Hijack This log - continued dropping of Inet conne [RESOLVED]



#1
shalgrim

    New Member

  • Member
  • Pip
  • 5 posts
Hi.

I'm having a problem with my Internet connection that I think may be caused by a virus, but I'm really not sure. It's either a virus or my ISP and my ISP has been limited in their helpfulness, so I'd like to submit a log here and see if you can find anything.

For what it's worth, my problem is that my wireless router will, after being up for some time, stop being able to access Internet content. It still has its IP address and my machine is still connected to the access point, but I can't get anywhere on the Internet. So my thought was that maybe a virus was making it shut down. I know it's not the router itself because I bought two brand new routers and had the same problem. :tazz:

Anyway, I did everything on the 'You must read this...' page and I'm still having trouble.

Thank you so much for any help you can provide.

Log:
Logfile of HijackThis v1.99.1
Scan saved at 4:33:27 PM, on 9/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NDAS\3.10.1216\ndassvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\SM1BG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\monitorsmc.exe
C:\Program Files\SharpReader\SharpReader.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\scotty\My Documents\Downloads\GeeksToGo\HT\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /registry /service
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{321A1CB9-F158-4E0A-ADF9-38A925F57122}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{321A1CB9-F158-4E0A-ADF9-38A925F57122}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{321A1CB9-F158-4E0A-ADF9-38A925F57122}: NameServer = 192.168.0.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: NDAS Service (ndassvc) - Unknown owner - C:\Program Files\NDAS\3.10.1216\ndassvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINNT\system32\snmptrap.exe (file missing)
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

- Scott
  • 0



#2
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Can you surf to:
http://virusscan.jotti.org/
and upload this file:
C:\WINNT\system32\monitorsmc.exe
Let me know the results.

Also when it happens again can you open a Command Prompt and use this command:

IPCONFIG /flushdns

See if that re-enables your connection.
Also let me know what you normally do to resolve it.

Regards,
  • 0

#3
shalgrim

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you for your help, Metallica.

The scan over at jotti said it was OK and no program found anything. The MD5 was df1d676f9998349ca70670ee86a8354c and Packets detected was just: -.

When the problem happens, I am still connected to my wireless router just fine and can get and receive IP addresses from it with no problem. However, the router has difficulty obtaining an IP address from my ISP. Do you still want me to do the ipconfig /flushdns from my client machine? If so, I will do that the next time I have a problem and let you know what happens.

I've done all kinds of troubleshooting on the problem...I've bought new routers, bought new cables, etc. I've had this same problem with all of those solutions. The only thing that fixes it is to unplug the router and leave it unplugged for a long time...just leaving it unplugged for five minutes will not fix it, nor will hitting the reset button. I note no consistency with the problem...it sometimes happens within 2 hours of getting up and running, and at other times it takes 20 hours. :tazz:

I've involved my ISP and Netgear support as well, but it's a tough nut to crack and they are tiring of me. I am posting here not in the expectation that you will fix my problem (though I would be thrilled if you did), but just with the hope that you could interpret my Hijack This! log and tell me if I have any viruses on my hard drive that might be causing the problem.

Thanks for whatever you can tell me.

Scott

Edited by shalgrim, 22 September 2005 - 03:23 PM.

  • 0

#4
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Hi Scott,

As far as I could tell from your log there are no viruses running on your computer.

The only file I didn't recognize was the one I asked you to upload.

I would still like you to try to flush the dns cache as described before.
If it helps we may be a big step closer to the solution.

We have lots of experts on this board I can ask for more specialized help and we don't get tired very quickly. :tazz:

Another thing that might be related:
I saw the file for this service listed as missing in your log:
http://labmice.techt...orking/snmp.htm

Can you check if C:\WINNT\system32\snmptrap.exe is really gone and, if you know, when and why it was removed.

Regards,
  • 0
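Added example, not part of the original thread: a short Python triage of the `(file missing)` markers on O23 service lines like the one discussed above, cross-checked against the log's own "Running processes" list, since a binary that is running cannot actually be absent. The sample lines are copied from the log in post #1; the function names `parse_running` and `triage_services` are hypothetical.

```python
import re

# Subset of lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\System32\QCONSVC.EXE

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINNT\system32\snmptrap.exe (file missing)
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
"""

# O23 layout: "O23 - Service: <name> - <owner> - <command line>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Executable path = everything up to the first ".exe", ignoring a leading quote.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)

def parse_running(log):
    """Return the lower-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break  # a blank line ends the process list
        elif in_block:
            procs.add(line.lower())
    return procs

def triage_services(log):
    """List (service, exe path, is_running) for O23 lines marked '(file missing)'."""
    running = parse_running(log)
    findings = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m or "(file missing)" not in m["cmd"]:
            continue
        exe = EXE_RE.match(m["cmd"])
        path = exe["exe"] if exe else m["cmd"]
        # Limitation: 8.3 short paths (PROGRA~1) are not expanded before comparing.
        findings.append((m["name"], path, path.lower() in running))
    return findings

if __name__ == "__main__":
    for name, path, is_running in triage_services(SAMPLE_LOG):
        print(f"{name}: {path} -> {'running' if is_running else 'not running, check on disk'}")
```

On these lines the McAfee entry is flagged missing while its executable is running, so the marker there reflects the quoted command line with arguments rather than an absent file; the SNMP Trap entry is the one to verify on disk.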

#5
shalgrim

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks, Metallica.

I tried the dnsflush, but it didn't seem to fix anything. If it had any effect, I didn't notice it.

A technician from my ISP lent me his wireless router (a Linksys WRV54G) over the last week and that demonstrated the same problem, however by doing an ipconfig release/renew, I was able to get Internet connectivity back. That's not ideal, but it's a huge improvement over what happens with my router, which is that I just have to leave it unplugged for a long time.

So now I'm in the process of buying different types of routers and trying them out.

Also, snmptrap.exe is definitely not in c:\winnt\system32\. I'm not sure why it disappeared, though it's at least somewhat likely that I was a bit over-aggressive in trying to rid myself of viruses. :tazz:

The file does show up in C:\WINNT\$NtServicePackUninstall$\ (version 5.0.2153.1) and in C:\WINNT\ServicePackFiles\i386\ (version 5.0.2195.6601).

Thanks again for all of your help. Let me know if you need any more clarification on anything above.

Scott
  • 0

#6
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
The missing file may be related to your problem.

http://www.liutiliti...brary/snmptrap/

snmptrap.exe is a process belonging to the Microsoft Windows Operating System, related to the Simple Network Management Protocol (SNMP). This process listens for SNMP trap messages and processes them accordingly.

Copy the latest version of the file you have (C:\WINNT\ServicePackFiles\i386\snmptrap.exe) to the c:\winnt\system32\ directory.

Then click Start > Run > then type services.msc > OK
In the list of services find:
SNMP Trap Service (SNMPTRAP)
Right-click that line and choose Properties.
On the General tab Stop and set the service to Automatic.

Reboot your computer for the change to take effect.

Regards,
  • 0

#7
shalgrim

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks for all your help, Metallica.

I put back the snmptrap executable and set it to start up automatically and then restarted. It's running now, but it hasn't fixed my problem.

I have since gone out and bought a different router that worked all weekend with my Internet connection, so that's a good sign since I wasn't getting anything that lengthy before.

You can feel free to close this one if you want.

Thanks again,

Scott
  • 0

#8
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





