Solved

# Removed Spyware - no only have local connectivity, no internet

Posted on 2008-10-22
586 Views
Hi

I have an infected machine here, I have removed what I believe to be all the spyware using a combination of removers alongside hijackthis. it was working fine on my home network so I took it back round to my friends house, but we could not get it online. (BT USB Voyager modem)
I have brought it back to me and now I cannot get it online on my home network
I have tried assigning the correct settings and using auto, it gets the correct info from my router, but it will not go online.
I can ping my local machines but no internet addresses. I have also checked the hosts file.

What can I try next?

thanks, Spotta
0
Question by:sp0tta
• 6
• 4
• 2
• +1

LVL 3

Expert Comment

ID: 22775649
Sounds like a corrupt TCP stack.  If this is XP I'd downlaod Winsock Fix and run it.  Should restore the internet.  I am guessing from your tag.  If Vista, reply and I'll get the MS KB article on how to fix that.
http://www.snapfiles.com/get/winsockxpfix.html
0

Author Comment

ID: 22775739
Hi

I forgot to mention that I have already run Winsock Fix on it with no luck. I'm at a loss at the moment.

Spotta
0

LVL 4

Expert Comment

ID: 22775815
Post the HiJackThis log.
Uninstall the NIC from Device Manager and reinstall.
Make sure that Malware Bytes and Spybot were 2 of the Removers that you are using.
Download CCCleaner and run the Cleaner Tool as well as the Registry Cleaner.
Unplug the modem for 10 minutes, then bring the PC and modem up at the same time and try DHCP Settings again.
0

Author Comment

ID: 22777067
Hi

I used both Malware Bytes and Spybot, as well as Superantispywrae and A Squared. I then run an online scan from Symantec and trend micro.
I assigned a static ip but that made no differnce either, I hadn't run ccleaner, but I have now again with no difference.

Here is the hijack This log.

Thanks, Spotta

Logfile of HijackThis v1.99.1
Scan saved at 15:14:51, on 22/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRAM FILES\A-SQUARED FREE\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
E:\PortableApps\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\PROGRAM FILES\A-SQUARED FREE\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

0

LVL 4

Expert Comment

ID: 22777207
The log looks fairly clean i believe.
If you have tried reinstalling the nic, is there anyway that you can try a external nic to see if the card is the problem? I realize this started with an infection but you could save a lot of time by trying a different nic and see if that solves the problem.
0

Author Comment

ID: 22777324
Hi

I added a USB to Ethernet adapter that I sometimes use, now both adapters get an IP, but still no internet =[
Below is the results of ipconfig and pinging a local and internet address.

Spotta

Microsoft Windows XP [Version 5.1.2600]

C:\Documents and Settings\tina>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : SN037832020143
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : netgear.com
netgear.com

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix  . : netgear.com
Description . . . . . . . . . . . : DM9601 USB To Fast Ethernet Adapter
Physical Address. . . . . . . . . : 06-06-00-01-0B-27
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.24.253
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.24.1
DHCP Server . . . . . . . . . . . : 192.168.24.1
DNS Servers . . . . . . . . . . . : 192.168.24.1
Lease Obtained. . . . . . . . . . : 22 October 2008 15:53:09
Lease Expires . . . . . . . . . . : 23 October 2008 15:53:09

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix  . : netgear.com
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Eth
ernet NIC
Physical Address. . . . . . . . . : 00-0D-61-EE-65-03
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.24.233
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.24.1
DHCP Server . . . . . . . . . . . : 192.168.24.1
DNS Servers . . . . . . . . . . . : 192.168.24.1
Lease Obtained. . . . . . . . . . : 22 October 2008 15:53:34
Lease Expires . . . . . . . . . . : 23 October 2008 15:53:34

C:\Documents and Settings\tina>ping 192.168.24.10

Pinging 192.168.24.10 with 32 bytes of data:

Reply from 192.168.24.10: bytes=32 time=6ms TTL=128
Reply from 192.168.24.10: bytes=32 time=2ms TTL=128
Reply from 192.168.24.10: bytes=32 time=2ms TTL=128
Reply from 192.168.24.10: bytes=32 time=2ms TTL=128

Ping statistics for 192.168.24.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 6ms, Average = 3ms

C:\Documents and Settings\tina>ping www.bbc.co.uk
Ping request could not find host www.bbc.co.uk. Please check the name and try ag
ain.

0

LVL 4

Expert Comment

ID: 22777394
Not sure why netgear.com would be the DNS suffix but i rarely use routers as i support a domain network. If you remove that from the DNS Suffix list under Advanced>DNS tab, does that change anything?
0

LVL 4

Accepted Solution

smittyboom earned 250 total points
ID: 22777419
Also, im assuming that you are plugged into a router that is plugged into a cable modem? If that is so try going straight to the modem on DHCP and bypass the router. You may need to unplug the router so that the new MAC address will be allowed to connect.
0

LVL 3

Assisted Solution

ID: 22777471
(think its picking that up from the dhcp server built into the netgear device.  harmless)
Just a thought...   have you logged into the netgear interface...suspect it has a ping utility built into it that would let you know if you have a circuit issue...could be the machine is fine but the circuit out has an issue.  Admit it would be a coincidence if so...
0

LVL 1

Expert Comment

ID: 22799654
Try pinging to the direct address rather then the name.

If it works, maybe for some odd reason your routers DNS forwarding got messed up.
0

Author Comment

ID: 22822057
Hi

A repair install got it back online sort of, the homepage would load but trying to go anywhere else would result in another blank IE window.
I wiped and reinstalled completely after backing files and all was well again.

S.
0

Author Closing Comment

ID: 31511777
points split between both contributors.
0

Author Comment

ID: 22843501
points split between both contributors.

S.
0

## Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

### Suggested Solutions

To Remove Security Suite for Windows Malware from a Windows XP Machine:  Restart computer in Safe Mode (to do this see http://tinyurl.com/me78p) Login as Administrator Go to My Computer /Tools/ Folder Options/ View/  check mark the selectio…
Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.