?
Solved

site trying to dial up but cann't find anything with ad-aware

Posted on 2004-08-04
7
Medium Priority
?
316 Views
Last Modified: 2013-12-04
Hi,
A few times a day the dial up box opens and says that ftp.mega-game.org is trying to access the interenet. Then when I close that it often pops up again and says the same thing but with pop3 and then again with imap. Any thoughts? I have run Ad-aware and spybot through a number of times but they find nothing. I have also run norton antivirus corporate edition 9 with all updates

here is the log file.

Logfile of HijackThis v1.97.7
Scan saved at 16:34:20, on 02/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Documents and Settings\G. EVANS\Desktop\clean up programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tes-property.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE
O4 - Global Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Global Startup: WinFax Application Port Starter.lnk = C:\WINNT\system32\wfxsnt40.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
0
Comment
Question by:lenny109
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
7 Comments
 

Author Comment

by:lenny109
ID: 11713432
sorry about the 30 points, I am just about out of them!
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 300 total points
ID: 11713860
Hi!
This entry points to something suspicious:
C:\WINNT\SYSTEM\winlogon.exe

This is the valid entry:
C:\WINNT\system32\winlogon.exe

Note: the valid one is running from the System32 folder,
the questionable entry is running from the System folder.

Good luck!
RF
0
 

Author Comment

by:lenny109
ID: 11736399
I have looked everywhere for the winlogon.exe file and it is nowhere to be found. I have also changed the view settings to view all system files and hidden files but still can not find it.

To stop that process do I need to delete the file maually or just stop it from msconfig.
Cheers
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:lenny109
ID: 11736413
Here is the latest hijack file but the logon file is still there.

Logfile of HijackThis v1.97.7
Scan saved at 15:32:13, on 06/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\spool\drivers\w32x86\2\fppdis1.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\G. EVANS\Desktop\clean up programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tes-property.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE
O4 - Global Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Global Startup: WinFax Application Port Starter.lnk = C:\WINNT\system32\wfxsnt40.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
0
 

Author Comment

by:lenny109
ID: 11757628
OK here is an update. I have opened windows task manager and canceled the winlogon process from there. Then searched to winlogon using the search facility. It found the winlogon in the system folder. I hilighted it and deleted it from there. I am still having loads of trouble with the system trying to dial up it's self. Still many times to  ftp.mega-game.org  and imap.mega-game.org and also to smtp.mega-game.org.

Any other ideas? I am fairly stuck now.
Cheers
0
 

Author Comment

by:lenny109
ID: 11758233
not sure if this is any relevence but when I run tracert on ftp.mega-game.org it traces the route to www.ff-bank.com  (912.183.78.184). This looks like an off shore bank but the site only stays open for a few moments. Could this be anything to do with my dial up problem. Some how I think not.
0
 
LVL 12

Expert Comment

by:alandc
ID: 12228823
Please do not post HijackThis logs as questions.

Scan your own log at
http://hijackthis.de/index.php

You need to update your spyware tool and reboot into SAFE mode to run your spyware search and clean while in that mode.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
OfficeMate Freezes on login or does not load after login credentials are input.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question