Internet access disabled after virus removal

#1
bwpotter
I picked up a virus a while back, which was identified as Mydoom.AR, Java/ByteVerify, and/or Java/OpenStream. I've run a host of AV/spybot programs including AVG, SpyBot S&D, Ad-Aware, CWShredder, McAfee AV running from a BartsPE boot disc, and a couple of online scanners as well. I've removed all files referenced as infected. So current virus scans are coming up negative.

I have completed the five steps as outlined by this forum regarding malware removal and have attached the HijackThis log below.

Here's the problem. Whenever I disable ZoneAlarm Pro (ZAP), my internet connection hangs up, preventing any program updates, browser access, etc. When I attempt a connection to any URL, both IE and FireFox are redirected to IP 208.185.174.63:8082 which then freezes. When ZoneAlarm is started back up, Internet access becomes available again!!!

I think it is some sort of worm that traveled through my local network, because three different machines exhibit the same issues. However, only the XP platform w/ZAP is able to access the Internet. My win98 machine with ZAP is completely locked out. I've tried several hosts file resets and winsock fixes as well but to no avail.

If anyone could provide any advice, suggestions, etc. on what I can do from here, I would be so grateful! Thanks in advance... Brian

Logfile of HijackThis v1.99.1
Scan saved at 12:40:20 PM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\SETI@home\[email protected]
D:\Program Files\Belkin\Bluetooth Software\BTTray.exe
D:\Program Files\SpySubtract\SpySub.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Downloaded Files\Utilities\Maintenence Utilities\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [seticlient] D:\Program Files\SETI@home\[email protected] -min
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103507796420
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...438/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - G:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - G:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - G:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - G:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - G:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - G:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - G:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORACLEDB - Oracle Corporation - g:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
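
The log above is a HijackThis v1.99 report, and the first thing a reviewer does with one is group its O-entries and pick out the items that need a closer look. As an added example that is not part of the original post and not code from HijackThis itself, here is a small Python triage script for that format. The embedded sample reproduces the O-lines from the post verbatim (including the URLs exactly as the forum truncated them); the three checks it applies (O23 services listed with "Unknown owner", O16 downloaded ActiveX controls, O2 browser helper objects with no display name) are the usual review heuristics for this log format, chosen by me, not something the poster ran, and a hit means "look this up", not "this is malicious".

```python
"""Triage a HijackThis v1.99-style log: group O-entries and flag review items.

Added example (not from the original post or from HijackThis). The sample
log is copied from the forum post; truncated URLs are left as displayed.
"""
import re
from collections import defaultdict

# One HijackThis entry: section code, " - ", body.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O23: "Service: <display name>[ (<short name>)] - <owner> - <path>"
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# O4: "HKLM\..\Run: [<value name>] <command line>"  (Global Startup lines differ)
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O16: "DPF: {<CLSID>} (<control name>) - <url>"
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]+)\) - (?P<url>\S+)$")
# O2: "BHO: <name> - {<CLSID>} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

# Sample input: the O-entries from the post above, unchanged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [seticlient] D:\Program Files\SETI@home\[email protected] -min
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103507796420
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...438/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - G:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - G:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - G:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - G:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - G:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - G:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - G:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORACLEDB - Oracle Corporation - g:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text):
    """Group the log's O-entries by section code (O2, O4, O16, O23, ...)."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return entries


def autoruns(entries):
    """Registry Run entries (HKLM/HKCU) as dicts; Global Startup lines are left raw."""
    return [m.groupdict() for m in map(RUN_RE.match, entries.get("O4", [])) if m]


def triage(text):
    """Return (entries, findings); each finding is (section, subject, detail, reason)."""
    entries = parse_hjt(text)
    findings = []
    for body in entries.get("O23", []):          # services without vendor info
        m = SERVICE_RE.match(body)
        if m and m.group("owner") == "Unknown owner":
            findings.append(("O23", m.group("name"), m.group("path"),
                             "service binary carries no vendor information; verify publisher and hash"))
    for body in entries.get("O16", []):          # ActiveX controls pulled from the web
        m = DPF_RE.match(body)
        if m:
            findings.append(("O16", m.group("name"), m.group("url"),
                             "downloaded ActiveX control; confirm you installed it from that origin"))
    for body in entries.get("O2", []):           # BHOs that hide their name
        m = BHO_RE.match(body)
        if m and m.group("name") == "(no name)":
            findings.append(("O2", m.group("clsid"), m.group("path"),
                             "browser helper object without a display name; identify by CLSID/path"))
    return entries, findings


if __name__ == "__main__":
    _, found = triage(SAMPLE_LOG)
    for section, subject, detail, reason in found:
        print(f"{section:4} {subject}: {detail}\n     {reason}")
```

Run against the post's log it reports the five Oracle services listed with "Unknown owner", the four online-scanner ActiveX controls, and the unnamed BHO (which the path shows is Spybot's SDHelper.dll); in a log from an infected machine the same three buckets are where unexpected binaries usually show up first.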

#2
bwpotter

Found the solution for anyone who runs into this down the road.

To recap, whenever I disabled the ZoneAlarm Pro firewall, I would lose my internet connection. I had associated this with recent virus removal activities.

I'm connected to the internet via a D-Link DI-604 router. This router has a feature that, when enabled, works with ZoneAlarm Pro providing additional "security" for controlling traffic. I recently enabled this option. And that's the problem!

When the firewall is shut down, and the router's ZoneAlarm feature is on, the router will stop all traffic and redirect it to 208.185.174.63, port 8082. An IP lookup showed this address belonged to ZoneAlarm! And that's where I got a hint as to what was causing the trouble.

Sorry for the time and bandwidth taken on this issue.