Something's trying to connect to the internet on start up!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by suzEQ2, Nov 28, 2004.

  1. suzEQ2

    suzEQ2 Private E-2

    Hello. I've tried to follow all the directions for downloading and properly scanning my PC. I'm afraid to connect it to the internet (different PC than what I'm using here) because I think there is a nasty program trying to download more junk - so I used the desktop app A-Squared to scan for trojans rather than trying the online trojan scan.

    Here's what I've done so far:
    Downloaded and got updates for all recommended "tools".
    Scanned with A-Squared (2 trojans removed: yekpa.dat and apkey.exe)
    Installed plugin and scanned with Ad-Aware SE (154 objects including virtumonde, 180Solutions, and DealHelper)
    Scanned with SpyBot (30 problems fixed) Also used immunize.
    CCleaner
    Ad-Aware SE again (4 objects in registry - Virtumonde)
    Norton AV scan (2 found 00074508.dll and WUinst.dll)

    I downloaded and ran the Norton tool for removal of virtumonde. I ran it and then Ad-Aware - nothing found.

    However - problem is on every reboot, I'm prompted to connect to the internet (running Win 98 and using a dial up connection - I don't have a firewall - will ZoneAlarm or Kerio work with a dialup connection? - do you advise that I get one?) I have to click cancel on the connection prompt about 8 times before it goes away. Periodically, the prompt will reappear.

    There's got to be more junk on my PC - but what?

    ps. I've re-run SpyBot and it reports 1 item (DSO Exploit)

    Hope you can help. Thanks in advance.
     
    Last edited: Nov 28, 2004
  2. Kodo

    Kodo SNATCHSQUATCH

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. suzEQ2

    suzEQ2 Private E-2

    Attached is my log. Thank you.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is there a reason you did not run the online scanners we recommended in the READ ME FIRST?

    Did you see my message below about the SpyBot update?


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\WINDOWS\TEMP\OFNIC.DAT (file missing)
    O2 - BHO: (no name) - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. SpyWar

    SpyWar Private E-2

    Ya, you gotta be crazy to not have a firewall up nowadays.

    ZoneAlarm Pro is a very popular one, but I use and recommend Sygate Personal Firewall Pro.
     
  7. izzugotom

    izzugotom Private E-2

    I found Startup Monitor by Mike Lin helpful. It tells you when a program registers to run at next startup...
    http://www.mlin.net/StartupMonitor.shtml

    ..The trick is, that if you see this warning, and you don't know the program, record all the data about it while the warning is in front of you. Then you go to your C-Drive, and search and delete the directory it created to store its files, and delete everything, then go to Registry and search and do the same.
    >All this before you reboot again.

    By the time you see the warning, the unscrupulous website has already downloaded stuff to your C-Drive.
     
  8. Learning As I Go

    Learning As I Go Sergeant

    I use Zone Alarm. Once I got used to it, I found it very helpful. The main thing is that it prompts me whenever something is trying to dial out. I can then either allow or deny depending on whether I recognize it or not. Also, I started using WinPatrol. It has an option to disable certain programs from running on startup. I only use these particular programs because they are free, but you get what you pay for. :) :) :)
     
  9. suzEQ2

    suzEQ2 Private E-2

    Attached is my log after following HJT instructions from Chaslang. After fixing and rebooting - the persistent prompt to connect to the internet is still happening.

    I did download and run the SpyBot DSO Exploit tool and that is now gone. :)

    I did not use the online scanners because I'm afraid if I connect to the internet (as I'm being mysteriously prompted to do so) - I'd get more junk. That's why I used the desktop scanner rather than those suggested in READ ME FIRST.

    (I'm emailing you from a different PC - the infected pc hasn't been back online since before my first post and all the various scans).

    Thanks
     

  10. Kodo

    Kodo SNATCHSQUATCH

    the following lines are the only things I see wrong in that log

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    check those boxes and click fix. Then go into the control panel for IE and make sure all the settings for all the zones under the security tab are at their default levels.

    Then try the online scans and post a new log.
     
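    The HijackThis lines quoted in posts #5 and #10 above, run through a small triage script written for this page (an added example, not a tool from the thread or from HijackThis itself): it splits each log line into section code, body and CLSID, and flags the same kinds of entries the helpers told suzEQ2 to fix (missing URLSearchHook, orphaned O2/O9 entries, IE policy restrictions). The O4 startup line and the reason strings are constructed for the sample.

```python
import re

# Constructed sample: the HJT lines quoted in this thread, plus one ordinary
# Win98 startup entry (O4) that a triage pass should leave alone.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\WINDOWS\TEMP\OFNIC.DAT (file missing)
O2 - BHO: (no name) - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# An HJT line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Split one HJT line into section code, body and the CLSID it names (if any)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    clsid = CLSID_RE.search(m.group("body"))
    return {"section": m.group("section"), "body": m.group("body"),
            "clsid": clsid.group(0) if clsid else None}

def classify(entry):
    """Return a reason string if the entry should be ticked for 'Fix', else None."""
    sec, body = entry["section"], entry["body"]
    if sec == "R3" and body.endswith("is missing"):
        return "default URLSearchHook has been removed"
    if sec in ("O2", "O9") and (body.endswith("(file missing)") or body.endswith("(no file)")):
        return "orphaned %s entry: the referenced file no longer exists" % sec
    if sec == "O6" and "Policies\\Microsoft\\Internet Explorer" in body:
        return "IE policy restriction present: locks the user out of IE settings"
    return None

def triage(log_text):
    """Return (section, clsid, reason) for every entry worth fixing."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append((entry["section"], entry["clsid"], reason))
    return findings

if __name__ == "__main__":
    for section, clsid, reason in triage(SAMPLE_LOG):
        print(section, clsid or "-", reason)
```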
  11. suzEQ2

    suzEQ2 Private E-2

    I'm in the process of doing the Trend Micro scan.

    I've fixed the 2 items you recommend in HJT.

    I've set IE defaults for the zones:
    Internet (medium)
    Intranet (low-medium)
    Trusted Sites (low)
    Restricted Sites (high)

    I installed the personal firewall Kerio before using my dial up. I had to disable it after a few minutes because I was being prompted to "permit" or "deny" every few seconds with lots of requests going out over different ports - is that normal? Also Netscape froze and wouldn't open.

    I'll let you know how the scan goes - should I do both and use the McAfee stinger exe as noted in READ ME FIRST?
     
  12. Kodo

    Kodo SNATCHSQUATCH

    normal? it depends on what's trying to get out. If you've already set IE and such to use the connection then you may get a few more at first run, but definitely should not be constant.

    Netscape may have frozen due to restrictions in place by Kerio when you opened NS.

    Do as many of the scans as possible. It can only help.
     
  13. suzEQ2

    suzEQ2 Private E-2

    I'm attaching my latest HJT log now that I have run the online scans of Trend Micro (no infections found) and Symantec Security Check (3 items were noted as problems - I pasted those results to word and can send that if you want it too.)

    I couldn't get the Stinger.exe to run in safe mode, so I scanned in normal mode - no infections found.
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  15. suzEQ2

    suzEQ2 Private E-2

    I've fixed the 2 lines in HJT as recommended. Nothing showing up in Ad-aware or SpyBot. Still being prompted to connect to the internet on startup. I disabled Norton LiveUpdate from automatically updating to see if that might be the culprit - no luck. Any ideas on how to find out what item is prompting for the connection?

    I couldn't run Stinger in SafeMode because I lose my mouse in that mode. I tried some keyboard short-cuts - including Alt-S (Scan) - but couldn't get it going.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run Symantec's new removal tool: Symantec Trojan.Vundo Removal Tool

    If not, please do so. Make sure you are physically disconnected (unplug cables) from the internet before running.
     
    Last edited: Nov 29, 2004
  17. suzEQ2

    suzEQ2 Private E-2

    Yes. I ran the Norton tool for Virtumonde and the phone line was disconnected from the PC.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But did you run the new version from today?
     
  19. suzEQ2

    suzEQ2 Private E-2

    I see - yes, now I have downloaded and run the latest tool for Vundo. Result, "Trojan Vundo has not been found on your computer".

    I believe this saga is coming to an end! :) I am able to restart and I'm not prompted to connect to the Internet.

    2 more questions:

    I've installed Zone Alarm and fired up my dial up. I was online about 5 minutes. Zone Alarm now reports "total intrusions blocked, 15". What exactly does that mean - were there really 15 attempts in that short time to compromise my system?

    Is opening email in web-based programs - like Netscape or Yahoo - safer than bringing the email down onto my PC - like in Outlook or Thunderbird? When I open an email on Yahoo - is it opening "out there" - not on my system and therefore can't infect me - or is that just a silly misperception?

    Thanks for all your help and the service that you provide here! I really appreciate it!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds to me like ZoneAlarm is doing its job. You should look in its log to find out more info about those intrusions. See where they are from and what program possibly is causing it.

    The email is always opening on your PC. This is another reason for having proper up to date virus protection running.
     