Software seeking internet access by itself!

admin note: thread moved from XP to here

Good morning, this is my first post and I couldn't find a reference any where else. About 5 days ago my computer was hijacked and I ran a bunch of adware programs and then hijack this and it seems to be clear. But now what seems to be the result is something or a program is trying to get internet access. I have all spyware and adware programs automatic updates off. I have messenger completely off or removed. I have Dsl and its physically off, cable unplugged. It doesn't seem to do any harm with the exception that if I'm doing some thing else about every 30 seconds I get this little window that states that it is trying to connect to the internet, I click it off and in thirty seconds it comes back and its driving me mad. If I insert the cable it connects by itself and its driving me mad. Does anyone have any ideas where to go even to find out what is causing it, thank you Andy1...

 

Hello Andy,

Post your HJT log in the Virus/Spyware removal section. You missed something.

Regards - Chales

 

Charlesvar; Got it: file of HijackThis v1.99.1
Scan saved at 5:12:29 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\Program Files\RFA\rfagent.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
G:\Program Files\Messenger\msmsgs.exe
G:\WINDOWS\System32\ctfmon.exe
G:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
G:\Program Files\SpywareGuard\sgmain.exe
G:\Program Files\program\soffice.exe
G:\Program Files\OpenOffice.org 1.9.65\program\soffice.exe
G:\Program Files\OpenOffice.org 1.9.65\program\soffice.BIN
G:\Program Files\SpywareGuard\sgbhp.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\Documents and Settings\3\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.******.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [rfagent] G:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKCU\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\System32\ctfmon.exe
O4 - Startup: OpenOffice.org 1.1.2.lnk = G:\Program Files\program\quickstart.exe
O4 - Startup: OpenOffice.org 1.9.65.lnk = G:\Program Files\OpenOffice.org 1.9.65\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = G:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = G:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

O.K. this is the file, and I still can't read it!!! This from the other day Since then I haven't installed anything but I have messenger disabled as well as some other stuff. I turned automatic updates off in AVG but in this morning it still is seeking internet access, the reason I know is Zone Alarm!

 

Hi Andy,

You have HJT in a temp folder, should be in a folder of it's own.

Let Lonny or Dave look at this before you fix those three R0 items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.******.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

Zone Alarm: Go into Overview > Preferences tab and next to Program Updates tick manually.

If you think ZA is the culprit, then Start > run > type msconfig > startup tab and disable ZA processes from starting up temporarily.

You can use this for other software as well, disabling one at a time.

Regards - Charles

 

No I did not mean Zone Alarm, I went into set options and set automatic updates to manual in Grisofts AVG and the first thing that comes up looking for the internet is AVG, and the only way I know that is through Zone Alarm. Also since this log I have disabled some stuff others that I wanted I didn't because I can not read the code. I thought I was hijacked because I was on the net at a tech site and all of a sudden something surreal like a shadow of something flashed through the screen almost like a form in the movies and then my computer crashed. I then disconnected the cable from the modem and thats when everything started going wrong. I ran Spybot, Ad-Ware, Spysweeper and M$ beta and I had a trojan and a variety of the C2lop. Its just this seeking for the internet when I'm off line that is driving me crazy. By the way Charlesvar, thank you,Andy1...

 

Do fix those entries Charles listed, after unzipping HijackThis to a permanent folder of it's own, and I recommend you uninstall or completely disable either AVG or Avast. Antivirus programs often conflict with one another. Then do manual updates to whichever you keep. You should also get to Windows Update and choose the Express Install. Accept all critical updates, reboot when prompted and go back, until there are no more offered.

Post a new HJT log when done.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.******.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

Excuse me What is a temp folder or what is the difference? I downloaded this to my dest top then put it in a folder and then made a copy in my Documents, which is the temp folder? What is RO? And start page=http//start.*******.com/ is my start page I had just put the **** in not to show the world my start page. How do I put HijackThis in a permanent folder of its own?
Is c:\windows\system\oobe\blank.htm what I type into Run? I do not know too much about the command line, so what exactly do I type in, and in Run or in the registry? Thank you Andy1!!!

 

Hi

In post three you popsted an old log, old logs are no good to us. when asked for one always post a current hijackthis log

What is it ? we need a file name and location in order to clue into the problem.

Your running Hijackthis from a temp and it still hasnt been unzipped, neither is a good idea.
Create a new folder, for instance C:\AntiSpyware
Download the exe from here to that new folder.
http://www.merijn.org/files/HijackThis.exe
This is necessary to ensure you have backups should anything go wrong

Make and post a new log, someone here will be glad to help.

 

Hi Lonny Jones, What I do not understand is a temp folder, isn't a folder a folder? Is there a folder difference? I have a HiJackThis.exe zip on my desktop, is that different than the one that I copied to my documents? Any way I came on line now to see if this would be relevant. About three minuetes after I boot up Zonealarm pops up stating that something is trying to access the internet, if I want to allow or deny, since I didn't know what it was I always deny then the little window starts to pop up trying to connect to the internet, the one that this thread is all about. This time I allowed it to try and connect but with the cable off only to see if this is the culprit,http://pralerts.zonelabs.com/praler...=1033&CL=en&LICFLAG=1&OEM=1013&SKU=0&Mode=1,I just copied and pasted so as you folks could read it.
Thank you Andy1.

 

Andy

You are right. A folder by any other name is a folder. However...A folder which stores files temporarily is said to be a "temp folder" as the files are there only for a specific purpose and can be deleted after their use is finished.

If you simply relax and do as Lonny says, your problem will go away. Remember that good troubleshooting can only be accomplished in a logical and methodical way.

Installing HJT into a permanent directory is so that you can, at a later date, use it again without all the hassle of the first time.

 

BMorre1129, I'm not uptight with you guys, in fact I'm thankful. I know a temp file is temporary, I just don't understand what in a computer how to tell the difference or what is the criteria that is used to distingush a temp file from a permanent file. I simply do not know. I went to a computer school and I asked my teacher what the difference is, and his answer was one is temporary and the other is permanent. I.E. I downloaded a file onto my desktop called hijackthis.zip and then I copied it to my documents, so I have two. Now which is the permanent and which is the temp?
I came to this forum not because of my problem but on one day while lurking I seen advice posted by noahdfear and I was quite impressed by his knowledge and forthrightedness with a member then I started looking more carefully at the other post and I seen that some of the peeps here had some real in depth knowledge. So I don't want anyone to think that I get upset easyly, its quite the contrary I view all the people that give me advice with respect, thank you Andy!.

 

Hi Andy1

It would be easyer if you delete the ones you have now and re-download it. as the last posts suggest's.

Rightclick on this link, chose save target as and save it to your My-documents folder
http://www.merijn.org/files/HijackThis.exe

 

Hi Andy,

One of the things shown in a HijackThis log is the location and state of HijackThis itself. If you look back up at the log you posted, you will see at the bottom of the running processes the location and state of HijackThis on your computer when you ran the scan.

G:\Documents and Settings\3\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

You can see in the filepath that HijackThis.exe is in a subfolder of the Temp folder in red, and is also a file within Temporary Directory 1 for HijackThis.zip, in blue. This tells us that it is being run from a temp folder and also the zip file it was downloaded in. That temp folder is a default operating system folder where many programs leave their temporary files, and that includes malware. It is also oftentimes the default directory for downloaded files. When we make recommendations for cleanup, we more often than not instruct the user to empty that temp folder. We recommend running disk cleanup alot also, which cleans the contents of that temp folder, except only for the logged user. The 3 in that filepath is the user profile, eg; username......usually the login name on the welcome screen. Spouse or child with their own user account named 4, would have a temp folder in the same location as the 3 account.

G:\Documents and Settings\4\Local Settings\Temp

When you create a new folder, as long as it's not a sub-folder of a temp folder or Temporary Internet Files folder, it's a permanent folder. Hence, if you create a new folder in the My Documents folder, it's a permanent folder, as would one in Local Disk C: (G: in your case) or on your desktop. You could even create a new folder named temp and it would be permanent.

(G)C:\Documents and Settings\3\My Documents\temp

This is because it's not a subfolder of the default temp folder. There are several default temp folders.

(G)C:\Temp (more often seen in Win 98 and ME than in XP)
(G)C:\Windows\Temp
(G)C:\Windows\System32\config\systemprofile\Local Settings\Temp
(G)C:\Documents and Settings\*username*\Local Settings\Temp

**Note- the Local Settings folder is by default a hidden folder

When you download a zip file, it's best to right click it and select extract. This will move a copy of it's contents out of the zip file and to wherever you direct it.

On another note, please do not do any editing to your log before posting it. Makes it difficult for us to determine valid entries from invalid.

Hope this helps.

 

, Helps? That more than helps, thank you I still have more questions because its not completely clear but its starting to make sense. How would I go into Run and search and find the temporary files? I'm not going to do it until you folks have seen the new Hijack log and have given me instructions, but can a program like Spybot or Ad-ware run and clean just temp files? Is there a difference between temp files and temp internet files. One browser downloads into my documents and the other browser downloads onto the desktop, are they both temp folders or is the one in my documents a permanent folder? Also some times when I download something it doesn't come as a folder but only as a file is that a temp file or permanent? I really want to understand that is the reason for all the questions and what you've explained helps to bring me a little closer to my goal which is learning the command line. I'll catch you later when I post the Hijack this log.Andy1.

 

CCleaner will clean your temp files/folders, and more. Familiarize yourself with it before using.

If you really want to learn the command line, start with bookmarking these links.

Windows XP Professional Command-line Reference AtoZ

Windows XP Home Command-line Reference AtoZ

Your best bet in finding temp folders is through the search option on the start menu. You need to show hidden files and folders, and customize the search window to look in hidden folders. Look under more options.

You have the option when downloading a file to save it anywhere you want to through navigation in the save dialog box. You have to click Save on the download dialog box rather than Run/Open. You will then get the Save Dialog box. (see attached pictures) On the left hand side you have default locations to choose from (mine is customized). You can use the drop down address window for more places and/or double click any folder/location in the main window to switch to that directory.

You have stated that one browser downloads to your documents. I'm assuming that's the one you downloaded HijackThis.zip with, in your initial scan log. It is not saving to your documents folder. The path to your documents would be as follows.
G:\Documents and Settings\3\My Documents
The file system is setup like a tree, with C: (G: ) being the trunk, and the folders being main branches, sub-folders being smaller branches, etc. Open My Computer and right click G:, then select explore. In the left pane, start clicking the plus signs next to the folders. You'll get a better understanding of the directory structure.

Temporary Internet Files are the files loaded into a specified default folder to store images of everything you see on a web page. The operating system has to load the source code from each page you visit and convert it to text, images, etc to display it on your screen.

Temp files are created when; an application is run on your computer; during installations; while creating a document, etc.

 

Good morning, Noahdfear, thank you for the command line reference. Whever I download anything I always 'save to disk'. Mozilla has a most fantistic download manager in that it always saves in your documents and you can always go back a long time later and it has a 'show file location'. Firefox I think, I set to download to desktop so as I could see if there was a difference and to practice moving and copying files and folders, and creating folders. Internet Explorer just downloads to desktop. I downloaded Hijack this with Firefox and it came as a folder 'hijackthis.zip' onto the desktop, then I copyed it to my documents and opened it there. I really do not know the proper procedure or the effects of doing it one way or another. Sometimes when I download something it will come as a file and other times as a folder and I also do not know why or if it is important.
Also I done what you instructed as far as the settings of hidden files and folders and when I went to open temp folders all I got was a blank space, complete window. The other thing is you said in the Hijack log I was the third person on the computer, I'm the only person on the computer because I live alone. No wife or children, because if I had either it would take me even longer to do all this computer stuff.
Thank you veeerrry much for the explanation of temp files, 'me thinks you just told me something the experts don't know'!!!
I'll get back to you with that file and thank you very much,Andy1.

 

I didn't mean to suggest you were user #3 on the computer. Open My Computer, then G:, then Documents and Settings. Without viewing hidden files/folders, in XP Home you will see two folders. They are your username, in your case 3, and All Users. In XP Pro you would also see an Administrator folder. If you go to the control panel>user accounts and create another user, say you name it Andy, you would then see a folder in Docs and Settings named Andy also. Again, not showing hidden folders, if you open the 3 folder and Andy folder, you would see the same default set of subfolders.....My Documents, Favorites, Desktop, Cookies, Start Menu and User Data. Once you enable hidden folders, you will then see the Local Settings folder (and several other folders) inside of each username (account) folder. Each user account has it's own Temp and Temporary Internet Files folder as a subfolder to the Local Settings folder. As pointed out before, your HijackThis.zip file was located in G:\Documents and Settings\3\Local Settings\Temp\Temporary Directory 1
If you open My Documents from the start menu and create a folder named Stuff, open the stuff folder and create another folder named HJT, then copy/paste/move HijackThis.zip there, the filepath would then be G:\Documents and Settings\3\My Documents\Stuff\HJT\HijackThis.zip
If you moved HijackThis.zip from the desktop to your documents as you stated, the filepath would be G:\Documents and Settings\3\My Documents\HijackThis.zip\HijackThis.exe in your log. The path in your log suggests that you clicked either run on the download, or clicked save and allowed it to go to the default location, then clicked open when the download was complete.

A zip file is still a file. It can contain a single file or folder, or many of each. If you right click any file or folder and choose Send To>>>Compressed (zipped) Folder, it will create a zip file, of the same name with a zip extension, with a copy of the selected file/folder inside of it, within the directory you are currently in....eg; if you zip a file on your desktop it will create a zip file on your desktop; zip a file in My Documents, it will create a zip file in My Documents. Once a zip file is created, you can drag-n-drop or copy/paste many files and folders into that zip file. It's important with applications like HijackThis, if saved as a zip file, to extract the contents before running the app. Right click the zip file and select extract. You can then choose it's destination or allow it to extract to the default location, the filepath of which will be shown in the extracton wizard.

 

Thank you, so when Lonny said to delete the Hijack This folder did he you you mean to delete in the three folders and also in the desktop? Also are those folders, all three of created all by themselves? I didn't create any of them that I'm aware of. I just took a look and I have a folder in my name and one in my name, one all users, and the other one as the default. Noah also I found a file and if I end the proccess in the task manager the insistent window goes away til I boot up. Now if I end the process with the task manager and I go online is the proccess not active but dormant, but can it still do its malicious work?The is named, (ashServ.exe), I believe its an exe file, anyway when I stop it in the task manager then no more looking for the internet. Well thanks to you I'm finally going to get to understand the file system and thanks to you and Lonny I'm going to be able to get rid of this pest. Happy Easter and see you later!!!
I forgot to answer the rest of the post, I downloded HiJack This onto the desktop and then made a copy of it in my documents and opened it there. I don't know the proper way so I do both ways. And yes HJT came as a zip,does a file change when it comes as a zip or you make it a zip?

 

ashServ.exe is the Avast AntiVirus you have installed. Decide if you want to keep Avast or AVG, then go to the control panel>add/remove programs and uninstall the other. It's unwise to run two AV programs. They usually conflict with each other. Reboot.

Right click the desktop and choose New>Folder. Name it HJT. If you have HijackThis.exe, move it to that folder and run a scan, then post the log. Otherwise, click here to download it and put it in the new folder.

 

Noah, the file on the desktop is hijackthis.zip, do I do the same or do I open it on the desktop? Do you still want me to delete all the other hijackthis folders and files first? Also I have the Avast automatic updating on manual and the reason I have two antivirus is because I got some virus awhile back and the AVG couldn't get it and the Avast did get it. One of the conflicting issues is AVG is very easy to use and Avast is very through. Is the Trojan in the Avast file or folder or is the Avast program the malware. Can I burn either program to disc, a C/D? Thank you and will be waiting to hear from you on instructions, Andy1.