Solved

Removed Spyware - no only have local connectivity, no internet

Posted on 2008-10-22
583 Views
Last Modified: 2012-05-05
Hi

I have an infected machine here. I have removed what I believe to be all the spyware using a combination of removers alongside HijackThis. It was working fine on my home network, so I took it back round to my friend's house, but we could not get it online (BT USB Voyager modem).
I have brought it back to me and now I cannot get it online on my home network.
I have tried assigning the correct settings and using auto; it gets the correct info from my router, but it will not go online.
I can ping my local machines but no internet addresses. I have also checked the hosts file.

What can I try next?

thanks, Spotta
Question by:sp0tta
13 Comments
 
LVL 3

Expert Comment

by:NetAdminGuy
Sounds like a corrupt TCP stack. If this is XP I'd download Winsock Fix and run it. Should restore the internet. I am guessing from your tag. If Vista, reply and I'll get the MS KB article on how to fix that.
http://www.snapfiles.com/get/winsockxpfix.html  
 

Author Comment

by:sp0tta
Hi

I forgot to mention that I have already run Winsock Fix on it with no luck. I'm at a loss at the moment.

Spotta
 
LVL 4

Expert Comment

by:smittyboom
Any of these may or may not help you:
Post the HijackThis log.
Uninstall the NIC from Device Manager and reinstall.
Assign Static IP Address.
Make sure that Malware Bytes and Spybot were 2 of the Removers that you are using.
Download CCleaner and run the Cleaner Tool as well as the Registry Cleaner.
Unplug the modem for 10 minutes, then bring the PC and modem up at the same time and try DHCP Settings again.
 

Author Comment

by:sp0tta
Hi

I used both Malware Bytes and Spybot, as well as SuperAntiSpyware and A-Squared. I then ran an online scan from Symantec and Trend Micro.
I assigned a static IP but that made no difference either. I hadn't run CCleaner, but I have now, again with no difference.

Here is the HijackThis log.

Thanks, Spotta

Logfile of HijackThis v1.99.1
Scan saved at 15:14:51, on 22/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\PROGRAM FILES\A-SQUARED FREE\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BT Broadband Basic Help\bin\MotiveBrowser.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\BT Broadband Basic Help\bin\mad.exe
E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
E:\PortableApps\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\PROGRAM FILES\A-SQUARED FREE\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

 
LVL 4

Expert Comment

by:smittyboom
The log looks fairly clean, I believe.
If you have tried reinstalling the NIC, is there any way that you can try an external NIC to see if the card is the problem? I realize this started with an infection, but you could save a lot of time by trying a different NIC and seeing if that solves the problem.
 

Author Comment

by:sp0tta
Hi

I added a USB to Ethernet adapter that I sometimes use; now both adapters get an IP, but still no internet =[
Below are the results of ipconfig and pinging a local and an internet address.

Spotta

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\tina>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : SN037832020143
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : netgear.com
                                            netgear.com

Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . : netgear.com
        Description . . . . . . . . . . . : DM9601 USB To Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 06-06-00-01-0B-27
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.24.253
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.24.1
        DHCP Server . . . . . . . . . . . : 192.168.24.1
        DNS Servers . . . . . . . . . . . : 192.168.24.1
        Lease Obtained. . . . . . . . . . : 22 October 2008 15:53:09
        Lease Expires . . . . . . . . . . : 23 October 2008 15:53:09

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . : netgear.com
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-0D-61-EE-65-03
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.24.233
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.24.1
        DHCP Server . . . . . . . . . . . : 192.168.24.1
        DNS Servers . . . . . . . . . . . : 192.168.24.1
        Lease Obtained. . . . . . . . . . : 22 October 2008 15:53:34
        Lease Expires . . . . . . . . . . : 23 October 2008 15:53:34

C:\Documents and Settings\tina>ping 192.168.24.10

Pinging 192.168.24.10 with 32 bytes of data:

Reply from 192.168.24.10: bytes=32 time=6ms TTL=128
Reply from 192.168.24.10: bytes=32 time=2ms TTL=128
Reply from 192.168.24.10: bytes=32 time=2ms TTL=128
Reply from 192.168.24.10: bytes=32 time=2ms TTL=128

Ping statistics for 192.168.24.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 3ms

C:\Documents and Settings\tina>ping www.bbc.co.uk
Ping request could not find host www.bbc.co.uk. Please check the name and try again.

 
LVL 4

Expert Comment

by:smittyboom
Not sure why netgear.com would be the DNS suffix, but I rarely use routers as I support a domain network. If you remove that from the DNS Suffix list under Advanced > DNS tab, does that change anything?
 
LVL 4

Accepted Solution

by:
smittyboom earned 250 total points
Also, I'm assuming that you are plugged into a router that is plugged into a cable modem? If that is so, try going straight to the modem on DHCP and bypass the router. You may need to unplug the router so that the new MAC address will be allowed to connect.
 
LVL 3

Assisted Solution

by:NetAdminGuy
NetAdminGuy earned 250 total points
(I think it's picking that up from the DHCP server built into the Netgear device. Harmless.)
Just a thought... have you logged into the Netgear interface? I suspect it has a ping utility built into it that would let you know if you have a circuit issue... could be the machine is fine but the circuit out has an issue. Admittedly it would be a coincidence if so...
 
LVL 1

Expert Comment

by:prlit
Try pinging the direct address rather than the name.

I.e., ping 209.85.171.99 instead of google.com

If it works, maybe for some odd reason your router's DNS forwarding got messed up.
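As an added illustration of prlit's suggestion (example code, not from anyone in this thread): a small Python triage script that parses ipconfig /all and ping output in the format posted above and reports the first failing layer, so that "raw IP reaches the Internet but names do not resolve" is separated from a NIC, router or circuit fault. All sample output is constructed; 209.85.171.99 is the address prlit names. It generalises past this case by also covering the no-address and no-gateway outcomes.

```python
import re
# Constructed sample laid out like the ipconfig /all output posted in this thread (one adapter).
IPCONFIG = """Ethernet adapter Local Area Connection 4:

        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        IP Address. . . . . . . . . . . . : 192.168.24.233
        Default Gateway . . . . . . . . . : 192.168.24.1
        DNS Servers . . . . . . . . . . . : 192.168.24.1
"""
# Constructed ping outputs, one per outcome; 209.85.171.99 is the address prlit suggests above.
PING_REPLY = "Pinging 192.168.24.1 with 32 bytes of data:\n\nReply from 192.168.24.1: bytes=32 time=2ms TTL=64\n"
PING_TIMEOUT = "Pinging 209.85.171.99 with 32 bytes of data:\n\nRequest timed out.\n"
PING_NO_HOST = "Ping request could not find host www.bbc.co.uk. Please check the name and try again.\n"

def parse_ipconfig(text):
    """Return {adapter: {field: value}} from ipconfig /all text; console-wrapped lines are skipped."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S.*):\s*$", line)                          # "Ethernet adapter ...:"
        if head:
            current = adapters.setdefault(head.group(1), {})
            continue
        field = re.match(r"^\s+([A-Za-z][\w -]*?)[ .]*: ?(.*)$", line)  # "Name . . . : value"
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return adapters

def classify_ping(output):
    """'resolve': name lookup failed; 'reply': echo reply seen; 'none': timed out or unreachable."""
    if "could not find host" in output:
        return "resolve"
    if re.search(r"^Reply from .*bytes=", output, re.M):
        return "reply"
    return "none"

def triage(ipconfig_text, pings):
    """pings holds ping output for 'gateway', 'external_ip', 'hostname'; return the first failing layer."""
    up = [a for a in parse_ipconfig(ipconfig_text).values()
          if a.get("IP Address") and a.get("Default Gateway")]
    if not up:
        return "address"  # no IP or gateway: driver, cable or DHCP
    if classify_ping(pings["gateway"]) != "reply":
        return "link"     # gateway silent: NIC or LAN
    if classify_ping(pings["external_ip"]) != "reply":
        return "wan"      # gateway answers, Internet does not: router or circuit
    name = classify_ping(pings["hostname"])
    if name == "resolve":
        return "dns"      # raw IP works, names do not: DNS server or resolver
    return "host" if name != "reply" else "app"  # 'app': network fine, look at proxy/Winsock/browser
```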
 

Author Comment

by:sp0tta
Hi

A repair install got it back online, sort of: the homepage would load, but trying to go anywhere else would result in another blank IE window.
I wiped and reinstalled completely after backing up files, and all was well again.

S.
 

Author Closing Comment

by:sp0tta
points split between both contributors.
 

Author Comment

by:sp0tta
points split between both contributors.

S.