
Explorer TCP connections until crash [CLOSED]


This topic is locked.

#1 lhdow (New Member, 5 posts)
System had many problems by the time it got to me. Proceeded with the "do this first" items. Spybot, Ad-Aware, CWShredder all removed things. Installed Norton Internet Security 2005 and it found viruses and other spyware. Tried to go to XP SP2. Seemed OK, but the firewall would not start. Applet returns "unknown problem prevents firewall configuration from being displayed." Event log showed a TCP error on too many connections. Did a netstat -no and found that it was Explorer (the desktop) itself opening all the TCP connections to the internet. Can't really kill that one. XP SP2 backed out to SP1a. Spybot, Ad-Aware, CWShredder all come back clean. Virus scan is clean too, and has been deinstalled. Log attached.

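The netstat -no check lhdow describes is worth automating: count the TCP rows per PID, map each PID to an image name with tasklist, and flag a shell host such as explorer.exe that is fanning out to many foreign hosts (code loaded into Explorer, for instance a ShellServiceObjectDelayLoad DLL, makes its connections under Explorer's PID, which is why the connections looked like they came from "the desktop itself"). The script below is an added example and is not code from this thread. NETSTAT_SAMPLE and TASKLIST_SAMPLE are constructed text in the Windows XP output formats, with documentation-range addresses; the SHELL_HOSTS set and the max_hosts threshold are my assumptions.

```python
"""Find which process owns a flood of TCP connections in `netstat -no` output.

Added example for this thread, not code from the original posts.  The two
SAMPLE strings are constructed text in the Windows XP `netstat -no` and
`tasklist` formats; on a live box feed in the real command output instead.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -no` (TCP rows carry a State column).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1031       192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.5:1044       203.0.113.10:80        SYN_SENT        1480
  TCP    192.168.1.5:1045       203.0.113.11:80        SYN_SENT        1480
  TCP    192.168.1.5:1046       203.0.113.12:80        SYN_SENT        1480
  TCP    192.168.1.5:1047       203.0.113.13:80        SYN_SENT        1480
  TCP    192.168.1.5:1048       203.0.113.14:80        ESTABLISHED     1480
  TCP    192.168.1.5:1050       198.51.100.7:80        ESTABLISHED     2212
  TCP    192.168.1.5:1051       198.51.100.7:443       ESTABLISHED     2212
"""

# Constructed sample of default `tasklist` output, used to map PID -> image.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0        236 K
Explorer.EXE                1480 Console                 0     18,432 K
firefox.exe                 2212 Console                 0     41,008 K
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

# Processes that should not fan out over TCP on their own.  Explorer hosts
# shell extensions and ShellServiceObjectDelayLoad DLLs, so a DLL injected
# that way connects under Explorer's PID.  (Assumed list; extend as needed.)
SHELL_HOSTS = {"explorer.exe"}


def parse_netstat(text):
    """Return one dict per TCP row of `netstat -no` output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            rows.append({"local": local, "foreign": foreign,
                         "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from default `tasklist` output."""
    names = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            names[int(m.group(2))] = m.group(1).strip()
    return names


def connections_by_pid(rows, names):
    """Per PID: image, non-listening TCP rows, distinct foreign hosts and
    half-open (SYN_SENT) attempts, the kind SP2's connect limit throttles."""
    summary = defaultdict(lambda: {"image": "?", "total": 0,
                                   "hosts": set(), "syn_sent": 0})
    for r in rows:
        if r["state"] == "LISTENING":
            continue
        s = summary[r["pid"]]
        s["image"] = names.get(r["pid"], "?")
        s["total"] += 1
        s["hosts"].add(r["foreign"].rsplit(":", 1)[0])
        if r["state"] == "SYN_SENT":
            s["syn_sent"] += 1
    return dict(summary)


def flag_suspicious(summary, max_hosts=5):
    """PIDs worth a closer look: a shell host talking to more than one
    foreign host, or any process talking to more than max_hosts of them."""
    flagged = []
    for pid, s in sorted(summary.items()):
        n = len(s["hosts"])
        if s["image"].lower() in SHELL_HOSTS and n > 1:
            why = "shell host opening its own connections (injected DLL?)"
        elif n > max_hosts:
            why = "fan-out to %d distinct hosts" % n
        else:
            continue
        flagged.append((pid, s["image"], n, s["syn_sent"], why))
    return flagged


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    summary = connections_by_pid(rows, parse_tasklist(TASKLIST_SAMPLE))
    for pid, image, hosts, half_open, why in flag_suspicious(summary):
        print("PID %5d %-14s hosts=%d syn_sent=%d  %s"
              % (pid, image, hosts, half_open, why))
```

On the sample data the only PID flagged is Explorer's, with four half-open attempts to four different hosts; a browser such as firefox.exe talking to one host on two ports is left alone. The point of the SYN_SENT column is that a process stuck in SYN_SENT against many hosts is exactly what the XP SP2 connection-attempt limit slows down, which matches lhdow's observation that SP2 "limits the connections" without fixing the cause.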



#2 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Logfile of HijackThis v1.99.1
Scan saved at 5:46:58 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\RadioSvr.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\updates\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://yoursearch.ws/browser/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {ECD07A28-FC4C-4DC1-8A9A-13EAA5FB7841} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ECD07A28-FC4C-4DC1-8A9A-13EAA5FB7841} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://instantsuppor...DiagManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114448703343
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O21 - SSODL: WyBfwPdN - {84AE118A-2E04-BB20-D3C9-77348BED0B97} - C:\WINDOWS\System32\yynml.dll
O21 - SSODL: NTDBGTOOL - {38684FF2-8AAF-4DD6-A35D-C500C4628E64} - C:\WINDOWS\System32\ieakview.dll
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#3 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I'll brb!

#4 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Well, you've got some kind of hijacker! The suspicious files I see appear to have random names. Will you please post a new HiJackThis log for me to make sure they've kept the same name?
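Michelle's read of the log above (post #4: the suspicious entries carry random-looking names; the fix list she gives in post #6; the win.ini run= line she questions in post #8) can be turned into a repeatable first pass over any HijackThis log. The script below is an added example and is not code from this thread or from HijackThis itself. It parses the Rn/Fn/On line format and flags: orphaned "(no file)" entries; a SearchURL or Start Page whose host is not a vendor default; a ProxyServer with an empty host or port 0; a URLSearchHook whose CLSID is prefixed with an underscore; any win.ini/system.ini autostart line; any O21 ShellServiceObjectDelayLoad object outside a small set of stock-XP CLSIDs; and DLL names that look random. The sample lines are copied from the log posted in this thread. OK_SEARCH_HOSTS and KNOWN_SSODL are my assumptions from memory of a stock XP install and must be confirmed against a known-clean machine before the output is trusted.

```python
"""Triage a HijackThis log with the heuristics Michelle applies above.

Added example; not code from this thread or from HijackThis.  HJT_SAMPLE is
copied from the log posted in the thread.  OK_SEARCH_HOSTS and KNOWN_SSODL
are assumptions about a stock XP box: verify them on a known-clean machine.
"""
import re
from urllib.parse import urlsplit

HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://yoursearch.ws/browser/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {ECD07A28-FC4C-4DC1-8A9A-13EAA5FB7841} - (no file) (HKCU)
O21 - SSODL: WyBfwPdN - {84AE118A-2E04-BB20-D3C9-77348BED0B97} - C:\WINDOWS\System32\yynml.dll
O21 - SSODL: NTDBGTOOL - {38684FF2-8AAF-4DD6-A35D-C500C4628E64} - C:\WINDOWS\System32\ieakview.dll
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
"""

HJT_LINE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
FILE_RE = re.compile(r"([\w~.$-]+\.(?:dll|exe|ocx))", re.IGNORECASE)
VOWELS = set("aeiou")

# Assumed vendor-default search/start-page hosts for an HP XP box.
OK_SEARCH_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com",
                   "ie.search.msn.com", "www.hp.com", "www.google.com"}
# Assumed stock-XP ShellServiceObjectDelayLoad CLSIDs (lower-case).
KNOWN_SSODL = {
    "{7849596a-48ea-486e-8937-a2a3009f31a9}",  # PostBootReminder
    "{fbeb8a05-beee-4442-804e-409d6c4515e9}",  # CDBurn
    "{e6fb5e20-de35-11cf-9c87-00aa005127ed}",  # WebCheck
    "{35cec8a3-2be6-11d2-8773-92e220524153}",  # SysTray
}


def parse_hjt(text):
    """Split a HijackThis log into {code, body, raw} entries."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append({"code": m.group(1), "body": m.group(2),
                            "raw": line.strip()})
    return entries


def looks_random(filename):
    """Michelle's 'random name' test made mechanical: a stem with 4+ letters
    and no vowel, or with upper/lower flips on at least half its boundaries."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", filename)
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 4:
        return False
    if not any(c.lower() in VOWELS for c in letters):
        return True
    flips = sum(1 for a, b in zip(letters, letters[1:])
                if a.isupper() != b.isupper())
    return flips >= len(letters) // 2


def triage(entries):
    """Return [(code, [reasons], raw)] for entries a human should review."""
    findings = []
    for e in entries:
        code, body, reasons = e["code"], e["body"], []
        if "(no file)" in body:
            reasons.append("orphaned entry: referenced file is missing")
        if code in ("R0", "R1"):
            m = re.search(r"(?:SearchURL|Start Page|Default_Page_URL|"
                          r"Search Page)\s*=\s*(\S+)", body)
            if m:
                host = urlsplit(m.group(1)).hostname or m.group(1)
                if host not in OK_SEARCH_HOSTS:
                    reasons.append("search/start page points at %s" % host)
            m = re.search(r"ProxyServer\s*=\s*(\S*)", body)
            if m:
                host, _, port = m.group(1).rpartition(":")
                if not host or port == "0":
                    reasons.append("proxy set to an empty host or port 0")
        if code == "R3" and re.search(r"-\s*_\{", body):
            reasons.append("URLSearchHook CLSID prefixed with '_'")
        if code in ("F0", "F1", "F2", "F3"):
            reasons.append("win.ini/system.ini autostart line; rare on XP")
        if code == "O21":
            c = CLSID_RE.search(body)
            if not c or c.group(0).lower() not in KNOWN_SSODL:
                reasons.append("SSODL object outside the assumed XP defaults")
        if code in ("O2", "O4", "O20", "O21"):
            f = FILE_RE.search(body)
            if f and looks_random(f.group(1)):
                reasons.append("file name %s looks random" % f.group(1))
        if reasons:
            findings.append((code, reasons, e["raw"]))
    return findings


if __name__ == "__main__":
    for code, reasons, raw in triage(parse_hjt(HJT_SAMPLE)):
        print(code, raw)
        for r in reasons:
            print("    ->", r)
```

The output is a review list, not a fix list: the benign Spybot BHO, the Synaptics Run entries, the Windows Media toolbar and the HP service all pass, while the seven lines Michelle singles out are flagged with a reason each. An O21 entry earns its flag regardless of name because an SSODL DLL is loaded into explorer.exe at logon, which also explains why the connections in this thread appeared to come from Explorer; ieakview.dll is flagged on that basis alone, since its name passes the randomness test.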

#5 lhdow (Topic Starter, New Member, 5 posts)
Well, I had a week to play with it. Here's the current status. System had had IPv6 installed, and backed out. I put it back, hoping for the updated firewall. No good. I then updated to XP SP2, and all subsequent patches. Firewall applet will still not start, so it's still there. SP2 does limit the connections so it's not as bad, but still there. I tried deleting the networking and recreating it (including regedit to remove LANs 2-6) and just managed to irritate it (caused an Explorer fault and restart, and it was back). New log attached. If you want the system backed out to SP1a, let me know.


#6 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
First, I need you to disable the Microsoft Antispyware program as it could interfere with cleaning your system. To disable the program, follow the instructions below:
1.) Right click on the Microsoft Antispyware tray icon (a little red and yellow circle looking thing)
2.) Click on Security Agents Status (Enabled)
3.) Click on Disable Real-time Protection.

Then, Please download the following programs but don't run them yet:

1) CWShredder - Download it and save it to your desktop.
2) Ad-Aware - Download, install, and update. After installing Ad-Aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run a scan. Manually run "Ad-Aware SE Personal" and from the main screen click on "Check for Updates Now".

Reboot into Safe Mode.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot into normal mode.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://yoursearch.ws/browser/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {ECD07A28-FC4C-4DC1-8A9A-13EAA5FB7841} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ECD07A28-FC4C-4DC1-8A9A-13EAA5FB7841} - (no file) (HKCU)

O21 - SSODL: WyBfwPdN - {84AE118A-2E04-BB20-D3C9-77348BED0B97} - C:\WINDOWS\System32\yynml.dll
O21 - SSODL: NTDBGTOOL - {38684FF2-8AAF-4DD6-A35D-C500C4628E64} - C:\WINDOWS\System32\ieakview.dll


Close HiJackThis.

Delete these files, if found:

C:\WINDOWS\System32\yynml.dll
C:\WINDOWS\System32\ieakview.dll

Post a new HiJackThis log.

#7 lhdow (Topic Starter, New Member, 5 posts)
Done. Seems to have stopped the TCP connections, but the firewall is still broken. Back out to SP1a and try the update again? Last scan attached.


#8 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Your log looks great, so the firewall was probably corrupted somehow. I would recommend uninstalling SP2, then re-installing it again. It should work perfectly this time.

Before doing that, one other thing:

F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\

If you don't know why this is there, run HiJackthis and place a check next to this item and click fix checked:

F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\

Let me know how the uninstall, reinstall goes!

#9 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please do this as well:

Run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here. ActiveScan finds adware/spyware that other programs don't find. It doesn't delete them, but we can do that ourselves! We just want to make sure nothing else is hiding.

#10 lhdow (Topic Starter, New Member, 5 posts)
SP2 uninstalled. ICF tested under SP1a, didn't work. Applied SP2 and subsequent patches, and the firewall still will not start.
Ran ActiveScan. The only interesting thing I see is the WUpd entry. I tried searching the registry for it and couldn't find it. I did find all the Windows Update entries though. Scan attached. The other three items I'm going to delete. netstat -no's are coming back OK, so we've managed to cripple whatever it is. Any ideas on debugging the firewall?


#11 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Is it just showing that the firewall is disabled or what's going on exactly?

Have you already done this:

http://help.isu.edu/...d=876&cat_id=81

#12 lhdow (Topic Starter, New Member, 5 posts)
Some really strange things were happening when I tried to post to this before. Messages about database errors and such. Anyway, yes, I tried all that. When I tried to enable ICF under SP1a, it just said it couldn't do it. Under SP2, Security Center says, "Due to unidentified problem, Windows cannot display Windows Firewall settings." I've run chkdsk online, and at boot; seems OK. I'm starting to think that it might be some type of ownership/security issue, as I found other files that I had to take ownership of (under safe mode) to get rid of, as they had unknown security headers. Others, when I tried to uninstall, just rebooted the system. Perhaps this system was part of a domain at one time, and items were installed under an account, with administrator privilege, that was deleted when it was dumped into a workgroup. Either that or the viruses it had messed with the security headers. Unless something rings a bell here, I'm just going to install Norton Internet Security 2005 and be done with it.

#13 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Hmm, I've never run into that problem with the XP firewall! Unless you had some serious infections that you got rid of before posting here, I don't think it's malware that caused it.

I will still research this and let you know what I find out!

Have you tried creating a new Admin account to see if it works from there?

#14 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Possible solution?

http://windowsxp.mvp...haredaccess.htm

#15 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.