
Poor Internet Connection Or Infection?


  • This topic is locked
14 replies to this topic

#1 reggieboy

  • Members

Posted 14 March 2008 - 01:46 AM

This may seem like a simple problem and it is annoying rather than being too serious but I wondered if it could be an indication of a more serious problem.

I have Vista and run McAfee Internet Security Suite as well as SUPERAntiSpyware. The problem is that if we visit any sites with any "live" chat - and to be fair the only sites are my partner's bingo sites then she can never connect to their chat rooms. When we operated XP she could and also when we first got Vista she could (although initially she could only connect to some of the chat rooms) but now all her sites fail to connect to the chat, but the actual connection to the site and playing bingo is fine.

At the end of the day, to me the less time she spends on bingo the better :thumbsup: , but I thought I would ask in case it suggests other connection problems. We have no other problems with internet connection.


 


#2 Billy O'Neal

  • Malware Response Team

Posted 14 March 2008 - 07:04 AM

Hello, reggieboy.

It is likely being firewalled by McAfee. I doubt that suggests a malware problem, but we can check if you like.
If you want to check:
Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 DaChew

  • Members

Posted 15 March 2008 - 12:36 AM

This may seem like a simple problem and it is annoying rather than being too serious but I wondered if it could be an indication of a more serious problem.

I have Vista and run McAfee Internet Security Suite as well as SUPERAntiSpyware. The problem is that if we visit any sites with any "live" chat - and to be fair the only sites are my partner's bingo sites then she can never connect to their chat rooms. When we operated XP she could and also when we first got Vista she could (although initially she could only connect to some of the chat rooms) but now all her sites fail to connect to the chat, but the actual connection to the site and playing bingo is fine.

At the end of the day, to me the less time she spends on bingo the better :thumbsup: , but I thought I would ask in case it suggests other connection problems. We have no other problems with internet connection.




McAfee Internet Security Suite might not like chat and bingo very much, that suite looks pretty powerful, I wonder if the chat rooms are using activex/scripts and they are being blocked? What does site advisor say?

Are your scans showing any malware/infections?
Chewy

No. Try not. Do... or do not. There is no try.

#4 reggieboy

  • Topic Starter
  • Members

Posted 15 March 2008 - 12:48 PM

Hi

Thanks for the replies

The result log is here if you or anyone else is able to confirm if this is a serious problem or it is just a firewall issue. I am waiting to hear from the bingo sites.

Thanks

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2949 (20080315)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=dc7620324bfe274b8b1560bd82a5c8d5
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-15 05:39:00
# local_time=2008-03-15 05:39:00 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=6.0.6000 NT
# scanned=301061
# found=1
# scan_time=3427
C:\Windows\System32\docqdyfbna.exe a variant of Win32/Adware.NaviPromo application (unable to clean - deleted) 00000000000000000000000000000000
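
The scan log posted above can be read mechanically. The following Python is an added example, not part of the thread and not ESET's own tooling; it assumes the `# key=value` header and the detection-line layout seen in that one log, and `parse_log`, `triage` and the `gone_from_path` field are names chosen here.

```python
import re

# Log lines copied from post #4 of this thread (header trimmed to the fields used).
SAMPLE_LOG = r"""# end=finished
# remove_checked=true
# scanned=301061
# found=1
C:\Windows\System32\docqdyfbna.exe a variant of Win32/Adware.NaviPromo application (unable to clean - deleted) 00000000000000000000000000000000
"""

# Assumed layout, inferred from that single detection line:
#   <path> <threat description> (<action>) <32 hex characters>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.\w+)\s+(?P<threat>.+?)\s+"
    r"\((?P<action>[^()]*)\)\s+(?P<digest>[0-9A-Fa-f]{32})$"
)

def parse_log(text):
    """Return (header dict, detection records, lines that matched neither)."""
    header, detections, unparsed = {}, [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].partition("=")
            if sep:
                header[key.strip()] = value.strip().strip('"')
            continue
        match = DETECTION_RE.match(line)
        if match is None:
            unparsed.append(line)  # never drop a line silently
            continue
        record = match.groupdict()
        # "deleted" in the action: the file is gone from its original path.
        record["gone_from_path"] = "deleted" in record["action"].lower()
        detections.append(record)
    return header, detections, unparsed

def triage(text):
    """Turn a log into short notes for whoever reads it on the forum."""
    header, detections, unparsed = parse_log(text)
    notes = []
    if header.get("end") != "finished":
        notes.append("scan did not finish, results are incomplete")
    if header.get("found", "0") != str(len(detections)) or unparsed:
        notes.append("detection count mismatch, read the raw log")
    for d in detections:
        state = "gone from path" if d["gone_from_path"] else "not reported deleted"
        notes.append(f"{d['path']} [{d['threat']}]: {state}")
    return notes

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

A detection marked as gone from its path will not be found by browsing to it afterwards, though files with the same base name may remain in the same folder.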

#5 DaChew

  • Members

Posted 15 March 2008 - 01:15 PM

NAVIPROMO infection. This is a rootkit protected and very hidden malware infection.


when Bill Castner says this, I know when I am in way over my head

let's see if we can get an "expert" opinion
Chewy


#6 Orange Blossom

  • Moderator

Posted 15 March 2008 - 01:36 PM

Hello DaChew,

Can you please provide the source link for the quote?

Thank you,

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 DaChew

  • Members

Posted 15 March 2008 - 01:51 PM

http://forum.aumha.org/viewtopic.php?t=319...0dfea816f1617f1

I guess I would rather err on the side of caution
Chewy


#8 Orange Blossom

  • Moderator

Posted 15 March 2008 - 02:04 PM

Thanks DaChew. In reading that thread, I'm not convinced that reggieboy has the same infection. That thread mentions a certain kind of popup in connection with that rootkit. reggieboy is not experiencing those popups.

reggieboy,

I'd like you to navigate to C:\Windows\System32\docqdyfbna.exe

If you cannot see it, make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please scan the file here -->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.


Please do the same at Virustotal: http://www.virustotal.com/

Post the results of both scans indicating which is VirusTotal and which Jotti,

Orange Blossom :thumbsup:

#9 reggieboy

  • Topic Starter
  • Members

Posted 16 March 2008 - 02:50 PM

Hi Orange

I have changed the view so I can see hidden files but I cannot see the application you mention only docqdyfbna.dat. I am using Vista. Does that make a difference?

Also you say "When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time. " - What are the files below? you do not mention any others?

Thanks for your help.

#10 Orange Blossom

  • Moderator

Posted 16 March 2008 - 02:59 PM

Hello reggieboy,

Gah, I was up too long and didn't see things as I should. Sorry about that.

C:\Windows\System32\docqdyfbna.exe a variant of Win32/Adware.NaviPromo application (unable to clean - deleted) 00000000000000000000000000000000


Just now saw the word deleted. That tells me that it is in the quarantine of the security program. Was it McAfee? So, please navigate to the McAfee, or the security program that deleted it, quarantine and find docqdyfbna.exe

- What are the files below? you do not mention any others?


The file "below" is this one: docqdyfbna.exe :thumbsup:

Add to that this file: docqdyfbna.dat which you found, so please post the scan results for both those files. :flowers:

Orange Blossom :trumpet:

#11 reggieboy

  • Topic Starter
  • Members

Posted 18 March 2008 - 01:27 PM

Thanks for the reply. I still cannot see the .exe file. The only items in the quarantine are cookies. I have done a search and cannot find it either. The Jotti results for the .dat file are "nothing found" against everything.

Is there any sort of "connection" issue I should be checking. Do you think that it is simply as DaChew is suggesting that my firewall is blocking it? I think this is strange as it has only recently (in the last couple of months) been stopping connection to chat. I don't use any other sites with "live" chat so I would not know if it is every one or just bingo.

Cheers

reggieboy

#12 DaChew

  • Members

Posted 18 March 2008 - 01:36 PM

Eset online scanner must have deleted the file?

are the chat rooms java based?

Edited by DaChew, 18 March 2008 - 01:37 PM.

Chewy


#13 reggieboy

  • Topic Starter
  • Members

Posted 23 March 2008 - 02:00 AM

Well the sites do not seem to answer if the chat rooms are java based, they simply advise to change my firewall settings to allow all inbound/outbound connections. That can't be right, surely? There would be no point in having a firewall, right?

#14 boopme

  • Global Moderator

Posted 23 March 2008 - 09:46 PM

The most serious problem you have is that rootkit infection. It may just as well be the cause of all your grief. Maybe, but the best thing to do is have the HiJack team look at it. A rootkit may want to be sending info out and causing havoc. Best to get it removed first so that you do not open avenues for data theft. Post a Hijack log. After that deal with the chat issue if it still exists.
Please follow the instructions here. Preparation Guide for use before posting a HijackThis Log

then post that log here, NOT in this topic.
HijackThis Logs and Malware Removal

If you need assistance doing it or have other questions ask them in this topic.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#15 Orange Blossom

  • Moderator

Posted 31 March 2008 - 01:40 AM

Hello reggieboy,

Now that your log is posted, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is EXTREMELY busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in ten days, add a response to the five days no response topic and paste in the link to your thread.

To avoid confusion, I am closing this thread. Once you have been cleared by the HJT team and if you are still experiencing the Chat room issues, send a PM to a moderator to reopen this thread. Good luck with your log.

Orange Blossom :thumbsup:



