Author Topic: router issues and win32 trojan-gen  (Read 5413 times)


Offline live4me

  • Newbie
  • *
  • Posts: 15
router issues and win32 trojan-gen
« on: September 27, 2006, 04:57:51 PM »
I have reinstalled Win XP from the recovery console and lost all user data (*gripe; grumble, against my son's best wishes). He lost the internet connection the other day.
Avast found Win32 trojan-gen infected svchost and also 2 in the restore folder; they had to be deleted ... did a recovery after this and still no internet connection. Only directly through the modem; it will not connect through the router any longer. Signal comes in but it does not recognize the connection as being valid; keeps pulling "page cannot be displayed."

avast vault shows this:
kernel32.dll     c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am   
kernel32.dll     c:\windows\system32   7/5/2006 6:55:01 am   9/26/2006  5:05:58  am
winsock.dll      c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am
wsock32.dll     c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am

hijackthis shows this:
Logfile of HijackThis v1.97.7
Scan saved at 1:25:42 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\HP_Owner.YOUR-27E1513D96\Desktop\APPLICATIONS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Connection Help (HKLM)
O9 - Extra 'Tools' menuitem: Connection Help (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159254315903

I'm not clear on this, but it looks like 3 of those results on HijackThis (O4) may be a concern.. I can not find anything on them to validate them being accurate...  but the whole problem is that I can no longer get online with the computer ..

Well, I can, but not with the router anymore, only direct connect via the modem... 4 people in the house need the connection up !!!
I have also disabled restore and then restarted and re-enabled restore after cleaning out the temp and cache folders, but I can not get the internet connection via the router to open again.

The thing was working fine before this infection appeared, so what do we need to fix to get the router to see the computer connection again (or vice versa)? According to the status there is a connection and all, but when you try to open a browser it "can not find" ..... tried a winsock fix NG!!
 tried to uninstall and reinstall card and driver NG!
 tried to release and renew ip address.. NG !
 tried to ping .. all lost!
So frustrating, and probably the answer is right under my nose, but I am so disgusted after this one..
I have run ATF-cleaner
CCsetup 133
Drweb cureit
kasperskylab
superantispyware
vundofixit
winsockxpfix
killbox
drtcp021
Still not able to get online.... plz HELP!!!! Unless directly connected via modem.. router will not open to computer or computer does not recognize connection
thank you Linda

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11539
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: router issues and win32 trojan-gen
« Reply #1 on: September 27, 2006, 05:12:27 PM »
Hi, live4me.  Welcome to LandzDown Forum.

I don't have a router -- on dialup, but I have a couple of suggestions.  Let's see if we can get a better idea of where things stand.

First, you have an old version of HijackThis.  Please uninstall the copy you have and download HijackThis© from:  http://www.thespykiller.co.uk/files/HJTsetup.exe

Note:  This is a complete installer that installs HijackThis to your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.

At the download prompt, choose "Save".  After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it.  When the installation is complete, double-click the HijackThis icon on your desktop.  Select "Do a system scan and save logfile".  Select a name for this first logfile, and a text file will be produced.  Copy the text file and paste it here as a reply.

Second, let's get Sun Java updated, as the old versions are vulnerable to the Vundo/Winfixer infections.  The following procedure is strongly encouraged to remove older version Java components:
  1. Close any open programs you may have running, especially your web browser
  2. Click Start > Control Panel (Depending on your OS or configuration, you may have to click Start > Settings > Control Panel)
  3. Open Add or Remove Programs (If you have Windows 98 or Windows 2000, open Add/Remove Programs)
  4. Click once on any item listing J2SE or Java Runtime Environment in the name.  (Not every version of Java will begin with "Java" so be sure to read each entry in the list)
  5. Click the Remove or Change/Remove button
  6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
  7. Search 'Programs' and 'Application Data' and remove old version files manually.
    • C:\Program Files\
    • C:\Documents and Settings\USERNAME\Application Data\

  Quote:
    Java Runtime Environment (JRE) 5.0 Update 8
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
    Installation Instructions | ReadMe | ReleaseNotes | Sun License | Third Party Licenses

  • Accept the agreement at the page that opens:
  Quote:
    Required: You must accept the license agreement to download the product.
  • Click:  Accept License Agreement
  • The page will refresh to Windows Platform - J2SE(TM) Runtime Environment 5.0 Update 8
  • It is recommended that you select:
  Quote:
    Windows Offline Installation, Multi-language    jre-1_5_0_08-windows-i586-p.exe    15.74 MB
  • After installing the downloaded file, restart your system again to finalize the process.

Third, since I see you have already run Winsock fix, please try this:

  1. Turn off the computer(s)
  2. Turn off the router
  3. Turn off the cable modem.
  5. Wait for about 1 to 2 minutes and then turn on the modem.
  6. When the lights stop flashing (except for activity) turn on the router
  7. After the router lights are not all flashing, turn on the computer

If no joy, you could try flushing your DNS cache.  You need to do this from the command prompt:
-- Click Start > Run > type:  ipconfig /flushdns

After it is flushed, you need to reregister it again.
-- Click Start > Run > type:  ipconfig /registerdns

That should clear out the cache.

If that doesn't work ...
MS KB299357: How to reset Internet Protocol (TCP/IP) in Windows XP
MS KB811259: How to determine and recover from Winsock2 corruption
SpyChecker.com: WinSock XP Fix 1.2

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline live4me

• Newbie
• *
• Posts: 15
Re: router issues and win32 trojan-gen
« Reply #2 on: September 27, 2006, 06:06:10 PM »
Corrine,
thanks for the fast reply!
I am working on this right now. I will be back shortly with a response!
Running between rooms with network help for downloading between computers!
Linda

Offline SpiritWind

• Jr. Member
• **
• Posts: 81
Re: router issues and win32 trojan-gen
« Reply #3 on: September 27, 2006, 06:21:57 PM »
:D  Hi :

I see you did take my advice on the Avast forums to come here!
These people are very good.
For the BEST in what counts in Life :

www.tacf.org

Offline live4me

• Newbie
• *
• Posts: 15
Re: router issues and win32 trojan-gen
« Reply #4 on: September 27, 2006, 09:21:03 PM »
Yes Spirit, I did .. it appears this may be a hardware issue, as I installed a NIC card and it works fine. HP is going to bench test the whole thing and let me know what gives..

Offline live4me

• Newbie
• *
• Posts: 15
Re: router issues and win32 trojan-gen
« Reply #5 on: September 27, 2006, 09:25:40 PM »
Also I sent to the HijackThis forum .. if there is an indication that this computer has been jacked

 I would like to remove all of this before sending it in, or they may be charging me tons of money to fix the problem.. of which I am seriously lacking ... I have an Italian disease called "de fundsarlow"
I am Italian so I can get away with saying this....
Smile and all will smile with you!
:-)
LOL

Offline Corrine

• The Mystical Rose
• Administrator
• Hero Member
• *****
• Posts: 11539
• "Stronger than the past, united in our goal."
  • Security Garden
Re: router issues and win32 trojan-gen
« Reply #6 on: September 27, 2006, 11:52:02 PM »
:lol:  It seems that disease infects other nationalities as well.

I don't see your HijackThis log.

Offline live4me

• Newbie
• *
• Posts: 15
Re: router issues and win32 trojan-gen
« Reply #7 on: September 29, 2006, 07:10:17 AM »
    Logfile of HijackThis v1.99.1
    Scan saved at 3:00:33 AM, on 9/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\AOL\1159512340\ee\AOLSoftware.exe
    c:\program files\common files\aol\1159512340\ee\aim6.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1159512340\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159394738687
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

It will connect via the modem and then stay that way once reset on the router, but once you restart the computer it goes back to no connection.

So I really don't think it is a MB issue... I think it is the hijack settings in the registry that have changed, but I don't know what to reset in the registry to get the connection back to normal.  Winsock repairs don't seem to help; clearing out the cache and temp didn't help; so far nothing suggested by anyone has been of use for this one..
Is this a new issue ... a first timer? Am I a VIRGIN here? LOL
I sure hope not .. I posted on Tom Coyote's forum and I am hoping they get me an answer. Computer is scheduled for PU on the 2nd for bench testing .. I don't need them to tell me it will cost me $$$ for doing a complete restore on it when I can do that myself... I of course am trying to repair so I don't lose any more information ... kids get nasty about having to replace this much "STUFF"
Any more suggestions?
Linda
...

Offline live4me

• Newbie
• *
• Posts: 15
Re: router issues and win32 trojan-gen
« Reply #8 on: September 30, 2006, 12:14:35 AM »
It appears that after running ewido we found isbar.s, an adware (Zango), in it; removed it and performed a smitfraudfix, which was supposed to fix the problem. Well, it did not, so now we may be clean but still not able to reboot and use the internet without hooking to the modem first.
This will cause much stress in this house...
Anyone want a shot at this mess?
This is what HJT looks like now:
    Logfile of HijackThis v1.99.1
    Scan saved at 7:55:02 PM, on 9/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1159512340\ee\AOLSoftware.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    c:\program files\common files\aol\1159512340\ee\aim6.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1159512340\ee\AOLSoftware.exe"
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159394738687
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I still don't see where the culprit is?
Like I said, I keep running all these programs and most of them don't find anything... so I remove the programs as I go... but still no reboot to find the internet connection there; I have to hook up the modem and then reroute through the router... what a pain in the @$$
I have searched the net and most people give up and fdisk, format and reinstall, but I can't see why they would not want to find out where the problem is.. it has got to be a registry change.. on internet
Someone please give it a shot.. I'm gonna go bake a cake and fix my craving to satisfy my lack of satisfaction on this mess and fix it with a sugar kick... later

     I will be back to see if anyone else wants a crack at it....
    Linda

Corrine
Re: router issues and win32 trojan-gen
« Reply #9 on: September 30, 2006, 12:45:00 AM »
        Hi, Linda.  As this log is "fresher" and they are pretty busy over at Tom Coyote's place, I've requested that thread be closed. 

        Over at Coyote's place, you wrote:

    Quote
    I know it has a second user on it and it will connect via a modem directly but that is the only way to get it connected to the internet via the router

    Does that mean you set this up?  It certainly doesn't show up in any searches.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser

Other than that, there really isn't much.  MyWay Search Bar has been identified as a source of installing malware.  The best thing is to start with uninstalling it.  Then remove any leftovers if found with HijackThis:

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS


    If you did NOT set it up, remove each of these with HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser


How about updating ewido and doing a fresh scan?  Restart your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe Mode.
• Log in on your usual account.
    If you need further assistance with Safe Mode, see Symantec

Scanning and system cleaning with ewido.
• Launch ewido-anti-spyware by double-clicking the icon on the desktop. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
    • ewido will now begin the scanning process.  Be patient as this may take a little time.
    • While scanning, ewido will list any infections found on the left side.
    • When the scan is completed, the recommended action should be set to Quarantine.  If not click Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right side.
    • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
    • Close ewido.

    Please post a reply about "seconduser", include the ewido log and a fresh HijackThis log.

    Thanks.

    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.
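Corrine's reply above works through the HijackThis log by hand, singling out the MyWebSearch/mwsBar leftovers for removal and the ie.redirect.hp.com "seconduser" entries for a question back to the owner. The following is an added example, not code from the thread or from the HijackThis project: a small parser that reads HijackThis log lines, groups them by section code, and applies exactly those two rules so a helper can triage a posted log. The only patterns it judges are the ones the post names (MyWebSearch indicators and the HP redirect URL); the sample log is constructed from lines that appear in this thread, and the verdict labels "remove", "review" and "ok" are this example's own.

```python
"""Added example (not part of the thread): triage HijackThis log lines.

Rules are limited to what the reply above states: MyWebSearch/mwsBar leftovers
are marked for removal; the HP ie.redirect.hp.com entries are normal OEM
branding unless the owner never set them up, so they are marked for review.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# HijackThis entry lines start with a section code such as R0, R1, O2, O4, O8.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Indicators named in the post.  (Patterns are this example's assumption of how
# to match them, not a list shipped with HijackThis.)
REMOVE_PATTERNS = (
    re.compile(r"mywebsearch", re.I),          # MyWebSearch paths and URLs
    re.compile(r"\bmws(bar|srcas|oemon)", re.I),  # MWSBAR.DLL, MWSSRCAS.DLL, mwsoemon.exe
)
REVIEW_PATTERNS = (
    re.compile(r"ie\.redirect\.hp\.com", re.I),  # HP "seconduser" redirect entries
)


@dataclass
class Entry:
    section: str   # e.g. "R1", "O2", "O4"
    body: str      # everything after "Rn - " / "On - "
    verdict: str   # "remove", "review" or "ok"


def classify(line: str) -> Optional[Entry]:
    """Parse one log line; return None for header/process lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if any(p.search(body) for p in REMOVE_PATTERNS):
        verdict = "remove"
    elif any(p.search(body) for p in REVIEW_PATTERNS):
        verdict = "review"
    else:
        verdict = "ok"
    return Entry(section, body, verdict)


def triage(log_text: str) -> Dict[str, List[Entry]]:
    """Group every entry line of a HijackThis log by verdict."""
    groups: Dict[str, List[Entry]] = {"remove": [], "review": [], "ok": []}
    for line in log_text.splitlines():
        entry = classify(line)
        if entry is not None:
            groups[entry.verdict].append(entry)
    return groups


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS
"""

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_LOG).items():
        for e in entries:
            print(f"{verdict:>6}  {e.section}  {e.body[:70]}")
```

Running the block on the constructed sample lists the two O2 BHOs, the O4 Run entry and the O8 context-menu item under "remove", the R1 HP redirect under "review", and the avast! Run entry under "ok"; anything not matched by a named pattern is deliberately left at "ok" rather than guessed at.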

live4me
Re: router issues and win32 trojan-gen
« Reply #10 on: September 30, 2006, 02:22:25 AM »
    Corrine,
Thank you for not giving up on me.. if you negate to include the middle section of the registry you will find many listings on the net with redirect seconduser issues.. as such I will list a few here; maybe this will help figure what gives on this

    http://greyknight17.com/bb/index.php?topic=2666.0;prev_next=next

    http://forums.afterdawn.com/thread_view.cfm/388254

    http://forum.avast.com/index.php?topic=18713.0;prev_next=prev

    http://forums.spybot.info/showthread.php?t=5558

    http://forums.spywareinfo.com/index.php?showtopic=84437&hl=targetsaver

    http://www.newbie.org/help/index.php?showtopic=3094

The R0's and R1's with redirect to seconduser seem to be integrated in HP machines, so maybe this is a normal occurrence??? Man, I wish I never bought one now....LOL This is not something I am familiar with. I don't ever recall a Compaq redirecting to seconduser, but thanks for trying...
    Linda

live4me
Re: router issues and win32 trojan-gen
« Reply #11 on: September 30, 2006, 03:11:35 AM »
Hey Corrine, I am posting from his computer right now. I have followed this link and done most everything on it.. the LSP never fixed the internet connection issue...

Click here: http://www.cexx.org/lspfix.htm to get LSP-Fix. This was already suggested earlier on another board.. it didn't do a thing...

I know I do not have New.Net so that one I skipped

I will run SmitRem which I just ran across on here

    I ran Vundofix.exe already found nothing...


I ran ewido before I ran SmitfraudFix (by S!Ri) http://siri.urz.free.fr/Fix/SmitfraudFix.zip; it didn't seem to make a difference... did not find wininet.dll infected, nor was anything else...

Ran KillBox and it found nothing also,
but no one told me what files to delete either. I know I have Zango, or did, and I updated the Java to a new version, so should I also delete that again?

Well, I will be busy tonight, but I can not reboot via the modem again until well after midnight EST...
so I guess I will get busy scanning this now..
Thnx again    Linda

live4me
Re: router issues and win32 trojan-gen
« Reply #12 on: September 30, 2006, 07:15:35 AM »
Completed all and here are the reports:
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

     + Created at:   1:58:22 AM 9/30/2006

     + Scan result:   



    :mozilla.86:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.87:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.90:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\HP_Owner.JAMES\Cookies\hp_owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.6:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.8:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
    :mozilla.57:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.58:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.59:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.60:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.61:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.66:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.70:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
    C:\Documents and Settings\HP_Owner.JAMES\Cookies\hp_owner@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
    :mozilla.51:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.52:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.53:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.54:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.55:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.50:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.78:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.100:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.94:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.95:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.96:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.97:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.98:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.99:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.67:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.68:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.69:C:\Documents and Settings\HP_Owner.JAMES\Application Data\Mozilla\Firefox\Profiles\d0eg9sqj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\HP_Owner.JAMES\Cookies\hp_owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


    ::Report end

    Logfile of HijackThis v1.99.1
    Scan saved at 3:05:59 AM, on 9/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1159512340\ee\AOLSoftware.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1159512340\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159394738687
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

But unfortunately I am still unable to get set up on the net via the router...
I am sure that if I go through the modem and reroute through the router once I get online on the modem that we will end up with the second user thing again... I still can not figure out why it will not recognize the connection from the router to the computer unless the modem is hooked up first..?? This does not make any sense to me at all.. everything should be totally clean and set up right like it was before the problem started, but it still will not recognize the router without first putting the modem online. Once that happens it is like it opens its eye up and sees the connection, but until then it will not connect.. makes absolutely no sense to me at all... is this a MB issue? And is that why the NIC card will not recognize the router without first putting it on the modem?
Have you ever heard of such a thing?

    should i put this baby to rest? LOL
    thank you for all...
    Linda

Corrine
Re: router issues and win32 trojan-gen
« Reply #13 on: September 30, 2006, 12:12:34 PM »
    Hi, Linda.  Running the SmitRem or SmitFraud tools will not solve your problem.  They are for specific infections which are not a problem with your machine.  Just to put to rest any question of malware, the one thing we can try is for you to rename HijackThis.exe.  The only reason I suggest that is because you had an old version of SunJava on that machine that was vulnerable to the Vundo/Winfixer infection, some variations of which can hide from HJT.

    Navigate to C:\Program Files\Hijackthis > Right click on HijackThis.exe > Select Rename > Rename it as you wish (i.e., L4M_HJT.exe).  Don't change the extension from .exe though.  Post a fresh HJT log with the renamed exe.

    As I said earlier, I do not use a router so cannot help there.  It could be that the NIC card has gone bad or needs to be re-seated.  I don't recall if Mitch uses a router but I think we need someone like him or Temmu to take a look at that issue.

live4me
Re: router issues and win32 trojan-gen
« Reply #14 on: September 30, 2006, 04:33:44 PM »
    Oh Corrine,,,,
Now my one son got his online, but now the other one can not get on.. seems to be the same issue.....
We are taking turns here...:-(