
Spyware is killing our VPN Connection


7 replies to this topic

#1 mviker (Full Member, 5 posts)

Posted 09 June 2004 - 05:40 PM

Hello,

I am new to the discussions here. Recently my VPN users began experiencing connectivity issues when going through our VPN. At first I thought it was the VPN client, then maybe a corrupt TCP/IP stack, but now I feel confident the issue is with spyware interfering with the connection.

We have run Ad-Aware AND Spybot S&D with no visible results. Sure... a lot of stuff was caught, but nothing that helped restore VPN connectivity. We get the tunnel established, but cannot ping or trace to our server when logged in as the user. When logging in as administrator, ping and traces work, so I suspect the user's profile has been infected.

We are running Win2k Pro and I have attached the user's log from HijackThis to this message. I do see very suspicious entries, but would like a second opinion before taking action.

I certainly appreciate your help with this!

Thanks




#2 mviker (Full Member, 5 posts)

Posted 09 June 2004 - 05:44 PM

I apologize for double posting.

#3 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 09 June 2004 - 06:07 PM

The double posting may be due to a forum glitch. Your other post has been deleted.

The HijackThis log is easier to deal with if posted, rather than attached. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 6:10:35 PM, on 6/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\MLQ\DemonA.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.natso.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NATSO, Inc.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [qshrcqpf] C:\WINNT\system32\vjfcsfrlg.exe
O4 - HKLM\..\Run: [idkhvd] C:\WINNT\system32\xbkngaepv.exe
O4 - HKLM\..\Run: [jgfjsah] C:\WINNT\system32\ueujkrqgympnl.exe
O4 - HKLM\..\Run: [gvnaj] C:\WINNT\system32\eidj.exe
O4 - HKLM\..\Run: [ggbtabgv] C:\WINNT\system32\cxoee.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MLQ Print to Fax Helper.lnk = C:\MLQ\DemonA.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181...s/ccpm_0237.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7877.8499537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NATSO.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NATSO.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NATSO.com

Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 09 June 2004 - 06:10 PM

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [qshrcqpf] C:\WINNT\system32\vjfcsfrlg.exe
O4 - HKLM\..\Run: [idkhvd] C:\WINNT\system32\xbkngaepv.exe
O4 - HKLM\..\Run: [jgfjsah] C:\WINNT\system32\ueujkrqgympnl.exe
O4 - HKLM\..\Run: [gvnaj] C:\WINNT\system32\eidj.exe
O4 - HKLM\..\Run: [ggbtabgv] C:\WINNT\system32\cxoee.exe

Reboot, and delete these files:
C:\WINNT\system32\vjfcsfrlg.exe
C:\WINNT\system32\xbkngaepv.exe
C:\WINNT\system32\ueujkrqgympnl.exe
C:\WINNT\system32\eidj.exe
C:\WINNT\system32\cxoee.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a follow-up HijackThis log, and say if your problems persist.
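The triage done by eye above (five HKLM Run entries whose value names and file names are random lowercase strings living in system32) can be automated as a first pass over any HijackThis log. The following is an added example written for this thread; it is not code from the posts or from HijackThis. The five signals, their equal weights and the threshold of 4 are my own assumptions tuned to these two logs, not a published rule, and the embedded sample is the O4 Run lines copied from the logs posted in the thread (the last two from the second user's log, so a legitimate bare-name entry is represented).

```python
"""Score HijackThis O4 autostart entries for randomly named loaders.

Added example for this thread; not part of HijackThis or of the posts.
The five signals, their equal weights and the threshold of 4 are
assumptions tuned to the logs in the thread, not a published rule.
"""
import re
from dataclasses import dataclass, field

# O4 Run lines copied from the two logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [qshrcqpf] C:\WINNT\system32\vjfcsfrlg.exe
O4 - HKLM\..\Run: [idkhvd] C:\WINNT\system32\xbkngaepv.exe
O4 - HKLM\..\Run: [jgfjsah] C:\WINNT\system32\ueujkrqgympnl.exe
O4 - HKLM\..\Run: [gvnaj] C:\WINNT\system32\eidj.exe
O4 - HKLM\..\Run: [ggbtabgv] C:\WINNT\system32\cxoee.exe
O4 - Global Startup: MLQ Print to Fax Helper.lnk = C:\MLQ\DemonA.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"; Global Startup lines are ignored.
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# First executable on the command line, quoted or not, even with spaces in the path.
FIRST_EXE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)

VOWELS = set("aeiou")
SUSPICIOUS = 4  # assumption: four of the five signals is enough to flag an entry


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def stem(self):
        """File name without directory and extension, e.g. 'vjfcsfrlg'."""
        return self.path.rpartition("\\")[2].rsplit(".", 1)[0]

    @property
    def flagged(self):
        return self.score >= SUSPICIOUS


def vowel_ratio(s):
    letters = [c for c in s.lower() if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 1.0


def plain_lowercase(s):
    """Short all-lowercase ASCII word: no digits, spaces or vendor-style casing."""
    return 4 <= len(s) <= 16 and s.isascii() and s.isalpha() and s.islower()


def in_system32(path):
    head, sep, _ = path.rpartition("\\")
    if not sep:
        return True  # bare name: found via the search path, which includes system32
    return head.lower().endswith("\\system32")


def score_entry(entry):
    stem = entry.stem
    checks = [
        (plain_lowercase(entry.name), "value name is a bare lowercase string"),
        (plain_lowercase(stem), "file name is a bare lowercase string"),
        (entry.name[:3].lower() != stem[:3].lower(), "value name unrelated to file name"),
        (in_system32(entry.path), "runs from system32 (or a bare file name)"),
        (vowel_ratio(entry.name) < 0.25, "value name has almost no vowels"),
    ]
    entry.reasons = [why for hit, why in checks if hit]
    entry.score = len(entry.reasons)
    return entry


def parse_run_entries(log_text):
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, _key, name, command = m.groups()
        exe = FIRST_EXE.match(command)
        path = exe.group(1) if exe else command.strip().split(" ")[0]
        entries.append(score_entry(RunEntry(hive, name, path)))
    return entries


def flagged_names(log_text):
    return sorted(e.name for e in parse_run_entries(log_text) if e.flagged)


if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_LOG):
        print(f"{'SUSPECT' if e.flagged else 'ok     '} {e.score} [{e.name}] {e.path}")
        for why in e.reasons:
            print(f"          - {why}")
```

On the sample this flags exactly the five entries dave38 lists and nothing from the second log. The threshold matters: the legitimate Symantec tray icon ([vptray], vptray.exe) scores 3 because its name is short, lowercase and vowel-poor, so a score is a prompt to look at the file (timestamp, version information, signature) rather than a verdict.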

#5 mviker (Full Member, 5 posts)

Posted 09 June 2004 - 06:28 PM

Hi,

Thanks for taking a look. I suspected those same files, as they appear to be randomly named. Thanks for your confirmation!

If you don't mind...

I have one more from another user. This is the last one, I swear!

I don't see similar files, so this one may not have an issue, or the files are hidden better. Once again, thank you for taking the time to help me out!

Logfile of HijackThis v1.97.7
Scan saved at 7:08:11 PM, on 6/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.natso.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NATSO, Inc.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [\\CI37763-A\EPSON] C:\WINNT\System32\spool\DRIVERS\W32X86\2\E_S0HIC1.EXE /P17 "\\CI37763-A\EPSON" /O17 "\\CI37763-A\EPSON" /M "Stylus C82"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwfb.ops.pl...quicksilver.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37881.255474537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NATSO.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NATSO.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NATSO.com

#6 mviker (Full Member, 5 posts)

Posted 09 June 2004 - 06:54 PM

I forgot to mention... both of my users are finished for the evening. I will make the changes you advised in the morning and let you know the results!

Thank you again for your help

#7 mviker (Full Member, 5 posts)

Posted 10 June 2004 - 09:13 AM

Hi,

We ran HijackThis again on the first user, checked the entries, rebooted, then deleted the suspicious files. Unfortunately, we are still having trouble. On this computer, logged in as administrator, we establish the VPN tunnel and can ping and trace to the server as well as open shares. However, logged in as the user, the tunnel is established, but no pings or traces make it through, and file shares obviously will not open. The HijackThis log does not show the suspicious files anymore, but the remainder is the same.

The second user is having the exact same issue, but I cannot tell from looking at the logs what the trouble may be.

Thank you for your help...

#8 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 10 June 2004 - 02:33 PM

Well, the "other user" log you posted is clean, and if those files are gone, then the original user should be OK.

Sorry, I don't know enough about VPN or Win 2K to make any further suggestions.



