Is this a virus ?

Discussion in 'Malware Help (A Specialist Will Reply)' started by knock22, Sep 26, 2006.

  1. knock22

    knock22 Private E-2

    Hi all... first of all I'm sorry for my bad English...
    I have a computer server which runs Windows 2000 Server. The problem occurs when I connect to the internet. The "bytes received" keeps running even if I don't use any applications or have any browsers open. I already scanned with NOD32, Spyware Doctor, avast, and Spybot Search & Destroy. The result is no virus or spyware in my system. All auto updates are already off.
    I also tried this computer stand-alone (not connected to the network), and the result is just the same.
    Is my problem because of a virus? What should I do?
    Please help me... because I'm already frustrated :))

    Thanks in advance...

    PS: After disconnecting from the internet, it always reconnects itself.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and welcome, don't apologise about your English as it's just fine :)

    When you mention Win2000 Server, the first thing that pops into my head is: are you actually running a server off that PC, with IIS etc.? That would want to keep connecting to the net iirc, even if you disconnect.

    Do you get any popups on screen or any re-directions (browser hijacks) in your browser? If so, can you name or describe them.

    BUT as you mention it keeps dialing up and trying to reconnect itself, that sounds to me like a classic dialer infection, and to narrow this down and help you to remove this pest, we would need you to run the below guide and attach the requested logs. Once attached, our experts in the malware field will look them over and if they find something that shouldn't be there like malware they will post some further removal instructions that will be tailored to your PC and the infection you have.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above, if you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. knock22

    knock22 Private E-2

    Thanks for your response...

    My internet access is limited by a bandwidth quota.. so is it possible/recommendable to skip the online virus scanning since it uses a lot of bandwidth?

    Cheers...
    Knock22
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Well you could skip those steps but you will be missing out on those scans finding anything harmful and causing your problem, so whilst I see your dilemma in quota'd bandwidth, I can also see that whatever problem you have will also no doubt be using that bandwidth up as well, until removed.

    We couldn't give you even 50% odds on removing whatever is causing this without all the logs. I wish there was a way around this for you, BUT these steps are tried and tested and do work; once we have all the logs attached we can give you, if needed, some tailored final removal steps.
     
  5. knock22

    knock22 Private E-2

    Here are some logs... I still skipped the online scanning, I hope you can find my problem.
    Offline scanning indicates no viruses, trojans or spyware.

    Thanks a lot...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not install and run GetRunKey and ShowNew properly. You MUST extract ALL files from the ZIP file and run the .bat from a Windows Explorer prompt. You must not run the .bat from inside the ZIP file. This was all explained in the download link instructions.

    First go to Add/Remove Programs and uninstall Search Bar.
    Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Network Location Manager ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Network Location Manager

    If you receive any error messages just ignore them and continue. You probably will not find this NT Service name to stop so just ignore the message from HijackThis and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now run HijackThis and look to see if the below O23 service line still exists:
    O23 - Service: Network Location Manager - Unknown owner - C:\WINNT\system32\lssc.exe (file missing)
    If it does, select that line and click Fix Checked.
    Either way reboot your PC now and tell me if you are still having problems.
    Also look for the C:\WINNT\system32\lssc.exe file and delete it if found.

    Did you install the pcAnywhere Host Service and Remote Packet Capture Protocol programs yourself?
    Why are you using such old version of Sun Java?
    Is your copy of Ewido a free or paid version?
     
  7. knock22

    knock22 Private E-2

    I unzipped those files to the 'MGTool' folder, and I didn't run them from the zip files. When I hit the .bat file, it showed an error that says "C:\Progra~1\symantec\s32evnt1.dll. An installable Virtual Device Driver failed DLL initialization. Chose "close" to terminate the application."

    I can't uninstall it from there. Is there another way to uninstall it besides from Add/Remove Programs?

    Done

    Done

    Yes, I did.

    Hmm... I never updated it. It came bundled with Microsoft Windows 2000 Server.

    It's a free version, and I have uninstalled it.


    Conclusion:
    My problem isn't solved yet. My bytes received still keeps running, and it still reconnects itself.
    Here I attach the latest HijackThis log.
    Thanks for your guidance and I hope we can find my problem.

    Cheers...
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your logs! They show that the .bat files were run from inside the ZIP file. Delete the GetRunKey.zip and ShowNew.zip file from your hard disk. Now locate the GetRunKey.bat file and run it. Then locate the ShowNew.bat file and run it. Then attach the two logs. I need these logs!

    Do you have anything from Symantec still installed? When did you uninstall it?

    Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Internet Name Service (WINS) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    WINS

    If you receive any error messages just ignore them and continue. You probably will not find this NT Service name to stop so just ignore the message from HijackThis and continue.

    Now exit HJT and reboot when it tells you it needs to.


    After reboot attach a new HJT log.


    Is PC Anywhere password protected? If you shut down PC Anywhere's host application, are you still seeing a packet count?


    Install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall ALL old versions of Sun Java!
     
    Last edited: Sep 30, 2006
  9. knock22

    knock22 Private E-2

    I have deleted them. It still shows "C:\Progra~1\symantec\s32evnt1.dll. An installable Virtual Device Driver failed DLL initialization. Choose "close" to terminate the application."

    Only pcAnywhere. Symantec AntiVirus Corporate and Norton AntiVirus were once installed on my system, but around 2 months ago I uninstalled them.

    Done

    Yes, it is protected. I have tried shutting down this program, and the counter is still running.

    Done.

    Here I attach the logs.

    Thanks
     

    Attached Files:

  10. knock22

    knock22 Private E-2

    Here's the screenshot of the errors if you need it...
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay something has corrupted your VDD registry key. See the below procedure from Microsoft that is used to fix this:

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;q254914&

    Symantec also duplicated the above in their fix for the exact problem with their DLL file:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/529c2f9adcf33a1088256e22005026f1/a22e09c4be40053680256dac00564a18?OpenDocument&src=bar_sch_nam

    After working through this procedure, see if you can run GetRunKey and ShowNew.
     
  12. knock22

    knock22 Private E-2

    Here's the attachments....

    Thx
     

    Attached Files:

  13. knock22

    knock22 Private E-2

    Anybody know?

    Thx :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you have Rdrivrem.zip and the log file from it on your Desktop! Did you have this problem at some point? The date is Sep 13th so it would have been good if you had told us about this.

    I also see you have Ethereal. Did you capture the packets being received and determine where they are coming from? That is, what is the source IP address?

    While this has nothing to do with your problem, you need to uninstall all but one of the below. If any are paid versions keep that one; if all are trial versions, uninstall all and keep just Windows Defender.
    • Ad-Aware with Ad-watch <-- I have to assume you purchased this since you would not have Ad-watch otherwise. So this should be the one you keep.
    • Ewido
    • SpywareDoctor
    • Windows Defender
    Did you have Norton Antivirus installed at some point? I see the below:
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

    You should have HJT fix the below line, which is for an old outdated version of Sun Java.
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe


    Delete the below folder:
    C:\Program Files\Deskbar

    Now let's see if we can get rid of that SearchBar item in Add/Remove Programs. Try using Your Uninstaller! 2006 to uninstall Search Bar.
     
    Last edited: Oct 4, 2006
  15. knock22

    knock22 Private E-2

    Here's the ethereal result...
     

    Attached Files:

  16. knock22

    knock22 Private E-2

    The result is no errors...

    Already attached

    I just fixed it but nothing changed.

    Done
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but didn't you look at the addresses to see who they belong to?

    I see:
    Code:
    IP Address   : 72.246.51.83 [ a72-246-51-83.deploy.akamaitechnologies.com ]
    ISP          : Akamai Technologies
    Organization : Akamai Technologies
    Location     : US, United States
    City         : Cambridge, MA 02142
    
    which is talking to:
    Code:
    IP Address   : 125.163.131.167 [ 167.subnet125-163-131.speedy.telkom.net.id ]
    ISP          : PT Telekomunikasi Indonesia
    Organization : PT Telekomunikasi Indonesia
    Location     : ID, Indonesia
    City         : Jakarta, 06 -
    
    Are these part of your network?

    And there were also some messages from the 125.163.131.167 PC and 202.134.0.155. This second address is for:
    Code:
    IP Address   : 202.13.0.155 [ 202.13.0.155 ]
    ISP          : -
    Organization : -
    Location     : JP, Japan

    role:         Japan Network Information Center
    address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
    address:      Chiyoda-ku, Tokyo 101-0047, Japan
    country:      JP
    
    Only you can state whether these are valid for your network and what your PCs are supposed to be talking to.
     
  18. knock22

    knock22 Private E-2

    Thanks for your reply.

    I am not too good at networking. Which protocol indicates local networking or the internet? I assume TCP is for local networking (so maybe I can ignore it), and I see there are a lot of HTTP packets with source 125.163.131.167 and destination 72.246.51.83 (info: GET /msdownload/update/v3-19990518/cabpool/windows2000...exe).
    Is my problem because of it? As far as I know, I have turned off all automatic updates.

    FYI, after I disconnect the internet connection, it automatically redials (dialing itself), and I think after a while it uses a lot of memory so my computer hangs.

    What's wrong with my system?

    Thx again
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are trying to ask me. TCP is a valid protocol used everywhere (not just on your local network).

    You need to determine what addresses are part of your network. That is what I was stating in my previous message when I listed who all the IP addresses belong to. Which ones do you recognize?


    Nothing as far as I see. You do not have any remaining malware based on what we have run thus far. You may need to take the rest of your issues to the Networking Forum. For a person that is not too versed in networking you have a lot of processes running that would not normally be running unless you were setting up all kinds of network stuff including some servers. What exactly is this PC used for? Is this a home PC or is it part of a business network?
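    The sorting chaslang asks for in the two posts above (which addresses in the capture are your own network, which are remote, and which remote host accounts for the bytes being received) can be done mechanically. The script below is an added example for this thread; it is not code from MajorGeeks, from Ethereal, or from any participant. It assumes a plain-text packet list in the column layout "No. Time Source Destination Protocol Length Info" (the layout a text export of the packet list uses), the sample packets are constructed for the example (the addresses are the ones discussed in the thread, the download filename is a placeholder), and OWN_ADDRESSES is an assumed set of the capturing machine's LAN address and ISP-assigned dial-up address.

```python
"""Sort capture endpoints into local and remote, summarise traffic per remote host.

Added example for this thread, not code from MajorGeeks, Ethereal or the posters.
Assumes a text packet list with columns: No. Time Source Destination Protocol Length Info.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample capture (not a real export from the thread); the .exe name is a placeholder.
SAMPLE_CAPTURE = """\
1 0.000 192.168.0.10 192.168.0.1 DNS 74 Standard query A download.example.test
2 0.012 192.168.0.1 192.168.0.10 DNS 90 Standard query response A 72.246.51.83
3 0.020 125.163.131.167 72.246.51.83 TCP 62 1034 > 80 [SYN]
4 0.140 72.246.51.83 125.163.131.167 TCP 62 80 > 1034 [SYN, ACK]
5 0.141 125.163.131.167 72.246.51.83 HTTP 312 GET /msdownload/update/v3-19990518/cabpool/windows2000-PLACEHOLDER.exe HTTP/1.1
6 0.300 72.246.51.83 125.163.131.167 HTTP 1514 HTTP/1.1 200 OK
7 0.301 72.246.51.83 125.163.131.167 TCP 1514 [TCP segment of a reassembled PDU]
8 1.200 202.134.0.155 125.163.131.167 ICMP 74 Echo (ping) request
9 1.201 125.163.131.167 202.134.0.155 ICMP 74 Echo (ping) reply
"""

# Assumed: the capturing machine's own addresses (LAN side and the ISP-assigned dial-up side).
OWN_ADDRESSES = {"192.168.0.10", "125.163.131.167"}

# RFC 1918 ranges: anything here is on the local network, not the internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")


@dataclass
class Packet:
    no: int
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_capture(text):
    """Parse the text export; lines that do not fit the column layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            no, _time, src, dst, proto, length, info = m.groups()
            packets.append(Packet(int(no), src, dst, proto, int(length), info))
    return packets


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


def summarize_remote_hosts(packets, own_addresses):
    """Per external peer: packet count, bytes each way, protocols seen, outbound HTTP requests."""
    stats = defaultdict(lambda: {"packets": 0, "bytes_in": 0, "bytes_out": 0,
                                 "protocols": set(), "http_requests": []})
    for p in packets:
        if p.src in own_addresses and p.dst not in own_addresses:
            peer, direction = p.dst, "out"
        elif p.dst in own_addresses and p.src not in own_addresses:
            peer, direction = p.src, "in"
        else:
            continue                 # between two own addresses, or not involving this machine
        if is_private(peer):
            continue                 # local network traffic is not what we are looking for
        s = stats[peer]
        s["packets"] += 1
        s["bytes_" + direction] += p.length
        s["protocols"].add(p.proto)
        if p.proto == "HTTP" and direction == "out" and p.info.split(" ")[0] in ("GET", "POST"):
            s["http_requests"].append(p.info)
    return dict(stats)


def top_inbound(stats):
    """Remote hosts ordered by bytes received from them: the 'bytes received' counter explained."""
    return sorted(((h, s["bytes_in"]) for h, s in stats.items()), key=lambda x: -x[1])


def hints(stats):
    """Plain-language observations; whether a remote host is legitimate is the owner's call."""
    out = {}
    for host, s in stats.items():
        notes = []
        if any("/msdownload/" in r for r in s["http_requests"]):
            notes.append("requests a Microsoft update download path (/msdownload/): "
                         "check whether automatic updates are really turned off")
        if s["protocols"] == {"ICMP"}:
            notes.append("only ICMP (ping) exchanged, no application data")
        out[host] = notes
    return out


if __name__ == "__main__":
    st = summarize_remote_hosts(parse_capture(SAMPLE_CAPTURE), OWN_ADDRESSES)
    for host, received in top_inbound(st):
        s = st[host]
        print(f"{host}: {s['packets']} packets, {received} B in, {s['bytes_out']} B out, "
              f"{sorted(s['protocols'])}; {'; '.join(hints(st)[host]) or 'no notes'}")
```

    Run against a real export, the top of the `top_inbound` list is the host to look up with whois (as chaslang did above) and to compare against the list of addresses you know belong to your own network.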
     
  20. knock22

    knock22 Private E-2

    My server is a home PC that connects around 20 PCs. And the IP addresses always start with 192.168....

    As you were stating in your previous message:
    Code:
    IP Address   : 72.246.51.83 [ a72-246-51-83.deploy.akamaitechnologies.com ]
    ISP          : Akamai Technologies
    Organization : Akamai Technologies
    Location     : US, United States
    City         : Cambridge, MA 02142
    
    I don't know what Akamai Tech is.

    Code:
    IP Address   : 125.163.131.167 [ 167.subnet125-163-131.speedy.telkom.net.id ]
    ISP          : PT Telekomunikasi Indonesia
    Organization : PT Telekomunikasi Indonesia
    Location     : ID, Indonesia
    City         : Jakarta, 06 -
    
    and the above is my ISP that I use right now.

    Code:
    IP Address   : 202.13.0.155 [ 202.13.0.155 ]
    ISP          : -
    Organization : -
    Location     : JP, Japan

    role:         Japan Network Information Center
    address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
    address:      Chiyoda-ku, Tokyo 101-0047, Japan
    country:      JP
    
    And I still don't know why they are in my system!

    What should I do then? Can I remove / stop them from accessing the internet? But how?

    Thanks.
     
