
Spyware/virus and lost internet connection + hijack log

edited November 2004 in Spyware & Virus Removal
Hi people,

3 days ago I was happily surfing around the internet till suddenly the power goes out. When I turn the computer on again the internet connection is gone. The computer claims to be connected though, and when I call the service number they say that I am connected too. We go through everything for a few hours but no reason can be found. Finally they claim that I must have some kind of virus. I have run just about everything I can think of - Spybot, Adaware, Norton, SpywareBlaster, the Sasser, Netsky and Blaster removal tools, and now HijackThis. So I am posting my HijackThis log and crossing my fingers hoping that you guys will please help me.

Thank you in advance.

Logfile of HijackThis v1.97.7
Scan saved at 10:06:18, on 20.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lin\Mine dokumenter\Mine mottatte filer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runner.mikespaid4email.com/scripts/runner.php?SP=ce431d3eknarken
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CIPVFMSZG] C:\WINDOWS\CIPVFMSZG.exe
O4 - HKLM\..\Run: [CMXEP] C:\WINDOWS\CMXEP.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programfiler\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AHQInit] C:\Programfiler\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Programfiler\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [lslt] C:\WINDOWS\System32\lslt\jmjfbcnp.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/norge/TemplateGallery/msotd.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://gamingclub.microgaming.com/gamingclub/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C850D54-94AE-4652-8015-1DF3F1AC4D70}: NameServer = 130.67.15.198 130.67.60.68

Comments

  • edited June 2004
    OK, boot up in safe mode with system restore off and remove the following with Hijack This:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE (not needed, resource waster)

    There are also a few lines that I can't find info about, but might be related to your problem. They are:

    O4 - HKLM\..\Run: [CIPVFMSZG] C:\WINDOWS\CIPVFMSZG.exe
    O4 - HKLM\..\Run: [CMXEP] C:\WINDOWS\CMXEP.exe
    O4 - HKCU\..\Run: [lslt] C:\WINDOWS\System32\lslt\jmjfbcnp.exe

    Also, this line that's checking for CloneCD updates won't do you any good any more, since they aren't developing or supporting CloneCD now. Just open CloneCD and turn off the auto check feature when CloneCD starts:

    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programfiler\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL


    I also see that it looks like you are running both AVG and Norton AV; I'd dump one of them myself as you are just wasting extra resources for no real extra protection, IMO. One AV program should do just fine.

    Finally, are you sure you don't have a hardware problem causing your lack of connectivity? It sounds awfully suspicious of a hardware problem to me, with it quitting right after a power failure. How is that machine connecting to the net, over an ethernet port or an installed modem or what?
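    The triage the reply above does by hand, done mechanically, as an added example that is not code from the thread or from HijackThis: a small Python script that reads HijackThis-style lines and flags the same kinds of entries (a start page on an unfamiliar host, an orphaned BHO with "(no file)", autostart executables with generated-looking names, ActiveX downloads from hosts outside a vendor list). The sample log is a constructed subset of the log posted at the top of the thread; the allowlists and the tiny known-good list are assumptions for the example. A hit means "look this entry up", never "this is malware".

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

Applies a few of the checks a forum helper does by hand when reading a log.
Every hit means "look this entry up", never "this is malware".
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted at the top of the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runner.mikespaid4email.com/scripts/runner.php?SP=ce431d3eknarken
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CIPVFMSZG] C:\WINDOWS\CIPVFMSZG.exe
O4 - HKLM\..\Run: [CMXEP] C:\WINDOWS\CMXEP.exe
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programfiler\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [lslt] C:\WINDOWS\System32\lslt\jmjfbcnp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://gamingclub.microgaming.com/gamingclub/FlashAX.cab
"""

# Assumed allowlists for this example only; a real triage list is far longer.
HOMEPAGE_OK = ("google.com", "msn.com", "microsoft.com")
DPF_OK = ("macromedia.com", "microsoft.com", "symantec.com", "trendmicro.com", "akamai.net")
# Windows binaries whose names the crude random-name test would otherwise hit (assumed list).
KNOWN_GOOD = {"rundll32.exe", "ctfmon.exe", "explorer.exe"}

R_RE = re.compile(r"^R[01] - .*?,(?P<setting>[^=]+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")


def host_allowed(host: str, allow) -> bool:
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allow)


def exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    acc = []
    for tok in cmd.split():           # unquoted: stop at the first token ending in an exe-like suffix
        acc.append(tok)
        if tok.lower().endswith((".exe", ".com", ".scr", ".dll")):
            return " ".join(acc)
    return acc[0] if acc else ""


def looks_random(filename: str) -> bool:
    """Crude 'generated name' test: no vowels at all, or an all-caps name with <=20% vowels."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    letters = re.sub(r"[^A-Za-z]", "", stem)
    if len(letters) < 4:
        return False
    vowels = sum(c in "aeiouyAEIOUY" for c in letters)
    return vowels == 0 or (letters.isupper() and vowels / len(letters) <= 0.2)


def triage(log_text: str) -> list:
    """Return [(section, reason, line)] for lines worth a closer look, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_RE.match(line)
        if m and m["value"].lower().startswith("http"):
            host = urlparse(m["value"]).hostname or ""
            if not host_allowed(host, HOMEPAGE_OK):
                findings.append(("R", f"{m['setting']} points at unfamiliar host {host}", line))
            continue
        m = O2_RE.match(line)
        if m and m["path"].strip() == "(no file)":
            findings.append(("O2", f"orphaned BHO '{m['name']}' (no file): safe to remove", line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m["cmd"])
            name = exe.rsplit("\\", 1)[-1]
            if name.lower() not in KNOWN_GOOD and looks_random(name):
                findings.append(("O4", f"unrecognised autostart {exe}: look it up before deciding", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if not host_allowed(host, DPF_OK):
                findings.append(("O16", f"ActiveX '{m['desc']}' fetched from {host}: verify the publisher", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

    On the sample this flags exactly the three O4 entries the reply could not identify, the orphaned NavErrRedir BHO, the start page host, and the one ActiveX download outside the vendor list; navapw32, Linksts, ElbyCheck and ctfmon pass. The random-name test is deliberately weak (it is there to sort, not to judge), which is why the known-good list exists.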
  • edited June 2004
    Hi and thanks for getting back to me this fast.

    I did everything you said but I am sorry to say it did not get me back on line. The virus was what my internet provider suggested; they talked about a virus that got between me and my connection, but like you I am starting to think that there might be something else.

    The computer seems OK as I now am using my old ISDN line and it works (though slow and expensive). I did have doubts about the computer as it kept turning itself off/on constantly right when all of this started, but it has not done so in days.

    My guess is now the modem. Somehow maybe the power outage damaged it in some way. Guess I won't know until I have someone have a look at it or change it.

    Thank you so much for your help. I feel so much better having had someone look at the log.

    E.

    Edited to add: the lost connection was ADSL, connected through a Zyxel modem (box), if that helps.
  • edited June 2004
    Do you have access to another modem box or a friend that is using the same? If so, either bring your machine to their house or substitute another modem box and see what happens.
  • edited June 2004
    Unfortunately we only have this one computer. I will check around to see if any of the neighbours have similar boxes - if not I will have my internet provider send me a new one. Might take a few days though.

    Thanks again for your help.
  • Straight_Man (Geeky, in my own way; Naples, FL; Icrontian)
    edited June 2004
    One other thing you could try:

    Sometimes broadband modems get "stuck" and have two IPs at once -- a failed DHCP update of the IP. Or an ISP server manages to feed the wrong modem profile info to the modem.

    Fix???

    Power down computer.

    UNPLUG modem.

    Let modem sit unplugged for about a minute.

    Plug modem back in.

    Let modem sync up (have an ISP rep on the phone if you do not know what to look for, while this is happening).

    Start up computer.

    If that fails, and this is a broadband modem, have ISP push a new modem def and management set file to modem, after checking that the ISP has the right modem recognized at their end.

    This is the easiest way to cross-check common ISP-end things that can happen. I have had all these things happen to me, and having server\gateway push the wrong modem def set is a sure way to have a radically limping Internet connect-- with no software issues....
  • edited June 2004
    We just had a visit from the service group. He checked the box, which by the way worked perfectly when he connected it to his laptop. Checked the phone lines and modem lines and God knows what else.

    The only problem - he hardly checked the computer at all, claiming that was not his area of expertise. We did go through the whole ipconfig /renew thing, which seems to be the only thing they tell me to do. The result of this is that the machine has big problems conjuring up an IP (it does after a while) but does not produce a gateway - whatever that means - and it also comes up with an error when you try to configure a network. On a network scan on the other hand everything seems to be working - but still no gateway number.

    The computer also seems to be sending packages out but not receiving, and still claims to be connected.

    So a new network card?? Or something with the settings?? No clue - but ISDN still works so that is something I guess.

    Once again thanks for all your help - I am following your advice religiously.

    E.
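    The "gets an IP after a while but no gateway" symptom above, checked mechanically, as an added example that is not from the thread: a Python parser for the text that Windows XP's ipconfig /all prints, with a verdict per adapter that separates "no lease at all", "APIPA 169.254.x.x address because DHCP never answered", "lease but no default gateway" and "static address without gateway". The dump below is constructed to match the symptom described; the adapter description, addresses and MAC are placeholders, and the DNS servers are the ones from the O17 line in the posted log. The verdict text for the no-gateway case points at the two places the thread ends up looking (the ISP-side modem profile and the PC's TCP/IP and Winsock stack); netsh winsock reset is the built-in equivalent on XP SP2 and later.

```python
"""Classify Windows 'ipconfig /all' output per adapter (added example, not from the thread)."""
import re

# Constructed sample: an XP-style dump in the state E. describes (lease obtained, no gateway).
# Adapter description, addresses and MAC are placeholders for the example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : example-pc

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Ethernet Adapter
        Physical Address. . . . . . . . . : 00-00-00-00-00-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 130.67.15.198
                                            130.67.60.68
"""

# "Key . . . : value" lines; the key stops before the dot leaders, the value follows the colon.
FIELD_RE = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:(?P<val>.*)$")


def parse_ipconfig(text: str) -> dict:
    """Parse 'ipconfig /all' output into {section_name: {field: value}}."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                  # column-0 line: a new section/adapter header
            current = sections.setdefault(raw.rstrip(":").strip(), {})
            last_key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(raw)
        if m:
            last_key = m["key"].strip()
            current[last_key] = m["val"].strip()
        elif last_key:                            # indented continuation, e.g. a second DNS server
            current[last_key] = ", ".join(v for v in (current[last_key], raw.strip()) if v)
    return sections


def diagnose(adapter: dict) -> str:
    """One-line verdict for an adapter's address state."""
    ip = adapter.get("IP Address", "")
    gw = adapter.get("Default Gateway", "")
    if not ip or ip == "0.0.0.0":
        return "no address: DHCP never completed (check link, NIC, modem)"
    if ip.startswith("169.254."):
        return "APIPA address: link is up but no DHCP server answered (modem/ISP side)"
    if not gw:
        if adapter.get("Dhcp Enabled", "").lower() == "no":
            return "static address without gateway: fix the adapter's TCP/IP properties"
        return ("lease without gateway: DHCP options not applied; check the ISP-side modem "
                "profile and the PC's TCP/IP and Winsock stack (Winsock repair tool, or "
                "'netsh winsock reset' on XP SP2 and later)")
    return f"address {ip} via gateway {gw}: next step is 'ping {gw}'"


def diagnose_all(text: str) -> dict:
    """Verdict per section that actually carries an IP Address field."""
    return {name: diagnose(fields) for name, fields in parse_ipconfig(text).items()
            if "IP Address" in fields}


if __name__ == "__main__":
    for name, verdict in diagnose_all(SAMPLE_IPCONFIG).items():
        print(f"{name}: {verdict}")
```

    Run it against a saved ipconfig /all dump to get one verdict per adapter; on the sample the Local Area Connection is reported as a lease without a gateway, which is the state the post describes.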
  • edited November 2004
    http://www.tacktech.com/display.cfm?ttid=257 (winstockfix.zip)
    Just click Fix after you run this program.