Thread: Network Connections being hijacked

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    5

    Default Network Connections being hijacked

    hi,

    My network connection for my internet is being hijacked. A couple of weeks ago I was infected with that smitfraud thing, so I followed the sticky and downloaded HJT, Smitfraud.exe and Ewido. Things went great and everything was clean - so I thought - until I noticed my net connection continually disconnecting and, after attempting a redial, generating new connections, i.e. User???????

    I hope someone can help me as this is really becoming a problem.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:45:10 PM, on 4/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\Downloads\Avast Antivirus\New Folder\aswUpdSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    E:\Downloads\Avast Antivirus\New Folder\ashServ.exe
    E:\Downloads\New\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    E:\Downloads\New\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    E:\Downloads\Avast Antivirus\New Folder\ashSimpl.exe
    C:\WINDOWS\system32\wuauclt.exe
    E:\Downloads\New\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0;<local>
    O4 - HKLM\..\Run: [!ewido] "E:\Downloads\New\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Downloads\Avast Antivirus\New Folder\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - E:\Downloads\Avast Antivirus\New Folder\ashServ.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Downloads\New\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    SmitFraudFix v2.65

    Scan done at 22:22:27.31, Tue 04/07/2006
    Run from E:\Downloads\New\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alison\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Alison\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{86AA461F-2A5B-4889-B543-E1BBA6746D61}"="st3d"

    [HKEY_CLASSES_ROOT\CLSID\{86AA461F-2A5B-4889-B543-E1BBA6746D61}\InProcServer32]
    @="C:\WINDOWS\g25471281.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{86AA461F-2A5B-4889-B543-E1BBA6746D61}\InProcServer32]
    @="C:\WINDOWS\g25471281.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End


    I'm running Ewido at the moment and will post a log report once the scan is complete.

    Thanks....Keme

  2. #2
    Junior Member
    Join Date
    Jun 2006
    Posts
    5

    Default

    here's the ewido log

    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:49:57 PM 4/07/2006

    + Scan result:



    Nothing found.


    ::Report end

  3. #3
    Junior Member
    Join Date
    Jun 2006
    Posts
    5

    Default

    Since my last post Ewido has picked up Trojan.dialer.pz and random C:\WINDOWS\temp\win?? files.

    Despite quarantining and deleting these, they are still being generated.

    I hope this also helps to figure out what's wrong.

    Thanks...Keme

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    kementari

    Run SmitfraudFix option 2 while in safe mode; also run Ewido in safe mode too.
    Redownload SmitfraudFix as it's updated often:
    http://forums.spybot.info/showthread.php?t=4015

    What Symantec/norton programs do you have installed ?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    5

    Default

    Ok, I redownloaded SmitfraudFix and ran it and HJT; these are the logs.

    SmitFraudFix v2.68b

    Scan done at 18:32:05.93, Sun 09/07/2006
    Run from E:\Downloads\New\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Logfile of HijackThis v1.99.1
    Scan saved at 6:34:33 PM, on 9/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    E:\Downloads\Avast Antivirus\New Folder\aswUpdSv.exe
    E:\Downloads\Avast Antivirus\New Folder\ashServ.exe
    E:\Downloads\New\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Downloads\New\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\cleanmgr.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\notepad.exe
    E:\Downloads\New\Hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [!ewido] "E:\Downloads\New\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1531CD6-2DEE-4B7C-95E4-DE793206AC86}: NameServer = 203.2.75.132 198.142.0.51
    O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Downloads\Avast Antivirus\New Folder\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - E:\Downloads\Avast Antivirus\New Folder\ashServ.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Downloads\New\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    -----------------

    I don't currently have Norton installed, though I found a Live Update (Symantec) in my Add/Remove Programs directory.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Run HijackThis, click "Config", then "Misc Tools" > "Delete file on reboot"
    (exact spelling counts!!! so don't browse to the files).
    Copy/paste the bolded line below into the File name box, then click Open:
    C:\WINDOWS\SYSTEM32\winetn32.dll
    Answer yes to the prompt to reboot the PC.

    Once Windows has restarted, scan with HijackThis and fix this item:
    O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
    =======================

    In Add/Remove Programs uninstall Live Update and either avast or NOD32,
    then run through the steps here to clean up after Norton/Symantec:
    http://basconotw.mvps.org/SymRem.htm

    Post another log and let us know if there are any problems.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
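    The O20 Winlogon Notify line singled out above is one of several persistence points a HijackThis log exposes (alongside O17 NameServer and O23 service entries). As an added example, not code from this thread or from HijackThis, the Python below parses lines in that log format and pulls out the entries a defender checks first; the sample lines and the allowlist of known Notify DLLs are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99.1 format used in this thread (not the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1531CD6-2DEE-4B7C-95E4-DE793206AC86}: NameServer = 203.2.75.132 198.142.0.51
O20 - Winlogon Notify: winetn32 - C:\WINDOWS\SYSTEM32\winetn32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! Antivirus - Unknown owner - E:\Downloads\Avast Antivirus\New Folder\ashServ.exe
"""

# Assumed allowlist of Winlogon Notify DLLs belonging to legitimately installed software; constructed
# for this example and seeded only with Webroot's WRLogonNTF.dll, which appears in the thread's log.
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe)', re.IGNORECASE)

@dataclass
class Entry:
    section: str      # HijackThis section code, e.g. "O20"
    body: str         # everything after the "O20 - " prefix
    path: str | None  # first .dll/.exe path named in the body, if any

def parse_hjt(text: str) -> list[Entry]:
    """Split a HijackThis log into typed entries, keeping the first file path each one names."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list and blank lines are skipped
        section, body = m.groups()
        p = PATH_RE.search(body)
        entries.append(Entry(section, body, p.group(0) if p else None))
    return entries

def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Pull out the persistence points that matter for a dialer / Winlogon-hook cleanup."""
    report = {"unknown_winlogon_notify": [], "nameservers": [], "services_unknown_owner": []}
    for e in entries:
        if e.section == "O20" and e.path and e.path.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            report["unknown_winlogon_notify"].append(e.path)  # DLL winlogon loads at every logon
        elif e.section == "O17" and "NameServer" in e.body:
            report["nameservers"].extend(e.body.split("=", 1)[1].split())  # compare with the ISP's DNS
        elif e.section == "O23" and "Unknown owner" in e.body and e.path:
            report["services_unknown_owner"].append(e.path)  # no publisher string; verify the binary
    return report
```

    Running `triage(parse_hjt(SAMPLE_LOG))` flags winetn32.dll as the only Notify DLL outside the allowlist, while the Webroot DLL passes; the DNS servers and the unsigned-looking service are listed for manual verification, not declared malicious.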

  7. #7
    Junior Member
    Join Date
    Jun 2006
    Posts
    5

    Default

    I followed the above instructions; I'm halfway through the process to remove the remains of Symantec/Norton.

    I also did a scan with Spy Sweeper and it picked up the following:

    Trojan Horse found: trojan agent winlogonhook
    HKLM\software\microsoft\mssmgr\ (9 subtraces)


    I've tried to delete this from the registry numerous times but it always comes back.

  8. #8
    tashi - Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Still with us kementari?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  9. #9
    tashi - Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    This topic is closed.

    If you need it re-opened please send me a pm and provide a link to the thread.
    Applies only to the original topic starter.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
