Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: Internet Connection Freezes Up

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    12

    Default Internet Connection Freezes Up

    I hope that this is the correct place to start this thread. But anyways, here's the deal.

    For some reason or another, my internet connection just freezes up rendering my ability to game/surf/download off the internet impossible for about 30-60 seconds. After this freeze up, I can once again surf/download/game until the next time it occurs.

    This has never happened until this past week, so I immediately think its something to do with trojans or what not so I then go on to use the spybot tool to search and destroy countless stuff. The only exception being the malware called command service. Using the instructions given in the dlee1964 thread (posted 2006-07-27, 15:27), I was able to eliminate it. So now when I run s&d it finds nothing critical (I forgot the extact phrase it states). However, the problem of my internet connection freezing up still exsists.

    At this point, I truely don't know what it may be and hope that someone out there may know what it is, cuz I have run outta ideas.

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    32,702

    Default

    Hello, please see our 'sticky' topic:
    BEFORE you post and who will advise you. Preliminary Steps

    Copy paste the HJT log here into this thread and a helper will advise you as soon as available to do so.

    Cheers.
    Microsoft MVP. Consumer Security 2006-2014


  3. #3
    Junior Member
    Join Date
    Aug 2006
    Posts
    12

    Default hjk log

    Here is the hjk log

    Logfile of HijackThis v1.99.1
    Scan saved at 6:24:49 PM, on 04/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\AVWLPSTA.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Happy Lappy\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVWLPSTA.exe] AVWLPSTA.EXE START
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
    O4 - HKLM\..\Run: [ktu7bba2] RUNDLL32.EXE wdc0100c.dll,n 0027bba00000000adc0100c
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123934408296
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: Media Center - C:\WINDOWS\system32\cZrds.dll (file missing)
    O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\cslbact.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

  4. #4
    Junior Member
    Join Date
    Aug 2006
    Posts
    12

    Default

    And the simpilfied end report of the online anti-virus scan of housecall:

    (MS06-005) Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
    (MS06-006) Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
    (MS06-007) Vulnerability in TCP/IP Could Allow Denial of Service (913446)
    (MS06-008) Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
    (MS06-013) Cumulative Security Update for Internet Explorer (912812)
    (MS06-014) Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
    (MS06-015) Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
    (MS06-016) Cumulative Security Update for Outlook Express (911567)
    (MS06-018) Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
    (MS06-021) Cumulative Security Update for Internet Explorer (916281)
    (MS06-022) Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439)
    (MS06-023) Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344)
    (MS06-025) Vulnerability in Routing and Remote Access Could Allow Remote Execution (911280)
    (MS06-030) Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389)
    (MS06-032) Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
    (MS06-035) Vulnerability in Server Service Could Allow Remote Code Execution (917159)
    (MS06-036) Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,078

    Default

    Hello

    Post a combofix log
    1. Download this file - combofix.exe
    http://download.bleepingcomputer.com/sUBs/combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    If the log is large You might need to post half in one reply half in another.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  6. #6
    Junior Member
    Join Date
    Aug 2006
    Posts
    12

    Default

    These are the only 2 lines in the log file...

    Start Time= 10/08/2006 2:07:33.31
    Running from: C:\Documents and Settings\Happy Lappy\Desktop

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,078

    Default

    Start Hijackthis and place a check next to these items If there.
    O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
    O4 - HKLM\..\Run: [ktu7bba2] RUNDLL32.EXE wdc0100c.dll,n 0027bba00000000adc0100c
    ====================================
    Hit fix checked and close Hijackthis.

    Although the infection looks inactive Please download Look2Me-Destroyer.exe to your to the root drive, eg: Local Disk C: or partition where your operating system is installed.
    http://www.atribune.org/content/view/28/
    Close all windows before continuing.
    Double-click Look2Me-Destroyer.exe to run it.
    Put a check next to Run this program as a task.
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 to five minute's. Click OK
    When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    Once it's done scanning, click the Remove L2M button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.
    Wait about Four minutes, Turn your computer back on.
    Please post the contents of Look2Me-Destroyer.txt

    Post a report from this tool if any FILES show
    F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
    Click the i accept button near the bottom of that page.
    Download and run blacklite click > scan then > next, next again then exit
    there will be a new txt near blacklite. post it please.
    Important: If any files show Do not rename them YET.....legitimate files can be listed.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  8. #8
    Junior Member
    Join Date
    Aug 2006
    Posts
    12

    Default look2me-destroyer.txt contents

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 10/08/2006 10:58:02 AM

    Infected! C:\WINDOWS\system32\cZrds.dll
    Infected! C:\WINDOWS\system32\cslbact.dll
    Infected! C:\System Volume Information\_restore{37016AFA-ACD1-41CE-86B6-62862DAA3D27}\RP393\A0029427.dll
    Infected! C:\System Volume Information\_restore{37016AFA-ACD1-41CE-86B6-62862DAA3D27}\RP393\A0029428.dll

    Attempting to delete infected files...

    Attempting to delete: C:\System Volume Information\_restore{37016AFA-ACD1-41CE-86B6-62862DAA3D27}\RP393\A0029427.dll
    C:\System Volume Information\_restore{37016AFA-ACD1-41CE-86B6-62862DAA3D27}\RP393\A0029427.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{37016AFA-ACD1-41CE-86B6-62862DAA3D27}\RP393\A0029428.dll
    C:\System Volume Information\_restore{37016AFA-ACD1-41CE-86B6-62862DAA3D27}\RP393\A0029428.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Media Center
    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A5AC6A4F-CAA4-4452-8213-6C739E0B728A}"
    HKCR\Clsid\{A5AC6A4F-CAA4-4452-8213-6C739E0B728A}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DBE2D8B1-9A66-4108-870C-AAE5CF7817CC}"
    HKCR\Clsid\{DBE2D8B1-9A66-4108-870C-AAE5CF7817CC}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

  9. #9
    Junior Member
    Join Date
    Aug 2006
    Posts
    12

    Default F-Secure Blacklight txt contents

    08/10/06 11:10:52 [Info]: BlackLight Engine 1.0.42 initialized
    08/10/06 11:10:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    08/10/06 11:10:52 [Note]: 7019 4
    08/10/06 11:10:52 [Note]: 7005 0
    08/10/06 11:10:58 [Note]: 7006 0
    08/10/06 11:10:58 [Note]: 7011 404
    08/10/06 11:10:59 [Note]: 7026 0
    08/10/06 11:10:59 [Note]: 7026 0
    08/10/06 11:11:05 [Note]: FSRAW library version 1.7.1019
    08/10/06 11:13:00 [Note]: 7007 0

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,078

    Default

    Hi

    Try running combofix again, if you see any error's let us know
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •