Do not use on any
shared computer
August 20, 2008 04:30am pdt
 
[x]
Attachment Details

ping to *.symantec.com, *.ca.com, *.trendmicro.com, etc return reply from 127.0.0.1.  HOSTS file not to blame.

Zones: MS Forefront, Anti-Virus, Desktop Anti-Virus
Tags: Microsoft, Windows XP Professional SP2, SP2 w/ IE 6
I have a client's computer that has been cleaned of many trojans/viruses including the "WinAntivirusPro".  At this point when I try to go to housecalls.trendmicro.com for an online scan, it returns "page cannot be displayed", while a ping to trendmicro.com, symantec.com, ca.com, and many others return 127.0.0.1.

I checked the HOSTS file (and LMHOSTS etc), but they haven't been modified for over a year and the HOSTS file did not contain anything but the 5 entries we put into the computer for resolution of WAN connections.  As a matter of fact, I even removed the HOSTS file completely and still get the same reply from the localhost when trying to ping a antivirus/spyware related web-address.

I have run various fixes for trojans that do similar (but typically modify the HOSTS file) including AGOBOT and SmitFraud.
I've checked and rechecked DNS on several of our own server as well as public DNS servers.  Most sites resolve fine unless they are an anti-malware type site.  When I put a bogus IP for the DNS server, nothing resolves (as expected) except for the sites like symentec.com (reply from 127.0.0.1).

We have also attempted an install (early on in the process) of Firefox which installs fine, but will not run (starts to run but kills -- as shown in process explorer).

As well, upon removal of one of the many trojans, the application mapping for running .exe files was lost.  A patch was applied and this was restored.

I'm pretty well at my wits end here, and need some advise.  Format/reinstall is not an option on this machine unfortunately.

I'm including my HijackThis log:
------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:35 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\Windows\System32\userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://data-1/cbopracticemanager/Install/CPOPM04Client/CPOPM04Client.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E6AC13B-5ADA-4810-A79B-9658AEF060C8} - http://data-1/centricity/Install/McKesson04/McKesson04.cab
O16 - DPF: {329E2905-EDCC-4B43-8243-985AC1D9D4FF} - http://data-1/bravo/Install/ARBCBS04/ARBCBS04.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031016/akamai.info.apple.com/iTunes4/WW/win/061-0840.20031016.sAc49/iTunesSetup.exe
O16 - DPF: {4869BC42-91D5-433E-8557-F4285DCA0B6F} - http://data-1/cbopracticemanager/Install/CPOPM04GoldClientSP3/CPOPM04GoldClientSP3.cab
O16 - DPF: {5C09FD7C-B414-43CE-8A41-EBBA80EB0FFC} - http://data-1/bravo/Install/McKesson04/McKesson04.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C93C8624-4FC1-4BC4-9FC9-CAB94FF8208F} - http://data-1/cbopracticemanager/Install/CPOPM04GoldClientSP2a/CPOPM04GoldClientSP2a.cab
O16 - DPF: {E5855096-43F4-47CF-8723-BAFC1759AFDC} - http://data-1/bravo/Install/CPOPM04GoldClient710/CPOPM04GoldClient710.cab
O16 - DPF: {E839F0A1-4D68-472A-BBB8-08FA530581CF} (MBCInstaller 6.0 object) - http://data-1/centricity/Install/MBCINSTaller60.dll
O16 - DPF: {F12CFEEA-7984-4AD4-BADD-02C315148F83} - http://server-1/pfs/Install/MPM02SP1ClientHF4/Default.cab
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://data-1/bravo/Install/MBCINSTaller70.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CBO.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = CBO.LOCAL
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFD5B35E-B6DB-4716-8F3B-200F816D9CB4}: NameServer = 4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CBO.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CBO.LOCAL
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = CBO.LOCAL
O20 - Winlogon Notify: jkkijHBT - jkkijHBT.dll (file missing)
O20 - Winlogon Notify: __c006A764 - C:\WINDOWS\system32\__c006A764.dat (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 5048 bytes
-------------------------------
Thanks in advance,
Patrick Ring
Start your free trial to view this solution
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
9.2
Question Stats
Zone: Microsoft
Question Asked By: pring
Solution Provided By: rpggamergirl
Participating Experts: 2
Solution Grade: A
Views: 67
Translate:
Loading Advertisement...
 
[+][-]Accepted Solution by rpggamergirl

Rank: Wizard

Accepted Solution by rpggamergirl:

All comments and solutions are available to Premium Service Members only.

Start your 7-day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
 
[+][-]Expert Comment by Admin3k
Expert Comment by Admin3k:

All comments and solutions are available to Premium Service Members only.

Start your 7-day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
 
[+][-]Author Comment by pring
Author Comment by pring:

All comments and solutions are available to Premium Service Members only.

Start your 7-day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
 
[+][-]Expert Comment by rpggamergirl

Rank: Wizard

Expert Comment by rpggamergirl:

All comments and solutions are available to Premium Service Members only.

Start your 7-day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
 
Loading Advertisement...
20080723-EE-VQP-34 / EE_QW_2_20070628