[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

site trying to dial up but cann't find anything with ad-aware

Posted on 2004-08-04
7
Medium Priority
?
331 Views
Last Modified: 2013-12-04
Hi,
A few times a day the dial up box opens and says that ftp.mega-game.org is trying to access the interenet. Then when I close that it often pops up again and says the same thing but with pop3 and then again with imap. Any thoughts? I have run Ad-aware and spybot through a number of times but they find nothing. I have also run norton antivirus corporate edition 9 with all updates

here is the log file.

Logfile of HijackThis v1.97.7
Scan saved at 16:34:20, on 02/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Documents and Settings\G. EVANS\Desktop\clean up programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tes-property.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE
O4 - Global Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Global Startup: WinFax Application Port Starter.lnk = C:\WINNT\system32\wfxsnt40.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
0
Comment
Question by:lenny109
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
7 Comments
 

Author Comment

by:lenny109
ID: 11713432
sorry about the 30 points, I am just about out of them!
0
 
LVL 12

Accepted Solution

by:
rossfingal earned 300 total points
ID: 11713860
Hi!
This entry points to something suspicious:
C:\WINNT\SYSTEM\winlogon.exe

This is the valid entry:
C:\WINNT\system32\winlogon.exe

Note: the valid one is running from the System32 folder,
the questionable entry is running from the System folder.

Good luck!
RF
0
 

Author Comment

by:lenny109
ID: 11736399
I have looked everywhere for the winlogon.exe file and it is nowhere to be found. I have also changed the view settings to view all system files and hidden files but still can not find it.

To stop that process do I need to delete the file maually or just stop it from msconfig.
Cheers
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:lenny109
ID: 11736413
Here is the latest hijack file but the logon file is still there.

Logfile of HijackThis v1.97.7
Scan saved at 15:32:13, on 06/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\spool\drivers\w32x86\2\fppdis1.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\G. EVANS\Desktop\clean up programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tes-property.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - Startup: Microsoft Office.lnk = C:\MSOFFICE\MSOFFICE.EXE
O4 - Global Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Global Startup: WinFax Application Port Starter.lnk = C:\WINNT\system32\wfxsnt40.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
0
 

Author Comment

by:lenny109
ID: 11757628
OK here is an update. I have opened windows task manager and canceled the winlogon process from there. Then searched to winlogon using the search facility. It found the winlogon in the system folder. I hilighted it and deleted it from there. I am still having loads of trouble with the system trying to dial up it's self. Still many times to  ftp.mega-game.org  and imap.mega-game.org and also to smtp.mega-game.org.

Any other ideas? I am fairly stuck now.
Cheers
0
 

Author Comment

by:lenny109
ID: 11758233
not sure if this is any relevence but when I run tracert on ftp.mega-game.org it traces the route to www.ff-bank.com  (912.183.78.184). This looks like an off shore bank but the site only stays open for a few moments. Could this be anything to do with my dial up problem. Some how I think not.
0
 
LVL 12

Expert Comment

by:alandc
ID: 12228823
Please do not post HijackThis logs as questions.

Scan your own log at
http://hijackthis.de/index.php

You need to update your spyware tool and reboot into SAFE mode to run your spyware search and clean while in that mode.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question