something in XP hangs me up from logging in to my bank! HELP!

[richsgirl]

I've never had any problems logging in to my bank account until a few days ago. Now when I log in with my user name and password, I get a new screen that says "time is out, you must log in again or return home." I called the bank, and their tech support guy says he's heard of this with Windows XP and there is something in the settings or firewall that is hanging it up. He suggested I clear my cookies, which I did, but he didn't offer any other help with looking at my settings or firewall. I would greatly appreciate any help anyone could offer. I am a beginner with computers. I know the basics, but not real savy...so be easy on me with any instructions.

 

[EvileYe]

Try turning off your firewall, and logging in. If you can then log in successfully then you know that there is a setting in your firewall that needs changing.

What firewall (If any) are you using ?

 

[richsgirl]

OK, maybe after all I should have listed myself as "not even close to beginner." I have no idea what kind of firewall I'm using. I had someone set my computer up for me. How would I look to know what I have and how would I turn it off? Thanks for your patience.

 

[EvileYe]

Okay,

Down in the bottom right next to the time, do you have any icons showing ?
If so, hover over each one and see what it says, for example you might be running Nortons Internet Security, or Zone Alarm or Sygate etc.

You may also just be using the firewall that comes with XP when you have installed SP2 (Service pack 2)

It might be best to Download a program called "Hijack This" from here http://www.spywareinfo.com/~merijn/downloads.html Scroll down a bit to see it.

Save it into a folder of it's own and do a scan with it, but dont have it fix anything.

Click on save log and save the log, then a window in notepad should open up and you can copy and paste the entire contents of that window back into a reply here.

This will allow me to see what you have running on your computer.

 

[richsgirl]

I have Zone Alarm. I see the icon next to the time. Do I still need to download spyware? Thank you for taking your time to help me.

 

[EvileYe]

Ok if you right click the zone alarm icon, you should be able to switch it off. Then try getting into your site, try it and post back with the results.

 

[richsgirl]

I shut it down, but I still cannot get past the log in stage. It shows that my log in session has timed out, but I'm only in it for a few seconds. I can't imagine what would make it do that. Very frustrating. Now should I download the spyware site?

 

[EvileYe]

Yes, Download Hijack This and copy and paste the log in here.

 

[richsgirl]

Logfile of HijackThis v1.99.0
Scan saved at 7:06:53 AM, on 2/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mfclf.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\lsrv.exe
C:\WINDOWS\system32\msyc.exe
C:\WINDOWS\System32\cmsssr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\ws2_32s.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\svcxnv32.exe
C:\WINDOWS\System32\VRWBWZBWRMDKWLS.EXE
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Firewall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Tina Reynolds\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\SYSTEM32\wpconfigs.exe
C:\WINDOWS\SYSTEM32\wpconfigs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nnpzj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nnpzj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nnpzj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nnpzj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nnpzj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nnpzj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nnpzj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C75AEB7B-18DF-27AF-DBA3-059058EDCC2F} - C:\WINDOWS\system32\ntve.dll
O2 - BHO: (no name) - {CE678389-B1E9-4F6F-091A-C8A48544D7B4} - C:\WINDOWS\appqy32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [msyc.exe] C:\WINDOWS\system32\msyc.exe
O4 - HKLM\..\Run: [Microsoft Firewall] Firewall.exe
O4 - HKLM\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] C:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [apifi32.exe] C:\WINDOWS\system32\apifi32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [apvxdwin.exe] apvxdwin.exe
O4 - HKLM\..\Run: [Microsoft Diagnostic Tool] msdiag.exe
O4 - HKLM\..\Run: [winconfigs] C:\WINDOWS\SYSTEM32\wpconfigs.exe
O4 - HKLM\..\Run: [apixo.exe] C:\WINDOWS\system32\apixo.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IPConfig] svcxnv32.exe
O4 - HKLM\..\Run: [atltw32.exe] C:\WINDOWS\system32\atltw32.exe
O4 - HKLM\..\Run: [d3hs.exe] C:\WINDOWS\system32\d3hs.exe
O4 - HKLM\..\Run: [iptp32.exe] C:\WINDOWS\system32\iptp32.exe
O4 - HKLM\..\Run: [crcy32.exe] C:\WINDOWS\system32\crcy32.exe
O4 - HKLM\..\Run: [mshv.exe] C:\WINDOWS\system32\mshv.exe
O4 - HKLM\..\Run: [sdkwo32.exe] C:\WINDOWS\system32\sdkwo32.exe
O4 - HKLM\..\Run: [Winsock2 driver] VRWBWZBWRMDKWLS.EXE
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Firewall] Firewall.exe
O4 - HKLM\..\RunServices: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\RunOnce: [wingz.exe] C:\WINDOWS\system32\wingz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [Microsoft Firewall] Firewall.exe
O4 - HKCU\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKCU\..\Run: [apvxdwin.exe] apvxdwin.exe
O4 - HKCU\..\Run: [IPConfig] svcxnv32.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [Winsock2 driver] VRWBWZBWRMDKWLS.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gdioqvlp.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20751e4fa54b4491c321/netzip/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\mfclf.exe

 

[EvileYe]

Firstly, please move Hijack this into a folder of it's own, you are currently running it from a temp file.

You have several nasty Virus's and trojans in that log.

Go to this site and do a full online scan http://www.pandasoftware.com/activescan/com/activescan_principal.htm

This will take some time to do, After the scan has completed Download Adaware Se personal from here http://www.lavasoftusa.com/software/adaware/ (it is the free version) Make sure you update it and run a scan with it, and fix everything it finds.

Then go here and download Spybot search & destroy http://www.safer-networking.org/en/download/index.html (it is also free)
Update it and run a scan, fix everything it finds.

Then post back with another Log. (Remember to move your Hijack program to it's own folder)

This is a lengthy process I know, but it is the only way to clean up your system.

I will ask a Moderator to move this post to the security forum, as the folks in there have more experience with the logs.

 

[richsgirl]

I'm running the Panda now, but I already have adaware and spybot. Adaware automatically runs when I log on and I run spybot at least once a week. Maybe I just need to check and see if I need an updated version of these 2?? Viruses may explain why I can't hold on to my homepage and why my letters are huge on all the websites I go to!!

 

[EvileYe]

You will need to make sure you have the latest defintions for both programs, Is your adaware the SE version ? If not download a new one, Your Spybot should also be version 1.3, if it's not then get the new one and update it.

Even though you are downloading new versions of the above program, you still need to run their updates, as they constantly add new nasties to their definitions list.

 

[dvk01]

Once you put Hijackthis into it's own folder we will soon clear you up

 

[EvileYe]

Thanks Derek, I'll leave richsgirl in your capable hands

 

[bobol]

Further to the above, you can use my links for spybot and adaware to their home sites/and updates.... Also below there are links for tutorials on their setup.