Timeout: connection elapsed - AGAIN

3 weeks ago, I was having trouble with Timeouts popping up, indicating that the system had been hijacked and was sending out emails unbidden. I chatted with several of you on this forum and you helped me run some scans, use HJT, etc., and eventually it stopped. But I deleted something related to MS Money, which caused it to keep trying to install that program, and continually fail. I couldn’t uninstall the program either. So I went back to my HJT backup and restored everything with an MS Money name in it. I was then able to uninstall MS Money.

I also restored some AIM (AOL Instant Messenger) files, because AIM kept popping up randomly from the background where I usually keep it. I thought maybe I had deleted something it needed to run properly.

Last night, the same Connection Elapsed messages started showing up on my computer, and then my ISP blocked me from sending emails. I talked to them and they said that the log showed I had sent over 250 emails last night and another 380 this morning. Which of course I never sent. So something in there was causing the problem - I presume.

I ran a thorough Avast scan and it deleted 2 viruses. I also deleted AIM altogether, just in case that’s the problem.

Now I’m paranoid about having my email program open for long (Thunderbird), as it might start sending out spam again. When the timeout messages pop up, they say either: thunde.exe-> charter.net:25 OR explorer.exe->charter.net:25

I just ran another HJT scan and have attached the results. Does anyone see anything here that I should be concerned about? I also use Ewido and a Zone Alarm firewall.

This is an on-line analysis of your log, check out the Possibly nasty and unknown entries, etc. either by knowing what they are (you installed them, etc.) or using google to check out the filenames, etc. to see if there is anything malicious associated with it.

http://hijackthis.de/logfiles/c4e40ab5c1b67d7a0ce5c80fcf2697c5.html

Yeah, I’ve done this online thing before. The only question I have is whether anything with an ActiveX in the name is necessarily bad. I think 1 or 2 of them are from my installing that program when I ran a Trend Micro scan, especially the Red Swoosh one (I’m presuming). The other two have Gateway in the file name, which makes me worried about deleting them - my computer is a Gateway and I don’t want to delete something that I need.

Anything with the name “Multipass” in it is something to do with my printer, which is a Canon Multipass. So I know those are fine.

Is it really so bad to use AIM?

  1. The fact that they have Gateway doesn’t necessarily mean that is what they are.
  2. You can scan the suspect files at that site; see the paper clip next to the entry, they can be scanned.
  3. I’m unsure that you would be deleting the ActiveX entries, in the same way you were able to restore other things. If they are for Gateway, have you used them? Are they required? Personally I think not, and they don’t get flagged possibly nasty for nothing.
  4. I’m aware of the Multipass being something to do with Canon, but I don’t know if you had/have a Canon printer (neither does the analysis tool), that is why you need to check those unknown entries. I have a Canon Pixma i4000 and I don’t have any of these entries (different printer perhaps). Check your options and see if the monitor is actually required.
  5. I’ve never used AIM so I can’t say, but there are other IMs that will work with AOHell’s IM, Trillian I believe.

Geez - this is getting really old. So I ran a thorough scan of avast yesterday, which deleted maybe 2 things. Checked my firewall settings, everything seemed fine. I used email this morning without problems, then put the computer in Standby mode while I was out. When I came back, there were 12 of those timeout messages. DAMN!! What is happening here? I think I’ve scanned everything, cleaned everything, all is well - then, wham, there it is again. In less than 24 hours. And there seems to be no way to determine what virus is causing this problem. My ISP hasn’t blocked me yet, but that could happen any time. Who knows how many messages got sent that the connection didn’t elapse on.

I just ran an Ewido scan; it found 5 items, which were just cookies, which I removed. I’ll try fixing those Gateway items on the registry, but have no idea what else to do.

My firewall is the Zone Alarm free download. Is that good enough? When I was using their Security Suite (before I knew it would cause a problem running alongside Avast), it allowed me to block outbound email sent with certain extensions, like explorer.exe. Now that I have only the free firewall, I can’t seem to figure out how to do this, or if it’s even available.

I also loaded Trillian this morning - how cool is that? Thanks for suggesting it - I’d never even heard of it before. Very cool.

Why isn’t avast fixing this?

> So I ran a thorough scan of avast yesterday, which deleted maybe 2 things.

What did it delete: virus name, file name and location? This sort of information is too important to just be glossed over.

> I used email this morning without problems, then put the computer in Standby mode while I was out. When I came back, there were 12 of those timeout messages.

Please provide full details of the timeout message (or a screenshot), especially if there is mention of the program causing it.

Well, I don’t know what those viruses were. Is there a way to find them in Avast, now that they’ve been deleted? I’ll check the program to see.

The Timeout window can’t be “copied”, but it says this:
avast! Timeout: Connection Elapsed.
(explorer.exe->charter.net:25)
Continue waiting?
Yes No
I had it on standby again for about 2 hours just now and there were 10 timeouts waiting to be “processed”!

Should I go to www.lurkhere and ask them? Cloussau suggested it a couple of weeks ago when I was having this problem, over on the Home/Pro forum.

It won’t hurt to get alternative advice.

Do a search for explorer.exe and let us know if there is more than one occurrence and what location it is found in.

http://www.neuber.com/taskmanager/process/explorer.exe.html See the comments about it being found in a different location.

This is the Windows shell (desktop, file browser, taskbar etc), closing it is not recommended. However, if the path is C:\Explorer.exe, it's a virus. (Due to lazy programming, Windows does not look in a specific path for this file. If it finds it here, it'll launch it instead of the real shell.)

http://www.liutilities.com/products/wintaskspro/processlibrary/explorer/

Note: explorer.exe is also registered as a process which is the w32.Codered and the w32.mydoom.b@mm viruses. These viruses are distributed via the Internet through e-mail and come in the form of an e-mail message, in the hopes that you open its hostile attachment. The worms have their own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself.

There are 2 occurrences. They say:
C:\WINNT
C:\WINNT\ServicePack\i386

The first one says it was created 12/31/79
The 2nd one says 8/4/04

Do these sound like trouble?

I have two also
C:\Windows
C:\Windows\ServicePackFiles\i386
Now obviously I’m using Windows XP but both of my files are exactly the same size and date (looking at the last modified date).

Usually when in the C:\ root folder the explorer.exe is a virus/malware so these locations seem genuine.

I don’t know what to suggest to do about this imbalance (if it exists when you compare date modified and size) in your files, as I believe you may be using the older version in C:\WINNT which could leave you vulnerable to exploit.
Perhaps checking the file/s at: Jotti - Multi engine on-line virus scanner and see if any other scanners here detect them as malware, etc.
Or VirusTotal - Multi engine on-line virus scanner
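The comparison discussed in the last few posts (where the copies of explorer.exe live, and whether they match) can be scripted. The following is an added example, not part of the original thread: it walks a directory tree standing in for the system drive, flags copies outside the locations the posters treated as genuine, and reports whether the copies in those locations differ in content. The function names and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Locations the thread treats as genuine, relative to the drive root (lower-cased).
EXPECTED_DIRS = {"winnt", "winnt/servicepack/i386",
                 "windows", "windows/servicepackfiles/i386"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_copies(root, name="explorer.exe"):
    """Walk root (standing in for the C: drive) and describe every copy of name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name:
                continue
            full = os.path.join(dirpath, fname)
            # A copy directly in the root gets rel == ".", which is never expected.
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
            findings.append({"path": full, "dir": rel,
                             "size": os.path.getsize(full),
                             "sha256": sha256_of(full),
                             "expected_location": rel in EXPECTED_DIRS})
    return findings

def summarize(findings):
    """Unexpected locations, and whether the expected copies differ in content."""
    unexpected = sorted(f["dir"] for f in findings if not f["expected_location"])
    hashes = {f["sha256"] for f in findings if f["expected_location"]}
    return {"unexpected_dirs": unexpected, "expected_copies_differ": len(hashes) > 1}

def build_sample_tree():
    """Constructed sample: two differing copies in expected dirs, one in the root."""
    root = tempfile.mkdtemp()
    samples = {"WINNT": b"shell build A", "WINNT/ServicePack/i386": b"shell build B",
               "": b"constructed stand-in for a rogue copy"}
    for sub, data in samples.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "explorer.exe"), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    print(summarize(audit_copies(build_sample_tree())))
```

A content mismatch between the expected copies is a reason to submit both files to a multi-engine scanner, as suggested above, not proof of infection on its own.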