Subj : Re: Windows issues
To   : Finnigann
From : Large
Date : Thu Jun 09 2005 03:30 pm

  Re: Re: Windows issues
  By: Finnigann to Digital Man on Wed Jun 08 2005 08:02 pm

 > -=> With interpidation and the MAGIC of QWK Mail Digital Man wrote to Finnig
 > <=-
 > 
 >  DM>   Re: Re: Windows issues
 >  DM>   By: Finnigann to Digital Man on Tue Jun 07 2005 11:25 pm
 > 
 >  >  > 1.) I keep losing my connection. But that is not entirely correct. I h
 >  >  > connection but I suspect something is happeneing to the TCP socket(s) 
 >  >  > I can make anything out of the various messages I get from different
 >  >  > programs.
 >  >  >
 >  >  > Agent says,
 >  >  > Error reported by winsock driver: Not enough memory to initialize driv
 >  >  > [Error 10055]; Connecting to news.cbou.com
 >  >  >
 >  >  > SBBS[FTP Window] says:
 >  >  >  6/7  12:59:08p  Executing external: *qnet-ftp VERT bbs.synchro.net xx
 >  >  >  6/7  12:59:08p  QNET-FTP: VERT bbs.synchro.net xxxxxx
 >  >  >  6/7  12:59:09p  QNET-FTP: !socket_open failure socket_error=55
 >  >  >
 >  >  >
 >  >  > Is this common amoung Windows users' experience?
 >  >
 >  >  DM> I've seen it before, but usually only when FDSZ is runninger
 >  >  DM> NTVDM. Is it possible you have something consuming system
 >  >  DM> resources that shouldn't be running?
 >  >
 >  > As I'm not a 'USER' BBS... unless getting qwk packets are/is what you
 >  > mean...
 > 
 >  DM> No. FDSZ is used for X/Y/Zmodem file transfers from your BBS. If
 >  DM> no one is "using" your BBS, then FDSZ isn't running.
 > 
 >  > Other than that, nothing shows up in the task manager as being a hog.
 > 
 >  DM> Welp, something is consuming those buffers it needs. :-)
 > 
 >  DM> Try running tcpview (www.sysinternals.com) maybe?
 > 
 > You have recommended this tool before.
 > 
 > 
 > It shows:
 > Admin.exe:2160          UDP     dad:1032        *:*
 > alg.exe:1760            TCP     dad:1027        dad:0   LISTENING
 > dllcachev2.exe:904      TCP     dad:9999        dad:0   LISTENING
 > Icq.exe:2220            TCP     dad:25100       dad:0   LISTENING
 > Icq.exe:2220            TCP     dad:1055        205.188.8.108:5190 ESTABLISH
 > Icq.exe:2220            UDP     dad:1118        *:*
 > LDServ.exe:708          UDP     dad:1033        *:*
 > LDServ.exe:708          UDP     dad:9000        *:*
 > LDServ.exe:708          UDP     dad:50019       *:*
 > sbbsctrl.exe:2208       TCP     dad:ftp         dad:0   LISTENING
 > sbbsctrl.exe:2208       TCP     dad:telnet      dad:0   LISTENING
 > sbbsctrl.exe:2208       TCP     dad:smtp        dad:0   LISTENING
 > sbbsctrl.exe:2208       TCP     dad:gopher      dad:0   LISTENING
 > sbbsctrl.exe:2208       TCP     dad:finger      dad:0   LISTENING
 > sbbsctrl.exe:2208       TCP     dad:http        dad:0   LISTENING
 > sbbsctrl.exe:2208       TCP     dad:pop3        dad:0   LISTENING
 > sbbsctrl.exe:2208       TCP     dad:nntp        dad:0   LISTENING
 > sbbsctrl.exe:2208       TCP     dad:8080        dad:0   LISTENING
 > sbbsctrl.exe:2208       UDP     dad:79           *:*
 > svchost.exe:1488        TCP     dad:epmap       dad:0   LISTENING
 > svchost.exe:1644        UDP     dad:ntp         *:*
 > svchost.exe:1644        UDP     dad:ntp         *:*
 > svchost.exe:1764        UDP     dad:1034        *:*
 > svchost.exe:1764        UDP     dad:1035        *:*
 > svchost.exe:1812        UDP     dad:1900        *:*
 > svchost.exe:1812        UDP     dad:1900        *:*
 > System:4                TCP     dad:microsoft-ds dad:0   LISTENING
 > System:4                TCP     dad:netbios-ssn  dad:0   LISTENING
 > System:4                UDP     dad:microsoft-ds *:*
 > System:4                UDP     dad:netbios-ns   *:*
 > System:4                UDP     dad:netbios-dgm *:*
 > 
 > 
 > How do I tell who's da hog?
 > 
 > And as I write this it's changing all the time...
 > 
 > The help file isn't very helpful. )-:
 > 
 > 
 > 
 > 
 >         	  ł James King       KC8UGV ł
 > 	          ł Sysop  Bits-N-Bytes BBS ł
 >         	  ł Coldwater, MI     49036 ł
 > 	      http://www.synchro.net/sbbslist.htmlł
 > 
 >        If the Republicans will stop telling lies about us,
 >            we'll stop telling the truth about them."
 > ... Chopped cabbage: It's not just a good idea, it's the slaw!

Your problem is due to a Trojan, you want to boot into safe mode with command
prompt and 
open regedt32(winxp), regedit or whatever its called in different verions of
windows and goto HKLM\Software\microsoft\windows\current version\run and
remove and reg entries corresponding to 
dllcachev2.exe
you also want to goto HKey users
Hk current user
and follow same path and remove the same reg entry.
aswell as removing it from run you want to remove it from runonce, runservices,
runservicesonce.

I tend to get a bit gung-ho in registry cos trojans normally download a lot of
spyware so anything your not too sure about in registry you want to check in
google.
e.g. if you have a file called start.exe you want to do a search in google for
start.exe and pages will load up that will give you process info or whatever
and if its virus or spyware just delete it, the worst that can happen is that
something won't load at windows startup.

you must do this in safe mode otherwise the virus will install itself again.

if you need any help, msg me.
l8ters, steve

---
 ţ Synchronet ţ The DarkSide BBS *** Telnet://darkside.dtdns.net

.