nternet access problem after moving from AOL to Sky

waddler_8

I think the webreg tasks are HP printer related & I would try for a AV scan of some kind as there is a suspicion of Ramnit.

RussJK

You're probably right re: scheduled tasks http://startups.cesam-antimalware.com/En/Files/webreg%252020070905215901.job/

What makes you think Ramnit? C:\WINDOWS\imsins.BAK?

GunJack

plenty of carp running in that log, no wonder there's not much free RAM left.....AOL, Securina, stopzilla, bing, and one or two I didn't recognise OTTOMH....

GunJack

I'd also run mcrapee removal tool to get rid of remnants, if it hasn't been done already....usually twice to be sure

RussJK

GunJack wrote: »

plenty of carp running in that log, no wonder there's not much free RAM left.....AOL, Securina, stopzilla, bing, and one or two I didn't recognise OTTOMH....

also leftovers from AVG, McAfee, MSE...

That's not Secunia PSI though:
R2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2006-11-02 174656]

RussJK

Hi OP.

First things first if you run Hijackthis again and TICK or CHECK each of the following, and then select 'Fix Checked':
R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Docum ents and Settings\Carole\Local Settings\Application Data\lesyyght\tkgahfkx.exe
O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\program files\stopzilla!\sziebho.dll (file missing)O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TkgAhfkx] C:\Documents and Settings\Carole\Local Settings\Application Data\lesyyght\tkgahfkx.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [TkgAhfkx] C:\Documents and Settings\Carole\Local Settings\Application Data\lesyyght\tkgahfkx.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

RussJK

Secondly could you download and run OTM:
http://www.geekstogo.com/forum/files/file/402-otm-oldtimers-move-it/

In the yellow box on the left, could you paste all of the following in bold (including :Files).

:Files
C:\Program Files\SGPSA\SearchAssistant.dll
C:\Program Files\SGPSA\BHO.dll
C:\Program Files\Search Guard PlusU\sgpUpdaters.exe
C:\Program Files\Search Guard PlusU\
C:\Program Files\SGPSA
C:\Documents and Settings\Carole\Local Settings\Application Data\lesyyght\tkgahfkx.exe
C:\Documents and Settings\Carole\Local Settings\Application Data\lesyyght\
C:\211a665fdd8dc5b1b300
C:\WINDOWS\imsins.BAK
C:\Documents and Settings\Carole\Local Settings\Temp\gAGP440p.sys
C:\Program Files\Kiwee Toolbar
C:\Documents and Settings\Carole\Local Settings\Temp\w.exe
:Commands
[RESETHOSTS]
[EMPTYTEMP]

Afterwards press MoveIt! The computer will restart, and afterwards a log will come up in notepad. Please copy/paste the log here.

GunJack

RussJK wrote: »

also leftovers from AVG, McAfee, MSE...

That's not Secunia PSI though:
R2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2006-11-02 174656]

did only have a quick look Damn sneaky calling the file that, though ....

sitcom321

right i am going to get started with it now, thanks

sitcom321

right here we go

All processes killed
========== FILES ==========
C:\Program Files\SGPSA\SearchAssistant.dll moved successfully.
File/Folder C:\Program Files\SGPSA\BHO.dll not found.
C:\Program Files\Search Guard PlusU\sgpUpdaters.exe moved successfully.
C:\Program Files\SGPSA folder moved successfully.
File/Folder C:\Documents and Settings\Carole\Local Settings\Application Data\lesyyght\tkgahfkx.exe not found.
Folder move failed. C:\Documents and Settings\Carole\Local Settings\Application Data\lesyyght scheduled to be moved on reboot.
C:\211a665fdd8dc5b1b300\update folder moved successfully.
C:\211a665fdd8dc5b1b300\support folder moved successfully.
C:\211a665fdd8dc5b1b300 folder moved successfully.
C:\WINDOWS\imsins.BAK moved successfully.
File/Folder C:\Documents and Settings\Carole\Local Settings\Temp\gAGP440p.sys not found.
C:\Program Files\Kiwee Toolbar\3.2 folder moved successfully.
C:\Program Files\Kiwee Toolbar folder moved successfully.
File/Folder C:\Documents and Settings\Carole\Local Settings\Temp\w.exe not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users
->Flash cache emptied: 616 bytes

User: Carole
->Temp folder emptied: 1829840 bytes
->Temporary Internet Files folder emptied: 9149195 bytes
->Java cache emptied: 150849020 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1530041 bytes

User: Default User
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 14087699 bytes
->Flash cache emptied: 466 bytes

User: NetworkService
->Temp folder emptied: 7078904 bytes
->Temporary Internet Files folder emptied: 99868274 bytes
->Flash cache emptied: 405 bytes

User: Olivia
->Temp folder emptied: 163602970 bytes
->Temporary Internet Files folder emptied: 138464679 bytes
->Java cache emptied: 52632366 bytes
->Flash cache emptied: 6878 bytes

%systemdrive% .tmp files removed: 12864 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 7024961 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1329068 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 237741117 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2492251445 bytes

Total Files Cleaned = 3,221.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 08222011_205835

Files moved on Reboot...
Folder move failed. C:\Documents and Settings\Carole\Local Settings\Application Data\lesyyght scheduled to be moved on reboot.
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5YF0HYF\adlink%7C517%7C1046193%7C0%7C1%7CAdId%3D1255936%3BBnId%3D1%3Bitime%3D748776428%3Blink%3Dhttp%3A%2F%2Far%2Eatwola%2Ecom%2Fredir%2FB0%2FP551AI3sryk6u0D3Uk7SpGsmTBM1JYyBA0zcf[1].htm not found!
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5YF0HYF\dorothy-perkins-boots_Clothes-Shoes-Accessories_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfclZ3QQfromZR2QQfrtsZ100QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1Q[1].htm not found!
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5YF0HYF\dorothy-perkins-boots_Clothes-Shoes-Accessories_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfclZ3QQfromZR2QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQ[1].htm not found!
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q9J2U4W6\dorothy-perkins-boots_Clothes-Shoes-Accessories_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfclZ3QQfgtpZQQfposZPostcodeQQfromZR2QQfsooZ1QQfsopZ1QQftr[1].htm not found!
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q9J2U4W6\rock-republic_W0QQcatrefZC6QQfromZR10QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQga10244Z10425QQsacatZQ2d1QQsatitleZrockQ20Q26Q20republicQQsifZ1QQsofpZ4QQssPageNameZWLRS[1].htm not found!
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\GFIL8T47\faith-boots-size-5_Clothes-Shoes-Accessories_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfclZ3QQfgtpZQQfposZPostcodeQQfromZR2QQfsooZ1QQfsopZ1QQftrtZ1[1].htm not found!
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\GFIL8T47\rock-cropped_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQga10244Z10425QQsacatZQ2d1QQsaprchiZQQsaprcloZQQssP[1].htm not found!
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\D8AXZM96\adlink%7C517%7C1046584%7C37%7C225%7CAdId%3D1255429%3BBnId%3D2%3Bitime%3D664533046%3Bkey%3D%2bisMaster%2bSilver%2bf%2bbl4%2bbolton%2bgb%3Blink%3D;ord=664533046[2] not found!
File C:\Documents and Settings\Olivia\Local Settings\Temp\Temporary Internet Files\Content.IE5\D8AXZM96\faith-boots-size-5_Clothes-Shoes-Accessories_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfclZ3QQfromZR2QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQga1[1].htm not found!

Registry entries deleted on Reboot...