
Thread: Proxy Server Problem!

  1. #51
    Join Date
    Dec 2006
    Posts
    50
    Quote: Originally Posted by jholland1964
    Are you certain you have Ewido Anti-Virus and not anti-spy? Just checking.
    I'm sorry, you are right, it's Ewido Anti-Malware!

    TL, I'm sorry but I'm a little confused on the footnotes and that. I'm not really confident with doing things that are complex. What shall I do? Shall I just load the computer in safe mode and run the exe? Sorry if I come across as incompetent.

  2. #52
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056
    Quote: Originally Posted by lakers
    What shall I do? Shall I just load the computer in safe mode and run the exe?
    Yes, download the executable and place it anywhere you want, then boot in safe mode and double-click on the executable.

  3. #53
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote: Originally Posted by lakers
    I'm sorry, you are right, it's Ewido Anti-Malware!

    TL, I'm sorry but I'm a little confused on the footnotes and that. I'm not really confident with doing things that are complex. What shall I do? Shall I just load the computer in safe mode and run the exe? Sorry if I come across as incompetent.
    So you are not running an anti-virus program AND you state you are running two firewalls... Windows and McAfee. Two big no-nos here... Install, update and enable an anti-virus program ASAP and turn off the Windows firewall if you have another installed and running. You NEVER should run two firewalls at the same time.

  4. #54
    Join Date
    Dec 2006
    Posts
    50
    Hey, I'm afraid it didn't work! These two still appear in the log:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    When I "fix" these, the Lan Settings automatically change to "use proxy server." When I unselect the "proxy server" box, the two "R1" keys come back in the log. Thanks for creating the code though, it was worth a try!
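
Added example, not part of the original post or of any tool mentioned in the thread: a `ProxyServer` value of 127.0.0.1:8080 sends browser traffic to a process on the same machine, so the useful checks are whether the log shows a loopback proxy and whether anything is actually listening on that port. The sample log is constructed from the two R1 lines above, and the function names are this example's own.

```python
import ipaddress
import re
import socket

# Constructed sample: the two R1 lines from the post, plus one unrelated line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")

def proxy_entries(log_text):
    """Return {value_name: data} for Internet Settings proxy values in the log."""
    found = {}
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        # Pasted logs can carry a stray space in long keys ("Int ernet"); ignore spaces.
        key = m.group("key").replace(" ", "").lower()
        if key.endswith(r"\currentversion\internetsettings") and m.group("name").startswith("Proxy"):
            found[m.group("name")] = m.group("value").strip()
    return found

def loopback_proxy(proxy_server):
    """Return (host, port) if ProxyServer ("host:port" or "http=host:port;...")
    points at this machine, else None."""
    for part in proxy_server.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        host, _, port = hostport.rpartition(":")
        try:
            is_local = host.lower() == "localhost" or ipaddress.ip_address(host).is_loopback
        except ValueError:
            is_local = False  # a non-local host name, or no host at all
        if is_local and port.isdigit():
            return host, int(port)
    return None

def is_listening(host, port, timeout=1.0):
    """True if some local process accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

if __name__ == "__main__":
    target = loopback_proxy(proxy_entries(SAMPLE_LOG).get("ProxyServer", ""))
    if target:
        print(target, "listener present" if is_listening(*target) else "no listener on that port")
```

A loopback proxy with no listener matches the symptom of every page failing at once; a loopback proxy with a listener means the next step is identifying which process owns that port.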

  5. #55
    Join Date
    Dec 2006
    Posts
    50
    Another thing that may help you is when I try "trouble shooting" in MSN Messenger 7.5, the IP, Default gateway, IE's offline setting, DNS, and Proxy Server all come up as OK. However, the "Hosts file" and "Key Ports" come up with the yellow hazard symbol next to them.

    Also, in the "lan settings" the port is set at "8080."

  6. #56
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056


    Lakers,

    Just to let you know, the executable was a customized version of CleanXP with a list of suspicious files that were going to be re-named for safe keeping.
    It was no miracle script, and if the problem was caused by any of the files captured by AnalyzerXP, it could have remedied the situation; however, the cause must be something else.

    What I need to know is what exactly have you done besides running the executable? Have you installed/uninstalled anything else?

    If nothing, please run another scan with AnalyzerXP so I can see the changes.
    Also, please download the HOST file manager called Hoster, this program is really easy to use and also has many features. Please compare yours to the screenshot. If it looks any different, please take a screenshot and attach to your next post before you do anything so we can see.

    ~TL

  7. #57
    Join Date
    Dec 2006
    Posts
    50
    The screenshot is exactly the same. I'll run AnalyzerXP now and get back to you shortly.

  8. #58
    Join Date
    Dec 2006
    Posts
    50
    [===============] AnalyzerXP by TL - forum.networktechs.com (www.IamNotaGeek.com) [===============]


    22/01/2007
    14:15

    Some of the files listed could be safe and valid, so before you do anything, research further.
    You could also submit this log on forum.networktechs.com - Spyware Central for help.


    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 22/01/2007 at 14:12:17



    RSOP results for DILAN\Dilan Shah on DILAN : Logging Mode
    ----------------------------------------------------------

    OS Type: Microsoft Windows XP Professional
    OS Configuration: Standalone Workstation
    OS Version: 5.1.2600
    Domain Name: DILAN
    Domain Type: N/A<Local Computer>
    Site Name: N/A
    Roaming Profile:
    Local Profile: C:\Documents and Settings\Dilan Shah
    Connected over a slow link?: Yes


    COMPUTER SETTINGS
    ------------------

    Last time Group Policy was applied: 22/01/2007 at 1323
    Group Policy was applied from: N/A
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    NT AUTHORITY\Authenticated Users


    USER SETTINGS
    --------------

    Last time Group Policy was applied: 22/01/2007 at 1323
    Group Policy was applied from: N/A
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
    None
    Everyone
    Debugger Users
    BUILTIN\Administrators
    BUILTIN\Users
    LOCAL
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users


    Volume in drive C has no label.
    Volume Serial Number is 20E8-C18D

    Directory of C:\WINDOWS\Tasks

    04/12/2006 23:34 284 AppleSoftwareUpdate.job
    1 File(s) 284 bytes
    0 Dir(s) 3,623,675,904 bytes free


    TaskName Next Run Time Status
    ==================================== ======================== ===============
    AppleSoftwareUpdate 16:26:00, 26/01/2007
    MP Scheduled Scan 02:15:00, 23/01/2007

    INFO: No event triggers found.


    =====] Looking for suspicious file types in WINDOWS folder:

    W32i - - - - 224,256 03-31-1999 c:\windows\comctl32.oca
    W32i - - - - 43,520 03-31-1999 c:\windows\msmapi32.oca
    W32i - - - - 53,248 09-15-2003 c:\windows\_apprun.eee
    W32i - - - - 129,536 07-23-1999 c:\windows\_auhccup1.lld
    W32i - - - - 71,749 10-28-2005 c:\windows\_hcextoutput.lld

    Volume in drive C has no label.
    Volume Serial Number is 20E8-C18D

    Directory of C:\WINDOWS



    W32i - - - - 2,067,140 11-29-2005 c:\windows\system32\avcodec.dll
    W32i - - - - 24,576 08-15-2003 c:\windows\system32\coinst.dll
    W32i - - - - 23,040 09-18-2000 c:\windows\system32\cssms_in.dll
    DOS - - - - 9,833 09-03-2001 c:\windows\system32\ddmi.vxd
    DOS - - - - 9,321 11-11-2001 c:\windows\system32\dlpt.vxd
    W32i - - - - 20,480 07-01-2002 c:\windows\system32\mpfapi.dll
    DOS - - - - 25,225 11-27-2002 c:\windows\system32\mpfirewl.vxd
    W32i - - - - 45,056 09-24-2001 c:\windows\system32\navlogon.dll
    DOS - - - - 5,672 08-17-1998 c:\windows\system32\quartz.vxd
    DOS - - - - 120,379 09-24-2001 c:\windows\system32\symevnt.386
    W16 - - - - 10,240 08-17-1998 c:\windows\system32\vidx16.dll
    W32i - - - - 262,416 10-17-1999 c:\windows\system32\_asfv2.lld
    W16 - - - - 11,776 03-25-2003 c:\windows\system32\_zport4as.lld
    W32i - - - - 55,936 12-06-2002 c:\windows\system32\drivers\mpfirewall.sys
    W32i - - - - 27,440 08-23-2001 c:\windows\system32\drivers\secdrv.sys

    SafeDisk Driver (used by games to authenticate CD and prevent burning a copy of protected applications) has been detected on this system! If everything is working fine, ignore this entry.

    05/09/2006 23:01 2,451,824 ieapfltr.dat








    =====] List of files located at the root of the C Drive:

    Volume in drive C has no label.
    Volume Serial Number is 20E8-C18D

    Directory of C:\

    01/12/2002 11:21 245,792 CLASSES.1ST
    01/12/2002 11:38 0 CONFIG.BAK
    18/01/2007 22:20 0 conmgr.log
    19/01/2007 17:31 193,508 hpfr5550.log
    26/12/2004 15:43 348 install.log
    01/12/2002 11:10 3,833 RECOVERY.LOG
    01/12/2002 15:04 470 SCANDISK.LOG
    26/12/2004 15:59 3,723 _NavCClt.Log
    21 File(s) 453,308 bytes
    0 Dir(s) 3,623,391,744 bytes free



    =====] Directory Analysis - PROGRAM FILES:

    04/12/2006 23:37 <DIR> iPod
    04/12/2006 23:37 <DIR> iTunes
    21/08/2006 14:46 <DIR> Windows Defender
    17/08/2006 15:46 <DIR> Driving Test Success 2006-2007
    24/04/2006 09:23 <DIR> ArcSoft
    03/04/2006 12:30 <DIR> Ahead
    01/04/2006 15:59 <DIR> SAMSUNG
    01/04/2006 09:38 <DIR> Elaborate Bytes
    30/03/2006 18:03 <DIR> FileZilla
    16/03/2006 22:41 <DIR> WinRAR

    (Ignore the ones you know of)


    =====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):

    04/04/2006 22:21 <DIR> L&H
    03/04/2006 12:32 <DIR> Nero



    =====] Directory Analysis - WINDOWS folder:

    Volume Serial Number is 20E8-C18D

    Directory of C:\WINDOWS

    10/01/2007 14:42 <DIR> ie7updates
    09/12/2006 12:00 <DIR> WBEM
    09/12/2006 11:58 <DIR> ie7
    03/04/2006 12:33 <DIR> InCD
    24/08/2005 19:24 <DIR> report
    24/08/2005 19:24 <DIR> AU_Backup
    24/08/2005 19:20 <DIR> AU_Log
    09/05/2005 17:05 <DIR> Downloaded Installations
    15/12/2004 11:25 <DIR> Motive
    10/10/2004 18:21 <DIR> occache
    31/03/2004 20:55 <DIR> henry screensaver dir
    04/12/2002 23:48 <DIR> Minidump
    04/12/2002 09:59 <DIR> Modio
    0 File(s) 0 bytes
    189 Dir(s) 3,623,416,832 bytes free


    =====] Process Analysis - User-based processes with their Services:


    Image Name PID Services
    ========================= ====== =============================================
    WebClient
    sqlservr.exe 188 MSSQL$SQLEXPRESS
    AOLDial.exe 524 N/A
    AOLSP Scheduler.exe 568 N/A
    dslstat.exe 596 N/A
    dslagent.exe 668 N/A
    fts.exe 132 N/A
    MpfTray.exe 1256 N/A
    ctfmon.exe 1800 N/A
    MpfAgent.exe 2084 N/A
    alg.exe 3324 ALG
    AcroRd32.exe 3920 N/A


    =====] Process Analysis - Currently running Service based Processes:


    Image Name PID Session Name Session# Mem Usage
    ========================= ====== ================ ======== ============
    InCDsrv.exe 1076 Console 0 1,520 K
    AOLacsd.exe 1860 Console 0 2,200 K
    defwatch.exe 1908 Console 0 944 K
    ewidoctrl.exe 1940 Console 0 1,708 K
    inetinfo.exe 1956 Console 0 6,312 K
    mdm.exe 1984 Console 0 2,764 K
    MpfService.exe 2024 Console 0 2,260 K
    sqlservr.exe 188 Console 0 1,516 K
    AOLDial.exe 524 Console 0 1,660 K
    AOLSP Scheduler.exe 568 Console 0 428 K
    dslstat.exe 596 Console 0 696 K
    dslagent.exe 668 Console 0 232 K
    fts.exe 132 Console 0 1,048 K
    MpfTray.exe 1256 Console 0 1,228 K
    ctfmon.exe 1800 Console 0 1,440 K
    MpfAgent.exe 2084 Console 0 724 K
    alg.exe 3324 Console 0 2,616 K
    AcroRd32.exe 3920 Console 0 6,468 K



    [====================] End of Log [====================]
    Here's the new log.

    I haven't installed anything new.

  9. #59
    Join Date
    Dec 2006
    Posts
    50
    OK, here's something else that may help. When I open IE, there are three quick things that appear in the bottom left corner. It doesn't make sense to me but it may make sense to you. I've hosted three paint files from where I took three screenshots on what happens when I open IE.







    The order of the images shows the sequence of what happens. It only takes about two seconds until it comes up with the "page could not be found" error.

  10. #60
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056
    Ok, those screenshots didn't mean much to me, perhaps they didn't really capture the odd occurrences so well?

    Anyhow, I do believe this 'no connection' issue is not caused by a malware but more like a misbehaving or corrupt application such as a firewall or Internet Security Suite (ring any bells?). I have experienced this problem myself with both ZoneAlarm and one other program that I can't recall right now, both were Internet Security type programs. I have also seen few others (1 offline using Norton Internet Security utility) experienced similar problems and it turned out to be a program related setting or a file.

    In one case the program that the problematic file belonged to was not even on the system!

    So, I might be wrong and there might still be a malware-related remnant on the system, but none of the log files you posted captured anything, and the issue is either what I described above or collateral damage caused by a previous infection that is no longer on your system. The improper disinfection procedures could have also damaged the related registry settings.

    But first, let's try this: pull up the utility list from my signature and download and run Autoruns. Open the program and click on Options, then check the 'Hide Microsoft Entries' option then click 'Refresh' button to update the list by scanning again.
    Once done, click File > Save As (at the Save in window, click Desktop so it saves the log file on your desktop which would make it easier to locate the log file) > Save.

    Attach Autoruns.txt file to your next post please.

    ~TL
