Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Internet access disabled after virus removal

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 2 posts
I picked up a virus awhile back, which was identified as Mydoom.AR, Java/ByteVerify, and/or Java/OpenStream. I've run a host of AV/spybot programs including AVG, SpyBot S&D, Ad-Aware, CWShredder, McAfee AV running from a BartsPE boot disc, and a couple of online scanners as well. I've removed all files referenced as infected. So current virus scans are coming up negative.

I have completed the five steps as outlined by this forum regarding malware removal and have attached the HijackThis log below.

Here's the problem. Whenever I disable ZoneAlarm Pro (ZAP), my internet connection hangs up, preventing any program updates, browser access, etc. When I attempt a connection to any URL, both IE and FireFox are redirected to IP which then freezes. When ZoneAlarm is started back up, Internet access becomes available again!!!

I think it is some sort of worm that traveled through my local network, because three different machines exhibit the same issues. However, only the XP platform w/ZAP is able to access the Interent. My win98 machine with ZAP is completely locked out. I've tried several hosts file resets and winsock fixes as well but to no avail.

If anyone could provide any advice, suggestions, etc. on what I can do from here, I would be so greatful! Thanks in advance... Brian

Logfile of HijackThis v1.99.1
Scan saved at 12:40:20 PM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
D:\Program Files\SETI@home\SETI@home.exe
D:\Program Files\Belkin\Bluetooth Software\BTTray.exe
D:\Program Files\SpySubtract\SpySub.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Downloaded Files\Utilities\Maintenence Utilities\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [seticlient] D:\Program Files\SETI@home\SETI@home.exe -min
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\SpySubtract\SpySub.exe
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103507796420
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...438/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - G:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - G:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - G:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - G:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - G:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - G:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - G:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORACLEDB - Oracle Corporation - g:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0




    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Found the solution for anyone who runs into this down the road.

To recap, whenever I disabled the ZoneAlarm Pro firewall, I would lose my interent connection. I had associated this with recent virus removal activities.

I'm connected to the interent via a D-Link DI-604 router. This router has a feature that, when enabled, works with ZoneAlarm Pro providing additional "security" for controlling traffic. I recently enable this option. And that's the problem!

When the firewall is shutdown, and the router's ZoneAlarm feature is on, the router will stop all traffic and redirect it to, port 8082. An IP lookup showed this address belonged to ZoneAlarm! And that's were I got a hint as to what was causing the trouble.

Sorry for the time and bandwidth taken on this issue.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP