Internet Dial-Up Disconnecting


8 replies to this topic

#1 shyam


    Active Member

  • Active Members
  • 22 posts

Posted 23 April 2004 - 06:27 AM

I have just run Ad-Aware & SpyBot but it hasn't helped - my internet connection is being terminated after 2 or 3 minutes. I have tried two different ISPs and two different telephone lines. So the problem really seems to be some malware. Please help! Here is my HiJackThis Log...

Logfile of HijackThis v1.97.5
Scan saved at 6:58:13 AM, on 23/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\WINDOWS\System32\PRISMSTA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Inoculator\inoc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\V-Gear PocketTV Video\rmc.exe
C:\Program Files\CyberLink\PowerVCRII\Agent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\System32\wisptis.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\Simon Manning\Desktop\My Files\SpyWare Tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-pc-asia.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {201FCA3F-73C0-4099-829C-E059BD19E0C4} - C:\PROGRA~1\SOFTIN~1\RichBar\RichBar0.dll
O3 - Toolbar: Rich Explorer Bar - {1FFE8FE5-B4C8-49CB-A597-AC7F96DA2F04} - C:\PROGRA~1\SOFTIN~1\RichBar\RICHBA~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PCBG] C:\Program Files\Intrigue Learning\pcbodyguard.exe /start
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [V-Gear PocketTV Video] C:\Program Files\V-Gear PocketTV Video\rmc.exe
O4 - HKLM\..\Run: [Agent] "C:\Program Files\CyberLink\PowerVCRII\Agent.exe"
O4 - HKLM\..\Run: [Remote_Agent] "C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: : Block Url - res://C:\Program Files\SoftInterop\RichBar\RichBar0.dll/hBlockUrlMenuDlg.htm
O8 - Extra context menu item: : Create Alias - res://C:\Program Files\SoftInterop\RichBar\RichBar0.dll/hCreateAliasMenuDlg.htm
O8 - Extra context menu item: : View in Multi-Tab Browser - res://C:\Program Files\SoftInterop\RichBar\RichBar03.dll/hViewInBrowserMenu.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc-asia.com
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.co...ease/instub.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn....id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 decon101


    New Member

  • Member
  • 7 posts

Posted 23 April 2004 - 07:05 AM

Not checked your log file, but do you have BT services on your phone? These can sometimes cause disconnecting :huh:

#3 shyam


Posted 23 April 2004 - 09:17 PM

No - no BT services. And this is a problem which has suddenly come up - it has never happened before over years.

Please help!

#4 CalamityJane


    Global Board Mom

  • Charter Members
  • 5,268 posts

Posted 23 April 2004 - 09:22 PM

Hi shyam,

I can't see anything running on that log that would be malware. When did this start happening?

Also, on a different issue, when you had iSearch bar, it may have left a Hosts file on your system that blocks certain websites.

Could you please do a search on your PC for a file called: HOSTS

If found, please open it up and copy and paste the contents back here so we can make sure none of the entries are leftovers from the iSearch bar.

#5 shyam


Posted 24 April 2004 - 02:52 AM

Here is the HOSTS search results...

HOSTS C:\WINDOWS\I386 File

LMHOSTS.SA_ C:\WINDOWS\I386 Unknown application

Hosts.sbs.sig C:\Program Files\Spybot - Search & Destroy\Signatures Unknown application

lmhosts C:\WINDOWS\system32\drivers\etc Unknown application

hosts C:\WINDOWS\system32\drivers\etc File

As for the disconnection, my Outlook Express settings were remotely tampered with, making the configuration "disconnect after downloading mail". Hmmmmmm. Sorry for the false alarm, but I know someone else who experienced the same thing a while ago. Seems there's someone out there getting a kick outta that.

What do you think about the HOSTS search?

Thanks, Calamity Jane. You're great.

#6 CalamityJane


Posted 24 April 2004 - 11:56 AM

Hi shyam,

Open this Hosts file with Notepad. Copy and paste the contents back here.

hosts C:\WINDOWS\system32\drivers\etc File

#7 shyam


Posted 26 April 2004 - 11:43 PM

Hi Calamity Jane!

The file seems pretty benign. It is at the end of this post. But I have further problems with Internet Explorer. You remember how previously I mentioned that the setting was modified to make it disconnect after downloading mail. I certainly didn't make that modification. But also other changes have happened which I can't fix.

Specifically, right click mode is changed. Sometimes right click won't work at all in IE. And always it shows 'save target as' and 'print target' and 'cut' and 'copy' as grayed out. And often if I click on a javascript link, nothing happens. Whereas the same link in Opera works perfectly.

Any thoughts on this? My IE never used to be like this.


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

127.0.0.1 internet-optimizer.com

127.0.0.1 www.internet-optimizer.com
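
Added example, not part of any post in this thread: a small Python triage of a hosts file like the one pasted in post #7. It separates the stock localhost entry from names pinned to loopback (which blocks those sites, the leftover effect described in post #4) and from names pointed at some other address. The function names and the 192.0.2.10 / update.example.test line are constructed for illustration.

```python
import ipaddress

# Active entries from the hosts file pasted in post #7, one of its commented
# sample lines, and one constructed line (192.0.2.10 / update.example.test are
# documentation values, not taken from the thread).
SAMPLE_HOSTS = """\
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 internet-optimizer.com
127.0.0.1 www.internet-optimizer.com
192.0.2.10 update.example.test   # constructed redirect entry
"""

# Names a stock Windows hosts file maps to loopback.
DEFAULT_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                   # an address with no name is not an entry
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                    # first column is not an IP address
            continue
        for name in fields[1:]:               # one line may carry several names
            yield ip, name.lower()


def classify(ip, name):
    """default: stock entry; blocked: name pinned to loopback; redirect: other IP."""
    if ip.is_loopback or ip.is_unspecified:
        return "default" if name in DEFAULT_NAMES else "blocked"
    return "redirect"


def triage(text):
    """Group every active hosts entry by classification."""
    report = {"default": [], "blocked": [], "redirect": []}
    for ip, name in parse_hosts(text):
        report[classify(ip, name)].append((str(ip), name))
    return report


if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_HOSTS).items():
        for ip, name in entries:
            print(f"{kind:8} {ip:15} {name}")
```

Entries in the "blocked" group explain why a site will not load; entries in the "redirect" group deserve the closest look, since the name resolves to an address chosen by whoever wrote the line.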

#8 CalamityJane


Posted 27 April 2004 - 02:36 PM

I don't see anything wrong in the hosts settings that would cause it, nor do I see any malware causing it. I can only think that something in your network connection has changed or a third party software you are using (Richbar? or a firewall setting? Proxy software?)

If your system was working fine before a known date, try using System Restore to a prior date when it did work ok and see if that fixes the problem :)

#9 shyam


Posted 03 May 2004 - 03:49 AM

Hi Calamity Jane!

I tried using System Restore, but it seems that the System Restore function has been disabled - not by me. Under SYSTEM in Control Panel, there is NO check against "Turn Off System Restore".

But when I go to use the System Restore wizard, there is a message after re-boot saying that System Restore has not happened, with no reason why not.

So something nasty is prohibiting System Restore. What do you think is going on? :(