
My internet connection is looking suspicious.


  • This topic is locked
11 replies to this topic

#1 drumstickz

    Member

  • Full Member
  • 7 posts

Posted 28 July 2004 - 02:27 PM

Hey everyone. I'm getting a little suspicious about my internet connection. When I log on to the internet (dial-up) it seems to be continuously sending/receiving information. The two little monitors in the taskbar are lit up constantly for about 5-10 minutes. It eventually stops. This hasn't happened before so I'm just going to make sure everything's OK. First I ran a virus scanner and a trojan scanner in safe mode and it identified nothing. Then I ran Ad-Aware and it found 20 objects. I removed those objects. Then I deleted everything in my temp file in C:\Documents and Settings etc. After that I deleted all my temporary internet files and cookies and I finally emptied the recycle bin. The suspicious behavior still happens once in a while so I'm going to post a HijackThis log so you guys can check if there might be anything else wrong.

If there is something wrong with the logfile please tell me how I can fix it. I appreciate all the help and support. Thanks. :-)

Logfile of HijackThis v1.97.7
Scan saved at 12:12:52 PM, on 7/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\hijackthisfolder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMAN.EXE /onboot
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: View Original Image - C:\program files\msn\msnia\wa\getoriginal.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: DigiChat Applet - http://albany.digi-n...s/Client_IE.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8022.8219560185
O16 - DPF: {B5CC0E52-9CE2-4BF2-8365-A0E4E2C528A2} (EGameWebCrypt Class) - https://www.e-games....ameWebCrypt.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B6C08A-9B2B-410F-85CD-5D1DBBD356DA}: NameServer = 205.171.3.65 205.171.2.65

I see a few things that look suspicious here, but I'm no expert so I'm not sure. I'll leave this job to the experts!
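The log above is in HijackThis's fixed line format, so the entries that get discussed later in this thread (the R1 proxy setting, the O4 RunOnce item launched from a Temp folder, and the O17 NameServer line) can be pulled out mechanically rather than by eye. The Python below is an added example written for this page; it is not HijackThis code and was not posted by anyone in the thread. The parsing regexes are my own assumptions about the format, the sample lines are copied from the log above, and the "expected DNS" address in the usage is a placeholder from a documentation range. The notes it returns are prompts to look twice, not verdicts: as the rest of the thread shows, the DELDIR0 entry turned out to be a McAfee leftover, and the local proxy only means some program on the machine is listening on that port.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted above (R1, O4 and O17 entries).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMAN.EXE /onboot
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B6C08A-9B2B-410F-85CD-5D1DBBD356DA}: NameServer = 205.171.3.65 205.171.2.65
"""


@dataclass
class Entry:
    section: str  # the HijackThis section code, e.g. "R1", "O4", "O17"
    body: str     # everything after "O4 - "


# Assumed shape of a HijackThis line: "<section> - <body>" (my assumption, not a documented spec).
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Assumed shape of an O4 registry body: "HKLM\..\Run: [name] command".
STARTUP_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def parse_log(text):
    """Turn log text into Entry objects, ignoring blank lines and the header block."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def proxy_server(entries):
    """Return the ProxyServer value from an R1 line (e.g. 'http=127.0.0.1:9022'), or None."""
    for e in entries:
        if e.section == "R1" and "ProxyServer" in e.body:
            return e.body.split("=", 1)[1].strip()
    return None


def nameservers(entries):
    """Return every DNS server address listed on O17 NameServer lines."""
    servers = []
    for e in entries:
        if e.section == "O17" and "NameServer" in e.body:
            servers.extend(e.body.split("=", 1)[1].split())
    return servers


def startup_items(entries):
    """Return (hive, key, name, executable path) for each O4 registry Run/RunOnce entry."""
    items = []
    for e in entries:
        if e.section != "O4":
            continue
        m = STARTUP_RE.match(e.body)
        if not m:
            continue  # "Global Startup" shortcuts are skipped here
        hive, key, name, cmd = m.groups()
        if cmd.startswith('"'):
            path = cmd[1:cmd.index('"', 1)]   # quoted path, possibly followed by arguments
        else:
            path = cmd.split(" ", 1)[0]       # unquoted path ends at the first space
        items.append((hive, key, name, path))
    return items


def review_items(entries, expected_dns=()):
    """Heuristic notes worth a second look; an empty expected_dns disables the DNS check."""
    notes = []
    proxy = proxy_server(entries)
    if proxy and "127.0.0.1" in proxy:
        notes.append(f"browser proxy points at a local port ({proxy}): identify which program listens there")
    for hive, key, name, path in startup_items(entries):
        if "\\TEMP\\" in path.upper():
            notes.append(f"{hive} {key} entry [{name}] launches from a Temp folder: {path}")
    for ns in nameservers(entries):
        if expected_dns and ns not in expected_dns:
            notes.append(f"DNS server {ns} is not one you recognise: confirm it belongs to your ISP")
    return notes


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    # 198.51.100.1 is a placeholder "the DNS server I expect" address, not a real resolver.
    for note in review_items(parsed, expected_dns=("198.51.100.1",)):
        print("-", note)
```

On the log above this yields four notes: the local proxy, the RunOnce item under Temp, and the two nameservers that do not match the placeholder. Which of those matter is the judgement call the rest of the thread works through.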

#2 drumstickz

    Member

  • Full Member
  • 7 posts

Posted 29 July 2004 - 11:13 AM

7 hour bump. :-)

#3 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 29 July 2004 - 03:59 PM

Hi,
Your log looks clean ...

I see a few things that look suspicious here

Such as?

Important! Your system is severely out of date!
Visit Windows Update and install all the "Critical Updates"
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#4 drumstickz

    Member

  • Full Member
  • 7 posts

Posted 30 July 2004 - 12:23 PM

O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMAN.EXE /onboot

I've never seen this before and I don't know what program it's related to.

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

It seems that I may be surpassing the experts! Jk. But anyway I did my research and searched this registry entry on Google. I found out that this entry above is related to the navexcel pest. I guess it's easy to overlook because it looks like a component of the McAfee Virus Scanner when it's actually a pest in a clever disguise! Those tricky malware programmers... :hmmm: It seems that I don't have all of the pest because this is the only symptom of it on my PC.

You can see this site for the info. http://research.pest...2-05_204330.asp

If you look towards the bottom of the list of related registry entries, you'll see the one that I have. The obvious thing to do is have it fixed, but I don't know if there are other files I need to delete manually.

Thanks WinHelp2002 but even experts can overlook something! I did what you told me to do and downloaded ALL critical updates. Please advise me on what to do next! I greatly appreciate your help. :-)

Edited by drumstickz, 30 July 2004 - 02:38 PM.


#5 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 30 July 2004 - 04:34 PM

Hi,
First let me say I didn't overlook those 2 entries ...

1) IDMAN.EXE = Internet Download Manager
http://www.internetdownloadmanager.com
http://www.internetd...mmand_line.html

2) Most likely the DelDir0 is from running a McAfee app or scan at one time. I would say that "DelDir0" = Delete Directory
http://forums.mcafee...opic.php?t=4334
http://forums.mcafee...pic.php?t=21491

Note: the PestPatrol article does not show that to be from navexcel. If you look again, the affected files are listed in the "Pest" column; the entry you see is just under "running processes", and not everything there is bad ...

Anyway ...

Is IDM listed in Add/Remove? If so, uninstall it that way. Otherwise remove the entry:

O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMAN.EXE /onboot

Then restart in Safe Mode and delete IDMAN.EXE

If you want to remove the McAfee entry, do the same thing:

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\default\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]
Note: Restart in Safe Mode using the "default" user profile ...

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Restart normally ...
Mike

#6 drumstickz

    Member

  • Full Member
  • 7 posts

Posted 31 July 2004 - 12:37 AM

Oh no! It seems that I was the stupid one after all. >_< I apologize for thinking you were wrong. Anyways I did all you told me to do and it seems like everything is normal.

There is only one abnormal thing:

Whenever I double click MSN (my internet service provider) to connect to the internet, I receive a dialog box saying "You (or a program) have requested a connection from textreg2.msn.com". I'm saying this from memory so it might not be exactly what it was.

This has never happened before. I've seen these dialog boxes when a spyware or malware site wanted to connect to my computer (got it fixed of course) but why would msn want to connect to my computer? Normally when I double click MSN I don't get this dialog box but now I've been getting it.

The reason why this is worrying me is because the same thing happened to me with outlook express. It requested a connection from "mx3.hotmail.com". I found out it was an Outlook Express trojan and had it removed. I'm concerned that there might be some trojan causing this, but when I ran my trojan/virus scanner nothing came up.

WinHelp2002 you have been very helpful and you are also very kind for not getting mad at me when I wrongly accused you of overlooking something. If you can help me with this one last problem I would be very pleased. Thank you so much for your help!

#7 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 31 July 2004 - 01:42 AM

Hi,
There's no need to apologize ... no harm ... no foul.

You (or a program) have requested a connection from textreg2.msn.com

I don't use MSN so it's hard to say, but do you allow this connection after the prompt? What program is giving you this dialog box prompt?

Whenever I double click MSN (my internet service provider)

hmm ... according to your log qwest.net is your ISP
[205.171.3.65 = resolver.qwest.net]

O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B6C08A-9B2B-410F-85CD-5D1DBBD356DA}: NameServer = 205.171.3.65 205.171.2.65

When I log on to the internet (dial-up) it seems to be continuously sending/receiving information.

Try this and it will let you view the "traffic"

AnalogX has a pretty good packet sniffer [freeware] that runs in XP.
http://www.analogx.c...etwork/pmon.htm

Tip: Start PacketMon before you make your connection, then start your connection and after the traffic slows down, stop PacketMon then view the log output. It will show you every connection and what is actually exchanged between your machine and whoever you are connecting with.
Mike
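The sniffing tip above (start the capture before dialling, stop it once traffic settles, then read the per-connection log) is the right way to find out what the modem lights are about, and the follow-up question is how to tell a short burst from a host that keeps talking for the whole session. The Python below is an added example written for this page; it is not PacketMon code and was not posted by anyone in the thread. Its input format (time, direction, remote IP, remote port, bytes) is a constructed simplification and not PacketMon's real output, and the sample capture is made up, using documentation-range addresses except for the two Qwest resolvers taken from the log. It groups packets by remote host and flags hosts whose activity is spread across most of the capture window, which is the pattern that keeps a dial-up link busy for minutes.

```python
from datetime import datetime

# Constructed sample capture: "HH:MM:SS,direction,remote_ip,remote_port,bytes".
# 205.171.x.x are the resolvers from the log above; 198.51.100.7 and 192.0.2.44
# are documentation-range placeholders, not real hosts.
SAMPLE_CAPTURE = """\
12:00:01,out,205.171.3.65,53,62
12:00:01,in,205.171.3.65,53,118
12:00:03,out,198.51.100.7,80,420
12:00:03,in,198.51.100.7,80,1460
12:00:04,in,198.51.100.7,80,1460
12:00:04,in,198.51.100.7,80,1460
12:00:05,in,198.51.100.7,80,880
12:00:06,out,198.51.100.7,80,60
12:00:05,out,192.0.2.44,1025,96
12:00:20,out,192.0.2.44,1025,96
12:00:35,out,192.0.2.44,1025,96
12:00:50,out,192.0.2.44,1025,96
12:01:05,out,192.0.2.44,1025,96
12:01:20,out,192.0.2.44,1025,96
12:01:35,out,192.0.2.44,1025,96
12:01:50,out,192.0.2.44,1025,96
"""


def parse_capture(text):
    """Parse the constructed CSV format into (time, direction, ip, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, direction, ip, port, nbytes = line.split(",")
        rows.append((datetime.strptime(ts, "%H:%M:%S"), direction, ip, int(port), int(nbytes)))
    return rows


def capture_window(rows):
    """First and last timestamp in the capture."""
    times = [r[0] for r in rows]
    return min(times), max(times)


def summarise(rows):
    """Per remote host: packet count, byte total, ports touched, and first/last time seen."""
    stats = {}
    for t, direction, ip, port, nbytes in rows:
        s = stats.setdefault(ip, {"packets": 0, "bytes": 0, "ports": set(), "first": t, "last": t})
        s["packets"] += 1
        s["bytes"] += nbytes
        s["ports"].add(port)
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
    return stats


def persistent_hosts(stats, start, end, min_coverage=0.5, min_packets=5):
    """Hosts whose first-to-last activity spans at least min_coverage of the capture window.

    A DNS lookup or a page load is a short burst; something that is still exchanging
    packets near the end of the capture is what keeps the link busy.
    """
    window = (end - start).total_seconds() or 1.0
    flagged = []
    for ip, s in stats.items():
        span = (s["last"] - s["first"]).total_seconds()
        if s["packets"] >= min_packets and span / window >= min_coverage:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse_capture(SAMPLE_CAPTURE)
    stats = summarise(rows)
    start, end = capture_window(rows)
    for ip, s in sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        print(f"{ip:16} packets={s['packets']:3} bytes={s['bytes']:6} "
              f"ports={sorted(s['ports'])} {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
    print("persistent:", persistent_hosts(stats, start, end))
```

On the sample, the web host moves the most bytes but is done in three seconds, the resolvers answer two packets and go quiet, and only the placeholder host on port 1025 is flagged, because it is still sending at the end of the window. Once a host is flagged this way, the next step is the one the thread already describes: work out which process on the machine owns that connection.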

#8 drumstickz

    Member

  • Full Member
  • 7 posts

Posted 31 July 2004 - 10:40 AM

When I double click the MSN program I get the dialog box prompt. I close the prompt when I see it (click the "x".)

Qwest.net? That's not my internet service provider and I've never heard of it until now. :-/ I use MSN. Should I have that entry fixed? Oh btw the sending and receiving information has seemed to stop and that is back to normal now. I did what you told me to do and I didn't see any suspicious things.

But I DID see some connections from:

205.171.3.65

and

205.171.2.65

but they were not continuously sending data.

I don't have any affiliation with qwest.net so I don't know how this happened.

What course of action should I take next?

Edited by drumstickz, 31 July 2004 - 10:42 AM.


#9 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 31 July 2004 - 12:22 PM

Hi,
Open HijackThis and make sure "backups" are enabled:
Click Config, click Backups, select: "make backups before fixing items"

Rescan with HijackThis and select the following: (and reboot)

O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B6C08A-9B2B-410F-85CD-5D1DBBD356DA}: NameServer = 205.171.3.65 205.171.2.65

On restart make sure your Internet connection works, if not restore from the backups in HijackThis the above entry and reboot.
Mike

#10 drumstickz

    Member

  • Full Member
  • 7 posts

Posted 31 July 2004 - 04:08 PM

I followed your instructions. There's pretty much no difference and the dialog box is still there. Do you think it could be harmful or should I just not worry about it?

#11 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 31 July 2004 - 04:19 PM

Hi,
As long as you are sure that the connection is to a ".msn.com" site you should be OK. I imagine if you viewed the "traffic" to the msn site it connects to more than one site anyway ... right? I don't use MSN so I can't really advise on what it connects to, but it may be set to check for updates, etc. (guessing)
Mike

#12 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 01 October 2004 - 04:42 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike



