#21 (permalink) |
|
Registered User
Join Date: Jun 2008
Posts: 16
OS: xp
|
Re: Internet Disconnects After 10-15 Minutes
Here is the Dr. Web CSV file:
aolconnfix.exe;C:\;Trojan.PWS.Gamania.origin;;
ComboFix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Probably SCRIPT.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;;
restart.exe;C:\Documents and Settings\Administrator\Desktop\go through\SmitfraudFix;Tool.ShutDown.11;;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3869.9.20;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3899.1.16;Probably BACKDOOR.Trojan;;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3991.4.16;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4000.1.4;Probably BACKDOOR.Trojan;;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4144.0.4;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\AIMSUD338;Probably BACKDOOR.Trojan;;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.7.1;Probably BACKDOOR.Trojan;;
Get-Torrent-2.0.0.0-setup-0350.exe\data002;C:\Downloads\Get-Torrent-2.0.0.0-setup-0350.exe;Adware.Lop;;
Get-Torrent-2.0.0.0-setup-0350.exe\data013;C:\Downloads\Get-Torrent-2.0.0.0-setup-0350.exe;Trojan.Packed.149;;
Get-Torrent-2.0.0.0-setup-0350.exe;C:\Downloads;Archive contains infected objects;;
mcupdmgr(2).exe;C:\Program Files\McAfee\MSC;Probably DLOADER.Trojan;;
data001\data003;C:\Program Files\Morpheus\mymorpheustoolbar.exe\data001;Adware.Msearch;;
data001\data006;C:\Program Files\Morpheus\mymorpheustoolbar.exe\data001;Adware.Msearch;;
data001;C:\Program Files\Morpheus\mymorpheustoolbar.exe;Archive contains infected objects;;
mymorpheustoolbar.exe;C:\Program Files\Morpheus;Archive contains infected objects;;
M0PLUGIN.DLL;C:\Program Files\MorpheusBar\bar\1.bin;Adware.Msearch;;
NPMORPBR.DLL;C:\Program Files\MorpheusBar\bar\1.bin;Adware.Msearch;;
NPMorpBr.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Msearch;;
|
#22 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 19,747
OS: WinXP and Vista
|
Re: Internet Disconnects After 10-15 Minutes
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
***************************************************
Please download SmitfraudFix (by S!Ri) to your Desktop. Do not run it yet.
--------------------------------------------------------------------
Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.
Make sure to close any open browsers.
--------------------------------------------------------------------
Using 'My Computer', navigate to and delete the following File:
C:\Downloads\Get-Torrent-2.0.0.0-setup-0350.exe
--------------------------------------------------------------------
Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot into Normal Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
--------------------------------------------------------------------
Next go to Control Panel, click Display > Desktop > Customize Desktop > Web.
Now, uncheck everything and delete everything except 'My Current Home Page'.
Also make sure the 'Lock desktop items' box is unticked.
Click OK, and then click Apply, then OK.
--------------------------------------------------------------------
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
--------------------------------------------------------------------
Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
Note: If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
--------------------------------------------------------------------
Please post the C:\rapport.txt in your next reply, along with an update on internet behavior.
|
#23 (permalink) |
|
Registered User
Join Date: Jun 2008
Posts: 16
OS: xp
|
Re: Internet Disconnects After 10-15 Minutes
Here is the SmitFraud rapport:
SmitFraudFix v2.328
Scan done at 16:09:59.90, Mon 06/30/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\Program Files\VirusBlast\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AE01E70B-956B-40F2-A378-A5BC27AD9D68}: DhcpNameServer=24.25.5.148 205.152.37.23 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 205.152.37.23 192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End

I'll let you know in about 15-20 min. and see if it stays up. It stayed up a little longer today but it cut off after about 20 min.
|
#25 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 19,747
OS: WinXP and Vista
|
Re: Internet Disconnects After 10-15 Minutes
I'd like you to try this online scanner. You should be able to download the ActiveX and its database before losing your connection. It will scan your system while disconnected.
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes, when prompted to install an ActiveX component.
To optimize scanning time and produce a more sensible report for review: