Strange behaviours - windows firewall diabled, no internet

[scriggs]

Hi,

I have 1 rogue machine on my network.

1. Internet explorer will not work on the machine and Windows Explorer also hangs.
2. We have Windows Firewall enforced by Group Policy (so it cannot be disbled) yet it is disabled on this machine? I have never seen this before

To try to resolve I have:
1. Checked and through cmd I can ping and tracert to internet services.
2. If I boot in safe mode (with network) everything is fine - can use IE to browse, etc.
3. I have run Spybot, Adaware and Microsoft Antispyware which have not detected anything.
4. I have manually removed MyWebSearch through Add/Remove programs.
5. Run a full AV using today's definition files.

I don't know where else to go, any suggestions?

 

[aquias]

A few additional programs to run...

Ewido Security Suite
HiJackThis!

And, if you can get to the web, run an online scanner. Something like

http://housecall.trendmicro.com.

If you need assistance with the log files from Ewido or HJT! post them up here.

 

[scriggs]

Cheers aquais

I have downloaded and am running Ewido.

Have run HijackThis! and results follow, any advice please - never used this before:

Logfile of HijackThis v1.99.1
Scan saved at 15:23:25, on 05/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\sas\Practice Management\QuickApexPMS.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
\HAL\Clients\Setup\applnch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\securitysuite.exe
\hal\cabs\Software\Programs\Standards\Utilities\Spyware\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.euro.dell.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://companyweb

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://companyweb

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.euro.dell.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Sage Quick Time Entry.lnk = C:\Program Files\sas\Practice Management\QuickApexPMS.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) -

http://hal/connectcomputer/nshelp.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

 

[aquias]

Remove these entries..

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.

6.cab

Couldn't find information on this file...

C:\Program Files\sas\Practice Management\QuickApexPMS.exe

You actually look VERY clean.

As an FYI of what I do with these files. I go to

http://www.hijackthis.de/index.php

and run an analysis of the file. I DO NOT take what it says as correct. I like the way the parser formats the file. Once I run the file through the checker, I do Google and various other searches to discover if the file name is possibly malware.

 

[aquias]

Side note! Did you run an Ewido scan? It'll verify if there are any trojans loaded. Dohp and last thing, I should have started with this, turn off system restore prior to removing malware.

 

[scriggs]

Thanks for that, will remember for the future how to use that.

I know the machines are fairly clean which is why I so confused. I lock all users down as limited users so they can't accidently install stuff.

I disable access to Messenger files so that it cannot run, so the first items should be OK. Smileycentral is part of MyWebSearch so I have disabled that. The last one is a specific programme we use so is OK.

Made no difference - I think I am going to have to reinstall soon! So strange.

 

[aquias]

Heh, almost forgot about this...

Try the winsock fix

http://www.snapfiles.com/get/winsockxpfix.html

Sometimes when removing malware it slaps up a few items on your system.

 

[scriggs]

Tried the winsock fix, no joy on internet but system does seem more stable - will let windows explorer, etc. run. I have just installed Firefox and am writing this on the computer - I will try the online scanner next.

Strange - the issue is just with IE then? I am not happy leaving it like this but not sure what else I can do?

 

[aquias]

Yay! One step closer...now, lets try this fix!

http://www.snapfiles.com/get/lspfix.html

 

[scriggs]

Thanks for your help on this one.

I have the machine in safe mode at the moment, running IE and doing the online scan. Will try the LSPFix when that finsihes, maybe tomrrow now.

I ran process explorer a little bit ago and notice one strange item listed - vshare.386 - which googling reports as win95 networking. Could this be some spyware/virus? I have checked on other (identicial) machines and this is not shown by process explorer.

 

[aquias]

Does this process only run in safe mode or is it being listed on the standard mode as well?

 

[aquias]

I did some further research on this file...vshare.386. This is actually a Windows 3.1 file, it looks as if it carried forward to the 9x generations. However, I cannot find any reference to that file on anything in the NT era of windows (although it seems to be heavily associated with problems with share.exe from that era as well).

What exactly does this machine have in its startup programs? Have you run an MSCONFIG to see?

Additionally, what services are starting up? Have you identified those yet?

 

[Sympology]

This may seem a little obvious, but maybe you have two seperate problems.

1. i.e, have you tried a reinstall / repair
2. Is it logging onto the domain correctly.
3. Does the same issue occur is different people log in, it may be a corrupt profile. Delete the profile if it's only one user.

All else fails, blow the damm thing away and start anew.

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004

 

[scriggs]

Hey Stu

Thanks for the reply. I had thought of the first issues:
1. Tried reinstalling SP2 as advised by MS KB article to reinstall IE6.
2. Logs into domain fine and can access network data (albeit slowly!). Like I said Firefox works OK too, just IE and windows explorer causing trouble.
3. Occurs on all logons, only works when in Safe Mode.

As you have suggested I did start again - luckily I have a bunch of similar machines so I just ghosted one over.

My problem is tho, that I don't like not finding a solution and there is a niggling that maybe some rogue spyware/virus could have made it into my network. Lets hope not tho!