Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Connection Trouble Hijack This Analysis Please Help Analyze


  • Please log in to reply
4 replies to this topic

#1 Midgar06

Midgar06

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 22 June 2006 - 11:55 AM

I have been having a problem with my home network (2 pcs running WinXP w/ SP2) losing its internet connection. The connection only lasts about 5 min sometimes longer and then i have to reboot my computer to get the connection back. I have run adaware and spybot to clean up all the spyware. The connection is a DSL connection via verizon and i am running cat 5 cable through a hub to each computer. Any help would be great!

Logfile of HijackThis v1.99.1
Scan saved at 12:46:37 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\dnssvc.exe
C:\Program Files\SVRemote\USB20Remote.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Richard Standish\My Documents\greg\limewire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Richard Standish\My Documents\greg\AIM\aim.exe
C:\Documents and Settings\Richard Standish\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Spyware Doctor\swdoctor.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.10
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.10
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.10
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Dns] C:\WINDOWS\system32\dnssvc.exe
O4 - HKLM\..\Run: [CheckRegDefragOnce] regopt.exe -checkdefrag
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Richard Standish\My Documents\greg\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: avpe32 - avpe32.dll (file missing)
O20 - Winlogon Notify: chk - chke.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NMSAccess - Unknown owner - C:\Documents and Settings\Richard Standish\My Documents\greg\alcohol burn\NMSAccess.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 Deckard

Deckard

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:Oregon
  • Local time:09:09 PM

Posted 23 June 2006 - 06:52 PM

Hi and welcome to Bleeping Computer!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Track this topic under (Options) so that you are notified when you receive a reply.

Please be patient with me during this time.
The chance to begin again in a golden land of opportunity and adventure.


UNITE/ASAP: Proud member since 2006


#3 Deckard

Deckard

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:Oregon
  • Local time:09:09 PM

Posted 23 June 2006 - 11:51 PM

Hello Midgar06,

It looks like you might have a few trojans. Let's get started.

Do you recognize /4.3.10 as a homepage you set? What about the localhost:2323 proxy?

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Download HaxFix
Download HaxFix and save it to your Desktop.
  • Double click on haxfix.exe to install HaxFix. (standard installation path is C:\Program Files\haxfix)
  • Check Create a desktop icon and click Next.
  • When the installation is complete, check Launch HaxFix and click Finish.
  • A red "DOS window" (DOS box) will open with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    4. Exit Haxfix
  • Select option Make logfile by typing 1 and then pressing Enter.
  • Haxfix will start scanning the computer.
  • When it is finished a logfile will open. This file is located at C:\haxfix.txt.
Please paste the contents of this file with your next reply.
The chance to begin again in a golden land of opportunity and adventure.


UNITE/ASAP: Proud member since 2006


#4 Midgar06

Midgar06
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 24 June 2006 - 12:03 PM

Here is my log that i got after running haxfix. thanks so much for helping me out.

HAXFIX logfile - by Marckie
______________
version 3.01
Sat 06/24/2006 13:01:17.68

checking for haxdoor
--------------------
checking for a3d files....
a3d files found
in.a3d
ps.a3d
redir2.a3d

checking for matching notify keys....
matching notify keys found
avpe

checking for matching services....
no matching services found

checking for matching safeboot services....
matching safeboot services found
avpe32.sys
avpe64.sys


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found


Finished

#5 Deckard

Deckard

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:Oregon
  • Local time:09:09 PM

Posted 24 June 2006 - 03:32 PM

Okay, let's get rid of it. Also, can you tell me if you set /4.3.10 as your homepage, and localhost:2323 as your browser proxy?

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.
  • Open HaxFix.
  • Close all other open windows since this step requires a reboot.
  • Select option Run auto fix by typing 2 and then pressing Enter.
  • If an infection is found (it should be), you'll get a message to close all other open windows. Close all open windows except the red DOS window from HaxFix and then press Enter.
  • The computer will reboot.
  • After reboot a logfile will open (located in C:\haxfix.txt).
Please post the contents of that file along with a new HijackThis log and please let me know the answer regarding your homepage and proxy.

Thanks.
The chance to begin again in a golden land of opportunity and adventure.


UNITE/ASAP: Proud member since 2006





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users