• Status: Solved

Access to Antivirus/Spyware Sites Blocked

I've removed a load of spyware infections from a friend's PC and, while it seems to be running fine in most respects and I can reach most websites, I can't access certain well-known AV and anti-spyware sites.

I know this is a common thing for some spyware to do, but I have run endless checks with SUPERAntiSpyware (updated from a manual download on another PC), Spybot (which, uniquely, does update OK), AVG, Malwarebytes, HijackThis, ComboFix, SmitfraudFix and VundoFix. I can't find any more infections and have also checked the HOSTS file for any entries. There don't seem to be any of these sites added in the Restricted Sites area of IE. Firefox is also installed and is also blocked from the same sites...

I have run all these utilities in every user account.

I have also used LSPFIX and found nothing odd and reset the network settings with WinsockFix.

This is a machine running XP Home with SP2.

Any ideas where I can start looking for an answer?

dc
Asked by: alfaro

2 Solutions
 
David-HowardCommented:
Good troubleshooting so far. Really nice.
Did you disable System Restore and then run your scans in Safe Mode?
Directions for disabling System Restore can be found here:
http://support.microsoft.com/kb/310405
Have you by chance run SFC SCANNOW or a Repair?
I offer that vice rebuilding the TCP/IP stack.
Both require your OS CD.
SFC SCANNOW
http://www.updatexp.com/scannow-sfc.html
XP Repair:
http://www.michaelstevenstech.com/XPrepairinstall.htm
There is also a trusted and free utility that shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys.
AutoRuns for Windows:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
 
alfaroAuthor Commented:
I'll work through those suggestions when I get back to work. Currently I am enjoying a cruise to Denmark in first class...

Somebody's got to do it..

dc
 
David-HowardCommented:
lol...well okay then. Rough life.....:-)
 
alfaroAuthor Commented:
but not a rough sea.. And free booze included (and free wireless internet obviously)..

About rebuilding the TCP/IP stack: would that be necessary if the internet is accessible apart from well-known antivirus and anti-spyware sites and updates from such sites?

dc
 
DooflegnaCommented:
Sounds like you have a NPnP (Non-Plug and Play) driver-level hijack.

1. Open up Device Manager.
2. View -> Show Hidden Devices
3. Expand Non-Plug and Play Drivers
4. Look for any Non-Plug and Play Drivers named clbdriver, seneka, or tdss***. If you see any, right click and disable.
5. Reboot to Safe Mode.
6. Open up Device Manager, View -> Show Hidden Devices
7. Uninstall those previously disabled drivers.
8. Reboot to Safe Mode w/ Networking and test. Do you still have address redirects? If so, please come back and post a screenshot / list of your Non-Plug and Play Drivers for analysis.
 
rpggamergirlCommented:
Since you've already run ComboFix, can you attach the log file? There might still be some bad files that aren't removed during its first run.
 
alfaroAuthor Commented:
Right, I'm back from my little cruise.. I have run ComboFix and attached a code. I have had a look at the Non-P&P drivers and couldn't see anything odd there. I can attach a screenshot later if that would help.

DC
log.txt
 
alfaroAuthor Commented:
I don't believe it... I have run ComboFix one more time after the latest update of it and it seems to have fixed the problem... Please have a look at the file to see if there is anything else still lurking there, but the blocking of the AV and anti-spyware sites is fixed...

dc
 
rpggamergirlCommented:
Hi,

You need to disable your antivirus shield while running ComboFix.
How to disable AVG's Resident Shield:
Right click the AVG icon and click Open.
In the Overview panel click on Resident Shield > Uncheck the Resident Shield Active box > Save Changes

There are still some leftover files, folders and reg entries from a Lop infection and SDBot (3 of the files there probably no longer exist, as CF put a question mark on them, but I've included them in the script just in case they are still there).

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\zjgadm.dll
c:\windows\system\svhost.exe
c:\windows\system32\jajigougi.exe
c:\windows\system32\hilolo.exe
c:\windows\Tasks\A060A6EE918B21D6.job

Folder::
c:\documents and settings\pat\Application Data\funk slow part
c:\documents and settings\neil\Application Data\funk slow part

Driver::
brgltpk
quwjsjesi
iiimh0uieidii1
oa7ixnzqao5
WindowsTelephony

RegLock::
[HKEY_LOCAL_MACHINE\software\Fun Web Products]

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsTelephony]
[-HKEY_LOCAL_MACHINE\software\Fun Web Products]
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as ComboFix.exe --> E:\ComboFix.exe
4. Then drag the CFScript.txt onto ComboFix.exe. This will start ComboFix again.

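Before dragging a CFScript like the one above onto ComboFix, it is worth reading exactly what it will remove. The following is an added example, not part of this thread and not ComboFix's own code: a small Python parser for the script's File::/Folder::/Driver::/RegLock::/Registry:: sections that rejects malformed input and counts what the script would delete, run over a trimmed, constructed copy of the script posted above.

```python
import re

# Constructed sample: a trimmed copy of the CFScript posted in the thread.
SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\zjgadm.dll
c:\windows\Tasks\A060A6EE918B21D6.job
Folder::
c:\documents and settings\pat\Application Data\funk slow part
Driver::
brgltpk
WindowsTelephony
RegLock::
[HKEY_LOCAL_MACHINE\software\Fun Web Products]
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsTelephony]
[-HKEY_LOCAL_MACHINE\software\Fun Web Products]
"""

# Section names used in the thread's script; any other header is rejected.
KNOWN_SECTIONS = {"File", "Folder", "Driver", "RegLock", "Registry"}
HEADER_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return {section: [entries]} in script order; raise on malformed input."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines carry no entries
        match = HEADER_RE.match(line)
        if match:
            name = match.group(1)
            if name not in KNOWN_SECTIONS:
                raise ValueError("unknown CFScript section: " + name)
            current = sections.setdefault(name, [])
        elif current is None:
            raise ValueError("entry before any section header: " + line)
        else:
            current.append(line)
    return sections


def summarize(sections):
    """Count what the script would touch, for review before running it."""
    counts = {name: len(entries) for name, entries in sections.items()}
    # A leading "-" inside the brackets marks a Registry:: key for deletion.
    counts["DeletedKeys"] = sum(1 for k in sections.get("Registry", []) if k.startswith("[-"))
    return counts
```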
 
alfaroAuthor Commented:
Here is the new log after I added your text..

dc
log.txt
 
rpggamergirlCommented:
c:\windows\system32\zjgadm.dll <-- be honest with me please, did you take this file out of the script thinking it was legit because of the date 2007? If so, then you thought wrong.
If you didn't take it out of the script then we still have a problem here, because the file is still there; it seems to have respawned somehow.


And these ones below: trust me, these are Lop jobs! I know them when I see them. I've never mistaken Lop jobs before. If you remove them they won't come back, because their folders are already gone.
Though they are harmless now, wouldn't you rather remove them than leave them there?
2009-02-23 c:\windows\Tasks\A060A6EE918B21D6.job
- c:\docume~1\neil\applic~1\funksl~1\exitsurfoption.exe []
2009-02-23 c:\windows\Tasks\A78C925A93C73E4E.job
- c:\docume~1\pat\applic~1\funksl~1\exitsurfoption.exe []
 
alfaroAuthor Commented:
zjgadm.dll seems to have gone for good now. I've removed the other entries relating to Lop infections and everything seems fine now.
The pc has been returned to its owner who is more than happy.. Thanks for the help..

dc
 
alfaroAuthor Commented:
Excellent help received...
 
rpggamergirlCommented:
No problem.
Good to know that the issue has been resolved.
Thanks for the points.
