
(Solved) Repeated access request from computer

Discussion in 'All Other Software' started by ahhoe, Jan 11, 2003.

Thread Status:
Not open for further replies.
  1. ahhoe

    ahhoe Thread Starter

    Joined:
    Dec 30, 2001
    Messages:
    344
    For the past 3 weeks, I keep getting access requests to the internet from a funny program that keeps asking for internet access. I am using Norton firewall and antivirus 2003. I tried updating my virus definition files and scanned the whole computer but could not find any virus. There's always a medium risk warning from Norton Internet Security about a program called hjl1.exe trying to access the internet. I checked the "Always use this option" box and blocked its access to the net. The next time I reboot my system, it will come out with another different program name like njl3.exe, ksy3.exe... all those funny file names that I could not find on my computer. So as recommended, I checked the "Always use this option" box and blocked its access. Then everything worked fine. When I go to Internet Explorer, my default URL, which is "www.yahoo.com", keeps changing to "http://sbnt.com/passthrough/index.html?http://www.yahoo.com/". But every time I change it back to "www.yahoo.com" as the default home page and restart my system, the funny homepage, which is "http://sbnt.com/passthrough/index.html?http://www.yahoo.com/", comes back again. What's happening to my system? I have been so fed up for the past few days.

    Can someone help me on this?
    Thanks in advance :) :( :(
     
  2. monted

    monted

    Joined:
    Jun 22, 2002
    Messages:
    860
  3. ahhoe

    ahhoe Thread Starter

    Joined:
    Dec 30, 2001
    Messages:
    344
    I tried installing spybot and adware. Both latest versions. Scanned through my system and deleted all the spyware. Restarted the system. The problem still comes back :(
     
  4. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    Were you able to run both? You stated that you tried.
    Also, is your antivirus program up to date? If not, you can do an online scan for free that is up to date. Check the link below. I would try the housecall link first. I believe that you have a virus, trojan or spyware causing your problems.


    Keep us updated please. Thanks
    jm100dm

    http://forums.techguy.org/t110854/s78342281b84587c3b305b6661e20c6f7.html
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Sure sounds like a worm or trojan.

    Please do this:

    Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

    Unzip, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and post the contents here.
     
  6. ahhoe

    ahhoe Thread Starter

    Joined:
    Dec 30, 2001
    Messages:
    344
    I tried using housecall from the link given. No virus was found. So I tried the "startuplist" program and below are the results. Hope it helps.



    StartupList report, 1/12/2003, 8:48:05 PM
    StartupList version: 1.50
    Started from : C:\DOCUME~1\Oaz\LOCALS~1\Temp\Rar$EX00.806\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Kazaa\kazaa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\TV Capture Card\RecSche.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\DOCUME~1\Oaz\APPLIC~1\qutsnieo.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\DOCUME~1\Oaz\LOCALS~1\Temp\src1.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Oaz\LOCALS~1\Temp\Rar$EX00.806\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Oaz\Start Menu\Programs\Startup]
    Scanner Utility.lnk = C:\WINDOWS\twain_32\Intrsca\636p\SCANER32.EXE

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Forget Me Not.lnk = ?
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    KAZAA = C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    RecSche = C:\TV Capture Card\RecSche.exe
    VirtualDrive = "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    vcdplayx = "C:\WINDOWS\vcdplayx.exe"
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    Fix-It AV = C:\PROGRA~1\Ontrack\Fix-It\MemCheck.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    iecdrbr = C:\DOCUME~1\Oaz\APPLIC~1\qutsnieo.exe -QuieT
    Mirabilis ICQ = C:\Program Files\ICQ\NDetect.exe
    InCD = C:\Program Files\ahead\InCD\InCD.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=
    HKLM\..\Windows\CurrentVersion\WinLogon: load=
    HKLM\..\Windows\CurrentVersion\WinLogon: run=
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=
    HKCU\..\Windows\CurrentVersion\WinLogon: load=
    HKCU\..\Windows\CurrentVersion\WinLogon: run=
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: load=
    HKLM\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    *INI section not found*
    *INI section not found*
    *INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    *Registry value not found*
    *Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: *Registry key not found*
    HKLM\..\Policies: *Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------
    End of report, 9,193 bytes
    Report generated in 0.501 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  7. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You have this one, which points to LOP, as does your Homepage hijack:

    iecdrbr = C:\DOCUME~1\Oaz\APPLIC~1\qutsnieo.exe -QuieT

    Lop does use random and different file names.

    Go to Start > Run > Msconfig, and uncheck that one on the Startup tab.

    You also have this one:

    vcdplayx = "C:\WINDOWS\vcdplayx.exe"

    If you're not 200% certain of what it is and what it does, uncheck it as well.

    Now click OK, close Msconfig, reboot, go to C:\Documents and Settings\Oaz\Application Data, and delete qutsnieo.exe

    Next, do this:

    Download Spybot - Search & Destroy

    It looks for spyware, but also targets dialers, keyloggers, and other nasties, and it's freeware.

    After installing, press Online, and search for, put a check mark at, and install all updates.

    Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
    These aren't needed for our present purpose, and you can always experiment with them later on.

    Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds.

    Good luck,
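
The check applied to the StartupList log in the reply above, written out as an added example (not part of the original thread and not StartupList's own code): it parses the "Autorun entries from Registry" sections and flags Run-key entries whose executable sits in a user-writable profile directory. The directory list and the function names are assumptions made for this illustration.

```python
import re

# Constructed sample: a few lines excerpted from the StartupList report posted above.
SAMPLE_REPORT = r"""
Running processes:

C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Oaz\APPLIC~1\qutsnieo.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
vcdplayx = "C:\WINDOWS\vcdplayx.exe"
iecdrbr = C:\DOCUME~1\Oaz\APPLIC~1\qutsnieo.exe -QuieT
InCD = C:\Program Files\ahead\InCD\InCD.exe
"""

# Assumption: user-writable profile directories, in long and 8.3 short form.
USER_WRITABLE = re.compile(
    r"\\(DOCUME~1|Documents and Settings)\\[^\\]+\\"
    r"(APPLIC~1|Application Data|LOCALS~1|Local Settings)\\", re.I)
RUN_KEY = re.compile(r"^(HKLM|HKCU)\\.*\\CurrentVersion\\Run\w*$", re.I)
ENTRY = re.compile(r'^(?P<name>[^=\[\]]+?) = (?P<cmd>.+)$')

def parse_autoruns(report):
    """Yield (key, value_name, command) for each Run-key entry in the report."""
    key = None
    for line in (l.strip() for l in report.splitlines()):
        if RUN_KEY.match(line):
            key = line
        elif line.startswith("-----"):
            key = None            # section separator ends the current key
        elif key and (m := ENTRY.match(line)):
            yield key, m["name"], m["cmd"]

def image_path(cmd):
    """Extract the executable path from a command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|pif))\b", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def flag_suspicious(report):
    """Return autoruns launched from user-writable profile directories."""
    return [(k, n, image_path(c)) for k, n, c in parse_autoruns(report)
            if USER_WRITABLE.search(image_path(c))]
```

On the sample this flags only the iecdrbr entry; vcdplayx lives under C:\WINDOWS, so a path heuristic like this one does not catch it and it still needs the manual judgement given in the reply.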
     
  8. ahhoe

    ahhoe Thread Starter

    Joined:
    Dec 30, 2001
    Messages:
    344
    Thank you guys!! My problem is solved :p
    I am so happy now :)
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You're welcome! :)
     

Short URL to this thread: https://techguy.org/112724
