Zone Alarm picking up Windows NT Logon attempts
#1
Davrobin (Member, 28 posts)
I have been having problems with my internet connection over the past couple of days. I use Windows XP, through an Ethernet connection into a Netgear ADSL router. Symptom is that Internet Explorer just won't see anything on the network. Rebooting the machine sometimes clears the problem.

Hijack This log shows nothing untoward.

I am running a hardware firewall (the Netgear router) which blocks pretty much everything. I am also running Zone Alarm on my PC (two firewalls are always better than one!). Looking at the Zone Alarm logs, I find that I am getting lots of entries for "Windows NT Logon Application" being blocked from accessing the internet. Whatever is doing the logon is attempting to get to a range of IP addresses... 64.74.134.14:80 69.20.20.161; 64.94.29.64 etc.

Why should windows be trying to do this?

I'm also picking up a load of messages about attempting to run a DLL as an application, again trying to get to a range of IP addresses.

For completeness, I am connected to the Wanadoo network in the UK so MY router's address is in the range 81.79.226.xxx
The Gateway IP address is 62.25.204.168 and the DNS is at 195.92.195.94

So as far as I can see, whatever is trying to get out is not looking at the Wanadoo network.

Any suggestions where to look?
Spybot comes clean every time.
I am also running Sophos antivirus which is fully up to date.

Thanx
Dave R.
#2
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Hey DavRobin. Welcome to Geeks To Go. <_<

This is definitely one time when two is not better than one. You need one firewall. Uninstall the one you do not want.

Please download a Hijack This Log so we can see what is going on with your system.

http://www.geekstogo...?showtopic=2852

#3
Davrobin (Topic Starter, Member, 28 posts)
Re 2 firewalls - what I mean is the router has a hardware firewall, which is set to only allow in HTTP and HTTPS. Then on my PCs (I have a couple) I am running the free Zone Alarm so that I can see what is going on, and pick up / block any outgoing rubbish that I may not want. (hence I have been able to pick up these outbound network login attempts)

I also ran the spyware /adware scanner available as an Active X from Sophos (hence you will see the references to activescanner or pps in Hijackthis)

Finally, from the Sophos scanner, I know that I have a couple of odd items that I don't really want but am stuck with, relating to Kodak Easyshare, and also WinMX music downloads.

HijackThis Log file is:
Logfile of HijackThis v1.97.7
Scan saved at 07:38:10, on 28/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\StarOffice7\program\soffice.exe
C:\Documents and Settings\Dave\My Documents\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.c...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [VOBID] C:\Program Files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: ppctlcab - http://69.44.122.156...er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
Just for good measure, the sort of stuff Zone Alarm has started to pick up (and this only started a couple of days ago) is lots of...

ACCESS,2004/09/26,16:55:18 +1:00 GMT,Windows NT Logon Application was temporarily blocked from connecting to the local zone (192.168.0.1:DNS).,N/A,N/A
ACCESS,2004/09/26,16:55:30 +1:00 GMT,Messenger was blocked from accepting a connection from the local zone (192.168.0.1:Port 2050).,N/A,N/A
ACCESS,2004/09/26,16:55:52 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (64.94.29.64:HTTP).,N/A,N/A
ACCESS,2004/09/26,16:55:52 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (69.20.20.161:HTTP).,N/A,N/A
ACCESS,2004/09/26,16:57:04 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (64.74.134.64:HTTP).,N/A,N/A
ACCESS,2004/09/26,16:58:18 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (192.168.0.1:DNS).,N/A,N/A
ACCESS,2004/09/26,16:58:34 +1:00 GMT,Windows NT Logon Application was temporarily blocked from connecting to the Internet (192.168.0.1:DNS).,N/A,N/A
ACCESS,2004/09/26,16:58:40 +1:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.2:Port 68).,N/A,N/A
ACCESS,2004/09/26,16:59:18 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (64.94.29.14:HTTP).,N/A,N/A
ACCESS,2004/09/26,16:59:18 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (69.20.20.161:HTTP).,N/A,N/A
ACCESS,2004/09/26,16:59:34 +1:00 GMT,Windows NT Logon Application was temporarily blocked from connecting to the local zone (192.168.0.1:DNS).,N/A,N/A
ACCESS,2004/09/26,16:59:38 +1:00 GMT,Messenger was blocked from accepting a connection from the local zone (192.168.0.1:Port 2050).,N/A,N/A
ACCESS,2004/09/26,17:00:32 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (64.94.29.64:HTTP).,N/A,N/A
ACCESS,2004/09/26,17:07:16 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (64.74.134.64:HTTP).,N/A,N/A
ACCESS,2004/09/26,17:08:22 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (64.94.29.14:HTTP).,N/A,N/A
ACCESS,2004/09/26,17:08:22 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (69.20.20.161:HTTP).,N/A,N/A
ACCESS,2004/09/26,17:09:14 +1:00 GMT,Windows NT Logon Application was temporarily blocked from connecting to the local zone (192.168.0.1:DNS).,N/A,N/A
Any ideas?

Dave R
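The ZoneAlarm lines Dave pasted are a simple comma-separated format, so they can be triaged mechanically. The following Python script is an added example, not code from the thread or from Zone Labs: it parses lines in that format and lists which core Windows components were blocked trying to reach public addresses outside the ISP ranges given in the thread. The sample lines are constructed in the same format, and the 81.79.226.0/24 range is an assumption drawn from the "81.79.226.xxx" in post #1.

```python
"""Triage ZoneAlarm ACCESS log lines: added example, not code from the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the format Dave pasted from his ZoneAlarm log.
SAMPLE_LOG = """\
ACCESS,2004/09/26,16:55:18 +1:00 GMT,Windows NT Logon Application was temporarily blocked from connecting to the local zone (192.168.0.1:DNS).,N/A,N/A
ACCESS,2004/09/26,16:55:52 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (64.94.29.64:HTTP).,N/A,N/A
ACCESS,2004/09/26,16:58:34 +1:00 GMT,Windows NT Logon Application was temporarily blocked from connecting to the Internet (192.168.0.1:DNS).,N/A,N/A
ACCESS,2004/09/26,16:58:40 +1:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (192.168.0.2:Port 68).,N/A,N/A
ACCESS,2004/09/26,17:08:22 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (69.20.20.161:HTTP).,N/A,N/A
ACCESS,2004/09/26,17:09:14 +1:00 GMT,Windows NT Logon Application was blocked from connecting to the Internet (64.74.134.64:HTTP).,N/A,N/A
"""

MSG_RE = re.compile(
    r"^(?P<app>.+?) was (?:temporarily )?blocked from "
    r"(?P<direction>connecting to|accepting a connection from) the "
    r"(?P<zone>local zone|Internet) \((?P<ip>[\d.]+):(?P<port>[^)]+)\)\.$"
)

# Core Windows components that should not open Internet connections of their own,
# and the ISP ranges from the thread (81.79.226.0/24 is assumed from 81.79.226.xxx).
SYSTEM_APPS = {"Windows NT Logon Application", "Run a DLL as an App"}
ISP_NETS = [ipaddress.ip_network(n) for n in
            ("81.79.226.0/24", "62.25.204.168/32", "195.92.195.94/32")]


def parse_line(line):
    """Return the fields of one ACCESS line as a dict, or None if it does not parse."""
    parts = line.strip().split(",")
    if len(parts) < 6 or parts[0] != "ACCESS":
        return None
    m = MSG_RE.match(",".join(parts[3:-2]))  # message may itself contain commas
    return {"date": parts[1], "time": parts[2], **m.groupdict()} if m else None


def suspicious_outbound(log_text):
    """Map program -> sorted public destinations it tried to reach outside the ISP."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["direction"] != "connecting to" or ev["zone"] != "Internet":
            continue  # inbound blocks and local-zone chatter are not the concern here
        dst = ipaddress.ip_address(ev["ip"])
        if ev["app"] in SYSTEM_APPS and not dst.is_private \
                and not any(dst in net for net in ISP_NETS):
            hits[ev["app"]].add(ev["ip"])
    return {app: sorted(ips) for app, ips in hits.items()}
```

Calling `suspicious_outbound(SAMPLE_LOG)` on the constructed sample reports both components with the public addresses they tried to reach, while the DNS attempts to the 192.168.0.1 router and the inbound DHCP block are left out.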

#4
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
OK. Sorry, I misunderstood. Someone will take a look at your log and get back with you.

#5
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
Try disabling Zone Alarm and installing Sygate Personal Firewall (it's free too) and check to see what it says. Windows NT Logon has to do with your username and password, so I wouldn't let that go accessing the internet for any reason. I'm not sure what this is all about, but we'll try to get some more answers. Try a Sygate in the meantime and get back to us.
Sygate Personal Firewall
-=jonnyrotten=- <_<

#6
Davrobin (Topic Starter, Member, 28 posts)
Thanks - Disabled Zone Alarm and installed Sygate. Within seconds of rebooting I got alarms about Windows Login and also RunDLL both trying to connect to www.look2me4.com.

I've had 3 attempts at posting the log files here but the link keeps timing out on me. I'll try again with another post after this one!

In the meantime, any idea where the network login and rundll are being initiated from?

Dave R.

#7
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
http://www.rackspace.../monitoring.php

This link is to the address mentioned here.
ACCESS,2004/09/26,16:55:52 +1:00 GMT,Run a DLL as an App was blocked from connecting to the Internet (69.20.20.161:HTTP).,N/A,N/A

I checked on some of the other ones and they all link to large companies that do one thing or another.

I also read this

HAL9000
05-12-2001, 12:47 AM
Hey there Cosmyre, with accesscomm.ca, you must be in Regina as well. Anyhow... I did a bit of playing and got Windows and ZoneAlarm to bring up the RUNDLL as an app when I went to update a driver and it searched folders, drives, then the internet, so this is one example of when it will occur and is normal.
Uwey
at this forum.
http://forum.pcmech....hp/t-12317.html

I'm not sure if this will help at all, but it's a little bit of info to maybe give us a lead in the right direction.

-=jonnyrotten=- <_<

#8
Davrobin (Topic Starter, Member, 28 posts)
I think all my problems are leading back to a look2me infestation.... problem is I can't find an easy way to get rid of it!

I tried downloading and running kill2me, but it said it couldn't find the infection <_<

I've also had problems posting anything but short replies into this forum :D

Still..... at least I have more of an idea what to look for!

Dave R

#9
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
http://www.look2me.c...bin/UnInstaller

Have you tried this one?

-=jonnyrotten=- <_<

#10
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
http://www.pchell.co...t/look2me.shtml

Instructions for manually removing the look2me parasite.

-=jonnyrotten=- <_<

#11
Davrobin (Topic Starter, Member, 28 posts)
Thanks for the pointers.... I've found my way to most of these via Google - though there was conflicting advice in this forum about the look2me uninstaller from look2me - from what I have found so far about look2me I would not trust anything from them as far as I could throw them.

Still, I'm trying instructions found at

http://www.2-spyware...ve-look2me.html

However - most of my scans etc. claim not to be able to find the "classic" look2me.... and nothing I've found so far says anything about stuff doing a windows logon...

I'll keep you posted!

Dave R

#12
admin (Founder Geek, Administrator, 24,501 posts)
Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in here
http://updates.ls-se...lvx2cleaner.exe

How to use Lavasoft's VX2 Cleaner plug-in

- Close Ad-Aware 6 and Ad-Watch (if running)
- Download the free VX2 Cleaner at http://updates.ls-se...lvx2cleaner.exe
- Install the VX2 Cleaner
- Start Ad-Aware 6
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- If your computer isn't infected, click "Close".
If your computer is infected

- Select "Clean system"
- Reboot your computer
- Scan your computer with Ad-Aware
- Remove any VX2 objects detected
- Reboot your computer again
- Run a second scan to make sure the files have been removed from your computer

Reboot your PC.

#13
Davrobin (Topic Starter, Member, 28 posts)
Well, after much hacking around I finally seem to have got rid of VX2. In the end it was a combination of using Ad-Aware and a VX2finder utility (similar to the Ad-Aware extension mentioned in the last post).

Key learnings from my experience were:
1) it could well have been the look2me uninstaller that infected my system
2) Key is to ensure that explorer is not running when doing the disinfecting... I had to put ad-aware and vx2finder on the desktop.

VX2Finder located the offending registry entries for the "guardian key" which I used regedit to delete. Then I did an ad-aware scan to remove all other components then rebooted. Then did a further scan with both products when the system came back.

The Sygate firewall was useful for providing better diagnostics than zone alarm, though I think I will revert to zone alarm for day-to-day use - keeping Sygate available if I have problems in future.

I'll be running a mix of ad-aware and Spybot S&D to check my system in future.

Dave R <_<