Bullguard Antivirus Forum Download A Free Copy Of Bullguard Antivirus Software
Need help
Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 3:48 (GMT +1)
it says someone is monitoring my comp

here is the IP address of the attacker
65.254.52.108

and the MAC address
00-0E-83-06-42-90

bullguard only told me that much

but it says it bans them for 600 secs

and it just keeps popping up

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13649
Posted 7-12-2006 4:02 (GMT +1)
Hi Caspian

Do you know and recognize this ISP?
65.254.32.0 - 65.254.63.255
Global Net Access, LLC
55 Marietta St, NW
Suite 1720
Atlanta, GA
US

Regards - Touch

Please start your own thread by clicking the new topic button. Do NOT post your problem in someone else's thread.
Do not PM me with logfiles. They will be deleted.

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 4:03 (GMT +1)
nope

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 4:19 (GMT +1)
what can i do?

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 4:33 (GMT +1)
can i block it
or maybe like
idk

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13649
Posted 7-12-2006 4:56 (GMT +1)
I have a Danish version of BG, I therefore hope the below is understandable -

You can block it, if you prefer. Right-click on the BG icon next to the clock - Open - Firewall, change to advanced mode, Logs tab, scroll down to the security log, right-click on - 65.254.52.108 - deny/block the address.

If in doubt, click on the ? sign

Regards - Touch

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 11:25 (GMT +1)
ok so i got that all done
but i can't obtain an internet connection
in normal mode

here's my hijack

Logfile of HijackThis v1.99.1
Scan saved at 5:25:34 AM, on 7/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\Explorer.EXE
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TY.USER-MOEGC231VW\Desktop\hijack\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS1\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/034ae9af1b03bee7b015/netzip/RdxIE601.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS1\SYSTEM32\WgaLogon.dll
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS1\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS1\system32\ZoneLabs\vsmon.exe

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13649
Posted 7-12-2006 11:49 (GMT +1)
If you don't have/use eTrust EZ Armor and Zone Labs, please follow the instructions below -

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called: CA ISafe (CAISafe)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Same procedure with these:
VET Message Service (VETMSGNT)
TrueVector Internet Monitor (vsmon)

Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked.
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe

Reboot into Safe Mode

Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.

Open Folder Options in Control Panel > View and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Delete:

Folders:
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe

Reboot, post new HijackThis log.

If you can't obtain an internet connection in normal mode, please tell why?

Regards - Touch

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 6:12 (GMT +1)
Logfile of HijackThis v1.99.1
Scan saved at 12:12:36 PM, on 7/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TY.USER-MOEGC231VW\Desktop\hijack\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS1\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/034ae9af1b03bee7b015/netzip/RdxIE601.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS1\SYSTEM32\WgaLogon.dll
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS1\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Back to Top
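
To confirm that the cleanup steps given earlier in this thread took effect, the two HijackThis logs can be compared entry by entry. This is an added example, not part of the original thread: the function names are hypothetical, and the embedded log text is a shortened excerpt of the two logs posted above.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread
# (shortened to the lines that changed plus a few that did not).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS1\system32\ZoneLabs\vsmon.exe
"""
LOG_AFTER = r"""
Running processes:
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")   # e.g. "O23 - Service: ..."
# Items the moderator asked to disable or fix in this thread.
TARGETS = ["Zone Labs Client", "CAISafe", "VETMSGNT", "vsmon"]

def parse(log):
    """Split a HijackThis log into (running processes, set of (code, text))."""
    procs, entries, in_procs = set(), set(), False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:                       # first entry line ends the process list
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())  # Windows paths are case-insensitive
    return procs, entries

def diff(before, after):
    """Report what disappeared or appeared between two logs."""
    (p0, e0), (p1, e1) = parse(before), parse(after)
    return {"processes_gone": sorted(p0 - p1),
            "entries_removed": sorted(e0 - e1),
            "entries_added": sorted(e1 - e0)}

def still_present(log, targets=TARGETS):
    """Return the cleanup targets that still show up in a log's entries."""
    _, entries = parse(log)
    return [t for t in targets if any(t in text for _, text in entries)]
```

On these two logs the four targeted entries are gone and nothing new was added, and BullGuard.exe no longer appears under running processes in the second log.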
 

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 6:21 (GMT +1)
my comp realizes that the cables are connected
but it just won't connect

i'm not sure what that's about

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13649
Posted 7-12-2006 6:55 (GMT +1)
You can try a few things -
Run LspFix
Click on "I know what I am doing". Click Finish and follow the prompts

Reboot
If it doesn't help, check for corrupted system files -
To do this simply go to the Run box on the Start Menu and type/copy in:
sfc /scannow
This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

Post back and tell how things go

Regards - Touch

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 7:15 (GMT +1)
it said 0 things removed and 0 things renumbered

was i supposed to remove an LSP?

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-12-2006 8:30 (GMT +1)
didn't work

said i need an xp disc

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13649
Posted 7-13-2006 10:43 (GMT +1)
Ok.

Download and run Everest Home:

Double-click on Network - Windows Network. In the right pane there is a driver download link. Get a new driver and see if it helps

Caspian
New Member
Date Joined Jun 2006
Total Posts : 18
Posted 7-17-2006 10:07 (GMT +1)
every time i block that ip address i lose my ability to connect to the internet

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13649
Posted 7-17-2006 10:50 (GMT +1)
Ok, allow - 65.254.32.0 - 65.254.63.255 - It is not a harmful address and it is not an attacker/hacker