mviker

Spyware is killing our VPN Connection

8 posts in this topic

Hello,

 

I am new to the discussions here. Recently my VPN users began experiencing connectivity issues when going through our VPN. At first I thought it was the VPN client, then maybe corrupt TCP/IP stack, but now feel confident the issue is with Spyware interfering with the connection.

 

We have run Adaware AND Spybot S&D with no visible results. Sure...a lot of stuff was caught, but nothing that helped restore VPN connectivity. We get the tunnel established, but cannot ping or trace to our server when logged in as the user. When logging in as administrator, ping and traces work, so I suspect the user's profile has been infected.

 

We are running Win2k Pro and I have attached the users log from HijackThis to this message. I do see very suspicious entries, but would like a second opinion before taking action.

 

I certainly appreciate your help with this!

 

Thanks

hijackthis.log


The double posting may be due to a forum glitch. Your other post has been deleted.

 

The HijackThis log is easier to deal with if posted rather than attached. Here it is:

 

Logfile of HijackThis v1.97.7

Scan saved at 6:10:35 PM, on 6/9/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\system32\pctspk.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\MLQ\DemonA.exe

C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.natso.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NATSO, Inc.

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [qshrcqpf] C:\WINNT\system32\vjfcsfrlg.exe

O4 - HKLM\..\Run: [idkhvd] C:\WINNT\system32\xbkngaepv.exe

O4 - HKLM\..\Run: [jgfjsah] C:\WINNT\system32\ueujkrqgympnl.exe

O4 - HKLM\..\Run: [gvnaj] C:\WINNT\system32\eidj.exe

O4 - HKLM\..\Run: [ggbtabgv] C:\WINNT\system32\cxoee.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: MLQ Print to Fax Helper.lnk = C:\MLQ\DemonA.exe

O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27dea88f90edb94abc05/...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7877.8499537037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NATSO.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NATSO.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NATSO.com


Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [qshrcqpf] C:\WINNT\system32\vjfcsfrlg.exe

O4 - HKLM\..\Run: [idkhvd] C:\WINNT\system32\xbkngaepv.exe

O4 - HKLM\..\Run: [jgfjsah] C:\WINNT\system32\ueujkrqgympnl.exe

O4 - HKLM\..\Run: [gvnaj] C:\WINNT\system32\eidj.exe

O4 - HKLM\..\Run: [ggbtabgv] C:\WINNT\system32\cxoee.exe

Reboot, and delete the files:

C:\WINNT\system32\vjfcsfrlg.exe

C:\WINNT\system32\xbkngaepv.exe

C:\WINNT\system32\ueujkrqgympnl.exe

C:\WINNT\system32\eidj.exe

C:\WINNT\system32\cxoee.exe

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

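The advice above boils down to a triage rule that is worth automating when you have more than a couple of logs to read: an O4 Run entry whose value name and executable name are both random-looking lowercase strings, and whose executable lives in the system directory, is a strong candidate for removal. The following Python script is an added example, not code from the thread or from HijackThis; it parses O4 lines in the HijackThis format shown above, scores names with a simple consonant-run/vowel-ratio heuristic, applies an allowlist so that legitimate but odd-looking names (the constructed `ctfmon` entry) are not flagged, and emits the same two lists the reply asks for: lines to tick in "Fix checked" and files to delete after the reboot. The sample log mixes entries copied from the first posted log with constructed lines, and the allowlist is a placeholder you would build from your own clean baseline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [value name] command line"  (also matches HKCU and RunOnce)
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# First executable on the command line, quoted or not; arguments are dropped
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|scr|bat))"?(?:\s|$)', re.I)

SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")
# Constructed allowlist (hypothetical): file stems that trip the heuristic but belong on a baseline box.
KNOWN_GOOD = {"ctfmon", "mobsync", "vptray"}
VOWELS = set("aeiou")


def looks_random(token: str) -> bool:
    """Heuristic: an all-lowercase alphabetic token with a long consonant run or almost no vowels."""
    if not re.fullmatch(r"[a-z]{4,}", token):
        return False  # mixed case, digits or spaces: vendor-style names, leave to the allowlist/baseline
    runs = re.findall(r"[b-df-hj-np-tv-z]+", token)  # 'y' counted as a consonant
    longest_run = max((len(r) for r in runs), default=0)
    vowel_ratio = sum(c in VOWELS for c in token) / len(token)
    return longest_run >= 4 or vowel_ratio <= 0.2


def exe_path(cmd: str) -> str | None:
    """Return the executable path from an O4 command line, or None if none is recognised."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else None


@dataclass
class Finding:
    line: str      # the O4 line exactly as it appears in the log (what you tick in HijackThis)
    name: str      # registry value name
    path: str      # executable path (what you delete after the reboot)
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Flag O4 Run entries whose names look random and whose binary sits in the system directory."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, path = m["name"], exe_path(m["cmd"])
        if path is None:
            continue
        directory, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if stem.lower() in KNOWN_GOOD:
            continue
        # Bare names (e.g. "pctspk.exe") resolve through the search path; only explicit
        # system-directory paths are scored here.
        if not directory.lower().startswith(SYSTEM_DIRS):
            continue
        reasons = []
        if looks_random(name):
            reasons.append(f"value name {name!r} looks random")
        if looks_random(stem):
            reasons.append(f"file name {stem!r} looks random")
        if reasons:
            findings.append(Finding(line.strip(), name, path, "; ".join(reasons)))
    return findings


def fix_plan(findings: list[Finding]) -> tuple[list[str], list[str]]:
    """The two lists the forum reply asks for: O4 lines to tick, then files to delete after reboot."""
    return [f.line for f in findings], [f.path for f in findings]


# Constructed sample: entries from the first posted log plus benign lines added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINNT\system32\ctfmon.exe
O4 - HKLM\..\Run: [qshrcqpf] C:\WINNT\system32\vjfcsfrlg.exe
O4 - HKLM\..\Run: [idkhvd] C:\WINNT\system32\xbkngaepv.exe
O4 - HKLM\..\Run: [jgfjsah] C:\WINNT\system32\ueujkrqgympnl.exe
O4 - HKLM\..\Run: [gvnaj] C:\WINNT\system32\eidj.exe
O4 - HKLM\..\Run: [ggbtabgv] C:\WINNT\system32\cxoee.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    to_tick, to_delete = fix_plan(found)
    print("Fix checked in HijackThis:")
    for f in found:
        print(f"  {f.line}    <- {f.reason}")
    print("Delete after reboot:")
    for p in to_delete:
        print(f"  {p}")
```

Note that `[gvnaj] eidj.exe` is caught only through its value name (`eidj` itself reads as a plausible word), and the constructed `[ctfmon]` line would be flagged by the consonant-run test if it were not allowlisted; both cases are why a heuristic like this is a prioritisation aid for a human reviewer rather than an automatic remover.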

Hi,

 

Thanks for taking a look. I suspected those same files as they appear to be randomly named. Thanks for your confirmation!

 

If you don't mind...

 

I have one more from another user. This is the last one, I swear!

 

I don't see similar files so this one may not have an issue or the files are hidden better. Once again, thank you for taking the time to help me out!

 

Logfile of HijackThis v1.97.7

Scan saved at 7:08:11 PM, on 6/9/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\Explorer.EXE

C:\WINNT\system32\pctspk.exe

C:\WINNT\system32\atiptaxx.exe

C:\WINNT\system32\PRPCUI.exe

C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe

C:\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.natso.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NATSO, Inc.

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"

O4 - HKLM\..\Run: [\\CI37763-A\EPSON] C:\WINNT\System32\spool\DRIVERS\W32X86\2\E_S0HIC1.EXE /P17 "\\CI37763-A\EPSON" /O17 "\\CI37763-A\EPSON" /M "Stylus C82"

O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwfb.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26252e72d71ca8671c15/...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37881.255474537

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NATSO.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NATSO.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NATSO.com


I forgot to mention... Both of my users are finished for the evening. I will make the changes you advised in the morning and let you know the results!

 

Thank you again for your help


Hi,

 

We ran HijackThis again on the first user and checked, rebooted, then deleted the suspicious files. Unfortunately, we are still having trouble. On this computer, logged in as administrator, we establish the VPN tunnel, and can ping and trace to the server as well as open shares; however, logged in as the user, the tunnel is established, but no pings or traces make it through and file shares obviously will not open. The HijackThis log does not show the suspicious files anymore, but the remainder is the same.

 

The second user is having the exact same issue, but I cannot tell from looking at the logs, what the trouble may be.

 

Thank you for your help...


Well, the "other user" log you posted is clean, and if those files are gone, then the original user should be OK.

 

Sorry, I don't know enough about VPN or Win 2K to make any further suggestions.
