Solved

Virus, Malware removed, Lost Internet Connection

Posted on 2009-05-02
11
836 Views
Last Modified: 2013-12-09
Had Vundo and a few other nasties on a friend's computer. Removed what I could.
Safe mode will connect to the net. Logging in normally will not. Also, even though I can't get any web pages in Firefox or IE, I can ping addresses; DNS is working.

Below is a current HJT log.
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:00:03 AM, on 5/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\ReNamedHijackThis.exe
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by110w.bay110.mail.live.com/mail/InboxLight.aspx?n=455197355

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [kirinuhapa] Rundll32.exe "C:\WINDOWS\system32\jokobepo.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\batokawi.dll lnblha.dll beyodo.dll mbhvtb.dll c:\windows\system32\rafobeha.dll ablzki.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
 

--

End of file - 6999 bytes

Question by:mrchaos101
11 Comments
 
LVL 15

Expert Comment

by:xmachine
ID: 24288903
Hi,

1) Unknown files: if you don't recognize them or need them, back up the files, then delete them and see if you are able to browse:

O4 - HKUS\S-1-5-19\..\Run: [kirinuhapa] Rundll32.exe "C:\WINDOWS\system32\jokobepo.dll",s (User 'LOCAL SERVICE')


O20 - AppInit_DLLs: C:\WINDOWS\system32\batokawi.dll lnblha.dll beyodo.dll mbhvtb.dll c:\windows\system32\rafobeha.dll ablzki.dll


2) Start Windows in Safe Mode, then start a full virus scan.

3) Download and run CCleaner (www.ccleaner.com/download).

A Symantec Certified Specialist @ your service
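The two entries xmachine singles out above are the kind of thing a log triage script can pick out mechanically. The following is an added example, not code from any participant in this thread and not part of HijackThis: it scans O4 and O20 lines, flags any non-empty AppInit_DLLs value (the value is empty on a clean Windows XP install, and every DLL listed in it is loaded into each process that links user32.dll) and flags rundll32 Run entries that load a DLL with a pseudo-random name. The consonant/vowel-alternation name heuristic, the severity labels and the sample lines (constructed, modelled on the posted log) are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on lines quoted in the posted HijackThis log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [kirinuhapa] Rundll32.exe "C:\WINDOWS\system32\jokobepo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\batokawi.dll lnblha.dll beyodo.dll mbhvtb.dll c:\windows\system32\rafobeha.dll ablzki.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
DLL_RE = re.compile(r'"?([^"\s]+\.dll)"?', re.IGNORECASE)
SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")  # LOCAL SERVICE, NETWORK SERVICE
VOWELS = set("aeiou")


def basename(path: str) -> str:
    """Last component of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def looks_generated(name: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): Vundo-era droppers used
    pronounceable random names that strictly alternate consonant and vowel,
    e.g. jokobepo, batokawi, rafobeha. Real product names rarely do for 6+ letters."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def triage(hjt_text: str) -> List[Dict]:
    """Return one finding per suspicious O4/O20 line."""
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            dlls = m.group("dlls").split()
            findings.append({
                "item": "O20", "severity": "HIGH", "line": line, "dlls": dlls,
                "generated_names": [basename(d) for d in dlls if looks_generated(basename(d))],
                "reason": "AppInit_DLLs is empty on a clean XP install; each DLL listed is "
                          "loaded into every process that links user32.dll",
            })
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.group("hive", "name", "cmd")
        reasons = []
        dll = DLL_RE.search(cmd)
        if "rundll32" in cmd.lower() and dll and looks_generated(basename(dll.group(1))):
            reasons.append("rundll32 loads a DLL with a machine-generated-looking name")
        if looks_generated(name):
            reasons.append("Run value name looks machine-generated")
        if reasons and any(sid in hive for sid in SERVICE_ACCOUNT_SIDS):
            reasons.append("entry lives under a service-account hive, which rarely has Run values")
        if reasons:
            findings.append({"item": "O4", "severity": "HIGH", "line": line,
                             "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f["severity"], f["item"], f.get("name", ""), f.get("reasons") or f["reason"])
```

Run against the sample it reports exactly the two lines xmachine lists: the kirinuhapa Run value and the six-DLL AppInit_DLLs string, with the alternating-letter names (batokawi, beyodo, rafobeha) called out; the AVG and ctfmon entries pass. Names like lnblha or mbhvtb are not pronounceable and slip past the name heuristic, which is why a non-empty AppInit_DLLs is flagged as a whole rather than per name.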
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24289059
Infection is still showing in the log. Using another PC, download MBAM and ComboFix onto a USB stick and run them. Show us the ComboFix log so we can check to make sure it's clean.
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php


If you can't access the above link then use this link and rename the file before saving to your desktop.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button



Please download ComboFix by sUBs (rename it while still on the other PC if it won't run at first try):
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
 
LVL 1

Author Comment

by:mrchaos101
ID: 24290626
Here is the ComboFix log.

I did not remove the entries in HJT yet, from the first post that is.

ComboFix 09-05-02.4 - Sue Binder 05/03/2009 11:28.1 - NTFSx86

Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.75 [GMT -6:00]

Running from: c:\documents and settings\Sue Binder\Desktop\ReNamedComboFix.exe

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

AV: Norton Internet Security *On-access scanning disabled* (Outdated)

FW: Norton Internet Security *disabled*
 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

c:\windows\system32\agukapig.ini

c:\windows\system32\alagulom.ini

c:\windows\system32\aromisuk.ini

c:\windows\system32\avoputiy.ini

c:\windows\system32\bszip.dll

c:\windows\system32\ekokanuz.ini

c:\windows\system32\enamilub.ini

c:\windows\system32\ifojumum.ini

c:\windows\system32\ilagakir.ini

c:\windows\system32\odofilud.ini

c:\windows\system32\ozozowuz.ini

c:\windows\system32\ugavomow.ini

c:\windows\system32\uvupufif.ini
 

.

(((((((((((((((((((((((((   Files Created from 2009-04-03 to 2009-05-03  )))))))))))))))))))))))))))))))

.
 

2009-05-03 05:58 . 2009-05-03 05:57	396288	----a-w	C:\ReNamedHijackThis.exe

2009-05-03 05:57 . 2009-05-03 05:57	--------	d-----w	c:\program files\Trend Micro

2009-05-03 05:53 . 2009-05-03 05:53	--------	d-----w	c:\documents and settings\Test\Application Data\U3

2009-05-03 05:51 . 2009-05-03 05:51	--------	d-----w	c:\documents and settings\Test\Local Settings\Application Data\Mozilla

2009-05-03 05:50 . 2009-05-03 05:52	--------	d-----w	c:\documents and settings\Test\Application Data\AVG7

2009-05-03 04:36 . 2004-08-04 10:00	31232	-c--a-w	c:\windows\system32\dllcache\weitekp9.sys

2009-05-03 04:36 . 2004-08-04 10:00	41600	-c--a-w	c:\windows\system32\dllcache\weitekp9.dll

2009-05-03 04:36 . 2004-08-04 10:00	48256	-c--a-w	c:\windows\system32\dllcache\w32.dll

2009-05-03 04:36 . 2004-08-04 10:00	86073	-c--a-w	c:\windows\system32\dllcache\voicesub.dll

2009-05-03 04:36 . 2004-08-04 10:00	426041	-c--a-w	c:\windows\system32\dllcache\voicepad.dll

2009-05-03 04:34 . 2001-08-18 04:36	23040	-c--a-w	c:\windows\system32\dllcache\EXCH_regtrace.exe

2009-05-03 04:33 . 2004-08-04 10:00	98304	-c--a-w	c:\windows\system32\dllcache\msir3jp.dll

2009-05-03 04:32 . 2004-08-04 10:00	7680	-c--a-w	c:\windows\system32\dllcache\kbdnecnt.dll

2009-05-03 04:31 . 2004-08-04 10:00	36864	-c--a-w	c:\windows\system32\dllcache\hanjadic.dll

2009-05-03 04:30 . 2004-08-04 10:00	18944	-c--a-w	c:\windows\system32\dllcache\cprofile.exe

2009-05-03 04:29 . 2004-08-04 10:00	331264	-c--a-w	c:\windows\system32\dllcache\aqueue.dll

2009-05-03 04:29 . 2001-08-18 04:36	45056	-c--a-w	c:\windows\system32\dllcache\EXCH_aqadmin.dll

2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0804.dll

2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0412.dll

2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0411.dll

2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt040d.dll

2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0404.dll

2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0401.dll

2009-05-03 04:29 . 2001-08-18 04:36	5632	-c--a-w	c:\windows\system32\dllcache\EXCH_adsiisex.dll

2009-05-03 04:21 . 2004-08-04 10:00	16384	-c--a-w	c:\windows\system32\dllcache\isignup.exe

2009-05-03 04:21 . 2004-08-04 10:00	32768	-c--a-w	c:\windows\system32\dllcache\icwdl.dll

2009-05-03 04:21 . 2004-08-04 10:00	20480	-c--a-w	c:\windows\system32\dllcache\inetwiz.exe

2009-05-03 04:21 . 2004-08-04 10:00	86016	-c--a-w	c:\windows\system32\dllcache\icwconn2.exe

2009-05-03 04:21 . 2004-08-04 10:00	214528	-c--a-w	c:\windows\system32\dllcache\icwconn1.exe

2009-05-03 03:50 . 2009-05-03 04:42	--------	d-----w	c:\windows\LastGood

2009-05-03 03:50 . 2004-08-04 10:00	13312	-c--a-w	c:\windows\system32\dllcache\irclass.dll

2009-05-03 03:50 . 2004-08-04 10:00	13312	----a-w	c:\windows\system32\irclass.dll

2009-05-03 03:50 . 2004-08-04 10:00	24661	-c--a-w	c:\windows\system32\dllcache\spxcoins.dll

2009-05-03 03:50 . 2004-08-04 10:00	24661	----a-w	c:\windows\system32\spxcoins.dll

2009-05-03 01:19 . 2009-05-03 01:19	--------	d-----w	c:\documents and settings\Sue Binder\Application Data\Malwarebytes

2009-05-02 23:49 . 2009-05-02 23:48	102664	----a-w	c:\windows\system32\drivers\tmcomm.sys

2009-05-02 23:35 . 2009-05-03 00:53	--------	d-----w	c:\documents and settings\Administrator\.housecall6.6

2009-05-02 22:36 . 2009-05-02 22:36	--------	d-----w	c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-02 22:36 . 2009-04-06 21:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys

2009-05-02 22:36 . 2009-04-06 21:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-02 22:36 . 2009-05-02 22:36	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-02 22:36 . 2009-05-02 22:36	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware

2009-05-02 22:31 . 2009-05-02 22:33	--------	d-----w	c:\documents and settings\Administrator\Application Data\AVG7

2009-05-02 22:31 . 2009-05-02 22:31	--------	d-----w	c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-05-02 21:39 . 2009-05-02 21:39	--------	d-----w	c:\windows\dell
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-03 17:36 . 2004-08-10 18:08	6	---ha-w	c:\windows\Tasks\SA.DAT

2009-05-03 14:54 . 2005-08-02 22:32	374	----a-w	c:\windows\Tasks\Symantec NetDetect.job

2009-05-03 04:24 . 2004-08-10 17:50	67	--sha-w	c:\windows\Fonts\desktop.ini

2009-05-03 04:19 . 2004-08-10 18:02	23444	----a-w	c:\windows\system32\emptyregdb.dat

2009-03-25 23:35 . 2005-08-08 19:31	--------	d-----w	c:\program files\Dl_cats

2009-03-21 02:17 . 2005-08-08 19:22	558	----a-w	c:\windows\Tasks\Norton AntiVirus - Scan my computer - Sue Binder.job

.
 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-11 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]

"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-23 339968]
 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-09 219136]
 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave"= serwvdrv.dll
 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
 

[HKLM\~\startupfolder\C:^Documents and Settings^Sue Binder^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\Sue Binder\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Symantec Core LC"=2 (0x2)

"SPBBCSvc"=3 (0x3)

"SNDSrvc"=2 (0x2)

"SBService"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccPwdSvc"=3 (0x3)

"ccProxy"=2 (0x2)

"ccEvtMgr"=2 (0x2)
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=
 

--- Other Services/Drivers In Memory ---
 

*Deregistered* - AFD

*Deregistered* - ALG

*Deregistered* - ASCTRM

*Deregistered* - Ati HotKey Poller

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - Automatic LiveUpdate Scheduler

*Deregistered* - Avg7Alrt

*Deregistered* - Avg7Core

*Deregistered* - Avg7RsW

*Deregistered* - Avg7RsXP

*Deregistered* - Avg7UpdSvc

*Deregistered* - AvgClean

*Deregistered* - Beep

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - drvnddm

*Deregistered* - dsunidrv

*Deregistered* - eeCtrl

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fastfat

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - Fax

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - HidServ

*Deregistered* - HTTP

*Deregistered* - i2omgmt

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - ISSVC

*Deregistered* - Kbdclass

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LiveUpdate

*Deregistered* - LmHosts

*Deregistered* - MDM

*Deregistered* - mnmdd

*Deregistered* - Mouclass

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - navapsvc

*Deregistered* - NAVENG

*Deregistered* - NAVEX15

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - omci

*Deregistered* - PartMgr

*Deregistered* - PolicyAgent

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - RetroExp Helper

*Deregistered* - RetroExpLauncher

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - SAVRT

*Deregistered* - SAVRTPEL

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - Spooler

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - ssrtln

*Deregistered* - stisvc

*Deregistered* - swenum

*Deregistered* - SYMDNS

*Deregistered* - SymEvent

*Deregistered* - SYMFW

*Deregistered* - SYMIDS

*Deregistered* - SYMIDSCO

*Deregistered* - symlcbrd

*Deregistered* - SYMNDIS

*Deregistered* - SYMREDRV

*Deregistered* - SYMTDI

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermService

*Deregistered* - tfsnboio

*Deregistered* - tfsncofs

*Deregistered* - tfsndrct

*Deregistered* - tfsndres

*Deregistered* - tfsnifs

*Deregistered* - tfsnopio

*Deregistered* - tfsnpool

*Deregistered* - tfsnudf

*Deregistered* - tfsnudfa

*Deregistered* - Themes

*Deregistered* - tmcomm

*Deregistered* - TrkWks

*Deregistered* - Update

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - w32time

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WZCSVC
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

\Shell\AutoRun\command - I:\LaunchU3.exe -a
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44dbfca2-960d-11dc-980c-001a70ac7f20}]

\Shell\AutoRun\command - I:\Imageviewer.exe
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{733f54a7-acef-11dc-9810-001a70ac7f20}]

\Shell\AutoRun\command - I:\Imageviewer.exe

.

Contents of the 'Scheduled Tasks' folder
 

2009-03-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Sue Binder.job

- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-03-15 21:47]

.

- - - - ORPHANS REMOVED - - - -
 

SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
 
 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://by110w.bay110.mail.live.com/mail/InboxLight.aspx?n=455197355

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Sue Binder\Application Data\Mozilla\Firefox\Profiles\oo48gn3p.default\

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.
 

**************************************************************************
 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-03 11:39

Windows 5.1.2600 Service Pack 2 NTFS
 

scanning hidden processes ...  
 

scanning hidden autostart entries ... 
 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
 

scanning hidden files ...  
 

scan completed successfully

hidden files: 0
 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------
 

- - - - - - - > 'explorer.exe'(1160)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\progra~1\Grisoft\AVG7\avgamsvr.exe

c:\progra~1\Grisoft\AVG7\avgupsvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE

c:\progra~1\Dantz\RETROS~1\retrorun.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

.

**************************************************************************

.

Completion time: 2009-05-03 11:45 - machine was rebooted

ComboFix-quarantined-files.txt  2009-05-03 17:45
 

Pre-Run: 63,126,392,832 bytes free

Post-Run: 64,147,849,216 bytes free
 

335	--- E O F ---	2009-03-16 09:03

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24295279
ComboFix has deleted a lot of bad files.
Run HijackThis again and we'll see what entries are left to be fixed.
 
LVL 1

Author Comment

by:mrchaos101
ID: 24300122
Here is the new HJT log file.

ALSO, there is still no connection to the internet after ComboFix.
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:52:17 PM, on 5/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\WINDOWS\explorer.exe

C:\ReNamedHijackThis.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by110w.bay110.mail.live.com/mail/InboxLight.aspx?n=455197355

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
 

--

End of file - 6724 bytes

LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 24311210
There are no malicious entries showing in your Hijackthis log.
The log shows that you have 2 antivirus products installed (AVG and Norton). You only need one resident antivirus; having 2 will not double your protection, quite the opposite, as they conflict with each other and also result in less effective protection.

So you need to uninstall one of them.
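An added example, not part of the thread and not HijackThis code: a small Python triage script that parses O23 (service) lines in the format the log above uses and reports the two things the accepted answer was read from, namely more than one resident antivirus vendor and services listed with an unknown owner. The vendor keyword table and the sample lines are constructed for the example and only cover the products visible on this page.

```python
"""Triage helpers for HijackThis-style O23 service lines.

Added example (not from the thread).  Parses 'O23 - Service:' entries and
flags (a) more than one resident antivirus family and (b) services whose
owner HijackThis could not identify.  The sample log is a constructed
excerpt shaped like the log posted in the question.
"""
import sys
from collections import defaultdict

# Constructed sample: O23 lines in the same format as the posted log.
SAMPLE_LOG = """\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\SAVScan.exe
"""

# Vendor substrings (as HijackThis prints them) mapped to a product family.
# Assumption: this table only needs to cover the products seen on the page.
AV_VENDORS = {
    "grisoft": "AVG",
    "symantec": "Norton/Symantec",
    "mcafee": "McAfee",
    "kaspersky": "Kaspersky",
}

O23_PREFIX = "O23 - Service: "


def parse_o23(line):
    """Return (name, vendor, path) for an O23 line, or None for any other line.

    Vendor and path are split off from the right, so a service name that
    itself contains ' - ' does not break the parse.
    """
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    head, vendor, path = line.rsplit(" - ", 2)
    return head[len(O23_PREFIX):], vendor, path


def parse_services(log_text):
    """All O23 entries in a log, in file order."""
    return [e for e in (parse_o23(l) for l in log_text.splitlines()) if e]


def av_products(services):
    """Resident AV families found, keyed family -> list of service names."""
    found = defaultdict(list)
    for name, vendor, _path in services:
        v = vendor.lower()
        for key, family in AV_VENDORS.items():
            if key in v:
                found[family].append(name)
    return dict(found)


def unknown_owner(services):
    """Service names HijackThis reported as 'Unknown owner' (worth a look)."""
    return [name for name, vendor, _path in services if vendor == "Unknown owner"]


def triage(log_text):
    services = parse_services(log_text)
    avs = av_products(services)
    return {
        "av_products": avs,
        "av_conflict": len(avs) > 1,   # two resident scanners fight each other
        "unknown_owner": unknown_owner(services),
    }


if __name__ == "__main__":
    # Pass a saved HijackThis log as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = triage(text)
    for family, names in report["av_products"].items():
        print(f"{family}: {', '.join(names)}")
    if report["av_conflict"]:
        print("WARNING: more than one resident antivirus; uninstall all but one.")
    for name in report["unknown_owner"]:
        print(f"Review: service '{name}' has no recognised owner")
```

Only O23 lines are counted so that on-demand web scanners such as the Trend Micro HouseCall O16 entry in the log are not mistaken for a resident product.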
 
LVL 1

Author Comment

by:mrchaos101
ID: 24311561
Any idea on why there is no internet connection still?
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 500 total points
ID: 24311719
No connection still?
Have you uninstalled one of your antivirus and which one?

Have you also tried using the WinsockFix tool:
http://www.softpedia.com/progDownload/WinSockFix-Download-15337.html

OR, the netsh winsock reset catalog command from this link:
http://windowsxp.mvps.org/winsock.htm
 
LVL 4

Expert Comment

by:BGTSLLC
ID: 24489160
Download Dial A Fix to verify the winsock issue.

Also, I would do the following:

1. Start - Run - type CMD.
Ping www.yahoo.com
What are the results?

Sometimes spyware hijacks DNS, and if you can ping it but not get to it, uninstall IE first [or you may have to uninstall SP3, then IE 7], then reinstall SP3 first, then IE, and that will take care of it as well.
 
LVL 3

Expert Comment

by:eSouth
ID: 26568271
If you still do not have Internet, there are only 2 things I've seen cause that in the past:

FOR ALL PCS: It is possible the virus broke the Layered Service Provider. It is fairly common that this gets broken. CEXX has the most popular repair tool:

http://cexx.org/lspfix.htm

FOR PCS WITH NORTON/SYMANTEC INSTALLED: It is possible that the firewall component has become corrupted and is blocking Internet access. This can happen whether or not you've ever used the Norton firewall. Even disabling or uninstalling the software will not necessarily correct this problem. Download the Norton Removal Tool:

http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
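An added example for the Winsock/LSP point made here and in rpggamergirl's `netsh winsock reset catalog` suggestion (my code, not from the thread or from the tools linked above). Before resetting, dump the catalog on the affected machine with `netsh winsock show catalog > catalog.txt` and run this over the file. It flags a layered provider whose DLL is no longer on disk (the usual cause of "ping works, browsers don't" after a cleanup: the malware's LSP DLL was deleted but its catalog entry stayed, so every TCP socket fails while ping, which does not go through the layered TCP provider, still succeeds), layered providers living outside system32 (worth a look, though some legitimate products install there), and chain entries that reference catalog IDs that no longer exist. The field names are assumed from the netsh output format, the sample dump and the list of "present" files are constructed, and the file check is injected so the example runs anywhere.

```python
"""Sanity-check a dumped Winsock catalog for broken or foreign LSPs.

Added example, not from the thread.  Input is the text printed by
`netsh winsock show catalog`; the key names below are an assumption about
that format, so adjust them if your dump labels fields differently.
"""
import os
import re
import sys

# Constructed sample dump: a base provider, a third-party LSP in Program
# Files, and a chain entry whose DLL was deleted during cleanup and which
# still points at catalog entry 1010, which is gone.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Vendor Filter
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\Program Files\\Example\\vfilter.dll
Catalog Entry ID:                   1012
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\\WINDOWS\\system32\\exlsp.dll
Catalog Entry ID:                   1011
Protocol Chain Length:              2
Protocol Chain:                     1010 : 1001
"""

# Constructed view of the disk for the sample: exlsp.dll has been removed.
PRESENT_FILES = {
    r"c:\windows\system32\mswsock.dll",
    r"c:\program files\example\vfilter.dll",
}


def parse_catalog(text):
    """Split the dump into entries, each a dict of field name -> value."""
    entries = []
    for block in re.split(r"^Winsock Catalog Provider Entry\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z ]+?):\s+(.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Catalog Entry ID" in fields:
            entries.append(fields)
    return entries


def normalise_path(p, system_root=r"C:\WINDOWS"):
    """Expand %SystemRoot% and lower-case (Windows paths are case-insensitive)."""
    return p.replace("%SystemRoot%", system_root).lower()


def check_catalog(text, present_files, system_root=r"C:\WINDOWS"):
    """Return a list of (catalog_id, problem) for layered entries and chains.

    present_files: set of lower-cased full paths known to exist on the box.
    """
    entries = parse_catalog(text)
    ids = {e["Catalog Entry ID"] for e in entries}
    system32 = normalise_path(r"%SystemRoot%\system32", system_root)
    problems = []
    for e in entries:
        cid = e["Catalog Entry ID"]
        path = normalise_path(e.get("Provider Path", ""), system_root)
        if "Layered" in e.get("Entry Type", ""):
            if path not in present_files:
                problems.append((cid, f"LSP DLL missing: {path}"))
            if not path.startswith(system32):
                problems.append((cid, f"LSP DLL outside system32: {path}"))
        chain = e.get("Protocol Chain")
        if chain:
            for ref in (x.strip() for x in chain.split(":")):
                if ref not in ids:
                    problems.append((cid, f"chain references missing catalog entry {ref}"))
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real dump: check the actual filesystem for each provider DLL.
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
        present = {normalise_path(e.get("Provider Path", "")) for e in parse_catalog(text)
                   if os.path.exists(normalise_path(e.get("Provider Path", "")))}
    else:
        text, present = SAMPLE_CATALOG, PRESENT_FILES
    for cid, problem in check_catalog(text, present):
        print(f"entry {cid}: {problem}")
```

If a missing DLL or a dangling chain reference shows up, that is the case `netsh winsock reset catalog` (or LSP-Fix) is meant for; a provider in an unexpected directory whose file does exist deserves a look at the vendor and signature before anything is removed.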
