to access the internet and trying to get in like crazy but, ZoneAlarm is blocking all attempts shown thus far.

    Let me know what I need to do. Is there anywhere else on-line besides the actual microsoft site to get the SP1a?

    Any help greatly appreciated!

    Thanks,

    J
     
  21. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've seen this a few times with zone alarm and high settings

    also za has privacy settings and that blocks windows updates

    SP1 uses a web downloader and needs to stay connected as it only downloads and installs what it needs and za has a habit of blocking sp1 as it doesn't recognize that a program you allowed access to is the same program

    either put windows update in za safe zones or while updating set za to low

    or get a mate to download the full sp1 install rather than the web based install burn to cd and try that way

    that eliminates the za problem
     
  22. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    otherwise if you have a fast connection go here
    http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/default.asp
    and download the network install which is the full 134 mb install and will stop the problem you are having

    anytime you try the express install I think you will have the same problem because of the firewall blocking it

    the other reason for sp1 or sp1a install errors is if you have a dodgy copy of windows with a serial number on the blocked list, but you normally get a warning about that when you first try to install sp1 or sp1a
     
  23. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Good evening, I guess I've been dodging posting as well as I've been very busy.

    Ok, I found out that I do indeed have a... as dvk01 put it a "dodgy" copy of XP, or free copy, however you want to say it. Now what do I do? If I go to add/remove programs it says I have Windows XP hotfix - KB835732. But, I continue to get an auto update for it and if I download it, it says it completes the install. I think that 835732 is either sp1 or the java thing I need installed to keep from getting viruses?

    1. Do I just keep waiting for the guy (co-worker) to get me sp1 on disc to install? And will that even fix it?

    2. Can I contact Microsoft and pay them to register it or can you do such a thing, and would I get in any trouble?

    3. Do I just suck it up and go buy a copy of XP, and if so can I buy the "upgrade" instead of the whole bundle of XP home or pro just for the registration #?

    Help me out here please, I need to figure out the best way to get my PC back to normal, we (my wife and I) use it daily for everything from banking to shopping. As far as the viruses go, after all this time finally, the McAfee got the soundman.exe crap off of my machine but now I have this new spad or myexe. something or another. I've read that it's bad and I can tell you 1st hand I thought that MSIT was the worst... This spad thing is just unbelievable!!! I've cursed more in the past few days than I care to, and I cuss like a sailor! Do I need to buy a new hard drive or what? All and all I've been having horrendous problems with my PC for the better part of 1 year.

    The Machine is a nice Compaq 5012US, about 2 years old this month I believe.

    Processor Speed: 1000MHz
    Processor Type: Intel Pentium III
    RAM: 128MB
    RAM Technology: SDRAM
    Hard Drive Capacity: 40.0GB
    Chassis Style: Mid-Tower, Mini-Tower
    Operating System: Microsoft Windows, Microsoft Windows ME
    Cache Size: 256kb
    Modem Speed: 56.0kbps
    Included Drives: DVD/CD-RW Combo
    CD / DVD Drive Type: DVD-ROM
    Floppy Drive Type: 3.5" HD
    Removable Drive Type: None
    CD-ROM Read Speed: 8X
    Bus Speed: 133 MHz
    Input Devices: Keyboard, Mouse
    Height: 16.5in
    Width: 8.7in
    Depth: 17.3in
    Weight: 25.3lbs
    Max. Memory: 512 MB


    I recently added 128 more meg of RAM
    It has a brand new DVD rom drive/burner (TDK)
    and a brand new CD rom drive/burner (samsung)

    I really need some advice on where to go from here. Any solutions to get me permanently repaired are greatly appreciated. Thanks!

    Jason
     
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    If you have a valid Windows ME license, you ought to be able to buy an upgrade license for that to bring you to XP Home, I'd think, but check the Microsoft site regarding upgrades and costs. And, you ought to buy it. We don't condone the use of unlicensed software here, and besides it's the right thing to do, isn't it?
     
  25. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    I'm not disagreeing with you... But, I don't know that I can get my set back to ME to upgrade. Does anyone know if I buy the upgrade even to pro (since that is what is in operation now) if I can just install that and be "fixed" other than removing all the spyware and getting the microsoft updates? I want to do the right thing but, also want to know what options I have, and I mean legal "right thing to do" suggestions. Again, any suggestions would be helpful, I'm at a loss.

    Thanks,

    Jason
     