Solved

Virus, Malware removed, Lost Internet Connection

Posted on 2009-05-02
11
848 Views
Last Modified: 2013-12-09
Had Vundo and a few other nasties on a firends computer.  Remvoed what I could.
Safe mode will connect to the net. Logging in normal will not.  Also, even though I cant get any web pages on FireFox or IE, I can ping addresses.. DNS is working.

Below is a curent HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:03 AM, on 5/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ReNamedHijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by110w.bay110.mail.live.com/mail/InboxLight.aspx?n=455197355
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [kirinuhapa] Rundll32.exe "C:\WINDOWS\system32\jokobepo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\batokawi.dll lnblha.dll beyodo.dll mbhvtb.dll c:\windows\system32\rafobeha.dll ablzki.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
 
--
End of file - 6999 bytes

Open in new window

0
Comment
Question by:mrchaos101
11 Comments
 
LVL 15

Expert Comment

by:xmachine
ID: 24288903
Hi,

1) Unkown Files: If you don't recognize them or need them. Backup up the files then delete them and see if you are able to browse:

O4 - HKUS\S-1-5-19\..\Run: [kirinuhapa] Rundll32.exe "C:\WINDOWS\system32\jokobepo.dll",s (User 'LOCAL SERVICE')


O20 - AppInit_DLLs: C:\WINDOWS\system32\batokawi.dll lnblha.dll beyodo.dll mbhvtb.dll c:\windows\system32\rafobeha.dll ablzki.dll


2) Start Windows in Safe mode then start a full virus scan

3) Download and run CCleaner (www.ccleaner.com/download)

A Symantec Certified Specialist @ your service
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24289059
Infeciton is still showing in the log, using anosther pc download into a USB stick and run MBAM and Combofix. Show us the combofix log so we can check to make sure it's clean.
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php


If you can't access the above link then use this link and rename the file before saving to your desktop.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button



Please download ComboFix by sUBs:(rename while still in another pc if it won't run at first try)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 
 
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 24290626
Here is the combo fix log.

I did not remove the entries in HJT yet....from the first post that is.

ComboFix 09-05-02.4 - Sue Binder 05/03/2009 11:28.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.75 [GMT -6:00]
Running from: c:\documents and settings\Sue Binder\Desktop\ReNamedComboFix.exe
AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\system32\agukapig.ini
c:\windows\system32\alagulom.ini
c:\windows\system32\aromisuk.ini
c:\windows\system32\avoputiy.ini
c:\windows\system32\bszip.dll
c:\windows\system32\ekokanuz.ini
c:\windows\system32\enamilub.ini
c:\windows\system32\ifojumum.ini
c:\windows\system32\ilagakir.ini
c:\windows\system32\odofilud.ini
c:\windows\system32\ozozowuz.ini
c:\windows\system32\ugavomow.ini
c:\windows\system32\uvupufif.ini
 
.
(((((((((((((((((((((((((   Files Created from 2009-04-03 to 2009-05-03  )))))))))))))))))))))))))))))))
.
 
2009-05-03 05:58 . 2009-05-03 05:57	396288	----a-w	C:\ReNamedHijackThis.exe
2009-05-03 05:57 . 2009-05-03 05:57	--------	d-----w	c:\program files\Trend Micro
2009-05-03 05:53 . 2009-05-03 05:53	--------	d-----w	c:\documents and settings\Test\Application Data\U3
2009-05-03 05:51 . 2009-05-03 05:51	--------	d-----w	c:\documents and settings\Test\Local Settings\Application Data\Mozilla
2009-05-03 05:50 . 2009-05-03 05:52	--------	d-----w	c:\documents and settings\Test\Application Data\AVG7
2009-05-03 04:36 . 2004-08-04 10:00	31232	-c--a-w	c:\windows\system32\dllcache\weitekp9.sys
2009-05-03 04:36 . 2004-08-04 10:00	41600	-c--a-w	c:\windows\system32\dllcache\weitekp9.dll
2009-05-03 04:36 . 2004-08-04 10:00	48256	-c--a-w	c:\windows\system32\dllcache\w32.dll
2009-05-03 04:36 . 2004-08-04 10:00	86073	-c--a-w	c:\windows\system32\dllcache\voicesub.dll
2009-05-03 04:36 . 2004-08-04 10:00	426041	-c--a-w	c:\windows\system32\dllcache\voicepad.dll
2009-05-03 04:34 . 2001-08-18 04:36	23040	-c--a-w	c:\windows\system32\dllcache\EXCH_regtrace.exe
2009-05-03 04:33 . 2004-08-04 10:00	98304	-c--a-w	c:\windows\system32\dllcache\msir3jp.dll
2009-05-03 04:32 . 2004-08-04 10:00	7680	-c--a-w	c:\windows\system32\dllcache\kbdnecnt.dll
2009-05-03 04:31 . 2004-08-04 10:00	36864	-c--a-w	c:\windows\system32\dllcache\hanjadic.dll
2009-05-03 04:30 . 2004-08-04 10:00	18944	-c--a-w	c:\windows\system32\dllcache\cprofile.exe
2009-05-03 04:29 . 2004-08-04 10:00	331264	-c--a-w	c:\windows\system32\dllcache\aqueue.dll
2009-05-03 04:29 . 2001-08-18 04:36	45056	-c--a-w	c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0804.dll
2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0412.dll
2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0411.dll
2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt040d.dll
2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0404.dll
2009-05-03 04:29 . 2004-08-04 10:00	19456	-c--a-w	c:\windows\system32\dllcache\agt0401.dll
2009-05-03 04:29 . 2001-08-18 04:36	5632	-c--a-w	c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-05-03 04:21 . 2004-08-04 10:00	16384	-c--a-w	c:\windows\system32\dllcache\isignup.exe
2009-05-03 04:21 . 2004-08-04 10:00	32768	-c--a-w	c:\windows\system32\dllcache\icwdl.dll
2009-05-03 04:21 . 2004-08-04 10:00	20480	-c--a-w	c:\windows\system32\dllcache\inetwiz.exe
2009-05-03 04:21 . 2004-08-04 10:00	86016	-c--a-w	c:\windows\system32\dllcache\icwconn2.exe
2009-05-03 04:21 . 2004-08-04 10:00	214528	-c--a-w	c:\windows\system32\dllcache\icwconn1.exe
2009-05-03 03:50 . 2009-05-03 04:42	--------	d-----w	c:\windows\LastGood
2009-05-03 03:50 . 2004-08-04 10:00	13312	-c--a-w	c:\windows\system32\dllcache\irclass.dll
2009-05-03 03:50 . 2004-08-04 10:00	13312	----a-w	c:\windows\system32\irclass.dll
2009-05-03 03:50 . 2004-08-04 10:00	24661	-c--a-w	c:\windows\system32\dllcache\spxcoins.dll
2009-05-03 03:50 . 2004-08-04 10:00	24661	----a-w	c:\windows\system32\spxcoins.dll
2009-05-03 01:19 . 2009-05-03 01:19	--------	d-----w	c:\documents and settings\Sue Binder\Application Data\Malwarebytes
2009-05-02 23:49 . 2009-05-02 23:48	102664	----a-w	c:\windows\system32\drivers\tmcomm.sys
2009-05-02 23:35 . 2009-05-03 00:53	--------	d-----w	c:\documents and settings\Administrator\.housecall6.6
2009-05-02 22:36 . 2009-05-02 22:36	--------	d-----w	c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-02 22:36 . 2009-04-06 21:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-05-02 22:36 . 2009-04-06 21:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 22:36 . 2009-05-02 22:36	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 22:36 . 2009-05-02 22:36	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-05-02 22:31 . 2009-05-02 22:33	--------	d-----w	c:\documents and settings\Administrator\Application Data\AVG7
2009-05-02 22:31 . 2009-05-02 22:31	--------	d-----w	c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-02 21:39 . 2009-05-02 21:39	--------	d-----w	c:\windows\dell
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 17:36 . 2004-08-10 18:08	6	---ha-w	c:\windows\Tasks\SA.DAT
2009-05-03 14:54 . 2005-08-02 22:32	374	----a-w	c:\windows\Tasks\Symantec NetDetect.job
2009-05-03 04:24 . 2004-08-10 17:50	67	--sha-w	c:\windows\Fonts\desktop.ini
2009-05-03 04:19 . 2004-08-10 18:02	23444	----a-w	c:\windows\system32\emptyregdb.dat
2009-03-25 23:35 . 2005-08-08 19:31	--------	d-----w	c:\program files\Dl_cats
2009-03-21 02:17 . 2005-08-08 19:22	558	----a-w	c:\windows\Tasks\Norton AntiVirus - Scan my computer - Sue Binder.job
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-11 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-23 339968]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-09 219136]
 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^Sue Binder^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Sue Binder\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=
 
--- Other Services/Drivers In Memory ---
 
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - ASCTRM
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Automatic LiveUpdate Scheduler
*Deregistered* - Avg7Alrt
*Deregistered* - Avg7Core
*Deregistered* - Avg7RsW
*Deregistered* - Avg7RsXP
*Deregistered* - Avg7UpdSvc
*Deregistered* - AvgClean
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - drvnddm
*Deregistered* - dsunidrv
*Deregistered* - eeCtrl
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - ISSVC
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LiveUpdate
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - navapsvc
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RetroExp Helper
*Deregistered* - RetroExpLauncher
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - SYMDNS
*Deregistered* - SymEvent
*Deregistered* - SYMFW
*Deregistered* - SYMIDS
*Deregistered* - SYMIDSCO
*Deregistered* - symlcbrd
*Deregistered* - SYMNDIS
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - tmcomm
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44dbfca2-960d-11dc-980c-001a70ac7f20}]
\Shell\AutoRun\command - I:\Imageviewer.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{733f54a7-acef-11dc-9810-001a70ac7f20}]
\Shell\AutoRun\command - I:\Imageviewer.exe
.
Contents of the 'Scheduled Tasks' folder
 
2009-03-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Sue Binder.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-03-15 21:47]
.
- - - - ORPHANS REMOVED - - - -
 
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
 
 
.
------- Supplementary Scan -------
.
uStart Page = hxxp://by110w.bay110.mail.live.com/mail/InboxLight.aspx?n=455197355
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Sue Binder\Application Data\Mozilla\Firefox\Profiles\oo48gn3p.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 11:39
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'explorer.exe'(1160)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2009-05-03 11:45 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-03 17:45
 
Pre-Run: 63,126,392,832 bytes free
Post-Run: 64,147,849,216 bytes free
 
335	--- E O F ---	2009-03-16 09:03

Open in new window

0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24295279
Combofix had deleted a lot of bad files.
 Run Hijackthis again and we'll see what entries left to be fixed.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 24300122
Here is the new HJT log file.

ALSO,  there is still no connection to the internet after Combofix.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:17 PM, on 5/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\explorer.exe
C:\ReNamedHijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by110w.bay110.mail.live.com/mail/InboxLight.aspx?n=455197355
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
 
--
End of file - 6724 bytes

Open in new window

0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 24311210
There are no malicious entries showing in your Hijackthis log.
The log shows that you have 2 antivirus installed (AVG and Norton), you only need one resident antivirus, having 2 will not double your protection quite the opposite as they conflict with each other and also resulting inefficiency in protection.

So you need to uninstall one of them.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 24311561
Any idea on why there is no internet connection still?
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 500 total points
ID: 24311719
No connection still?
Have you uninstalled one of your antivirus and which one?

Have you also tried using WinsockFix tool:
http://www.softpedia.com/progDownload/WinSockFix-Download-15337.html 

OR, the netsh winsock reset catalog command from this link:
http://windowsxp.mvps.org/winsock.htm
0
 
LVL 4

Expert Comment

by:BGTSLLC
ID: 24489160
Download Dial A Fix to verify the winsock issue.

Also, I would do the following:

1. Start - Run - type CMD.
Ping www.yahoo.com
What are the results?

Sometimes Spyware jacks DNS and if you can ping it; but not get to it; uninstall IE first [or you may have to uninstall SP3 then IE 7] then reinstall SP3 first; then IE and that will take care of it as well.
0
 
LVL 3

Expert Comment

by:eSouth
ID: 26568271
If you still do not have Internet, there are only 2 things I've seen cause that in the past:

FOR ALL PCS: It is possible the virus broke the Layered Service Provider. It is fairly common that this get broken. CEXX has the most popular repair tool:

http://cexx.org/lspfix.htm

FOR PCS WITH NORTON/SYMANTIC INSTALLED: It is possible that the firewall component has become corrupted and is blocking Internet access. This can happen even if you've never used the Norton firewall or not. Even disabling or uninstalling the software will not necessarily correct this probelm. Download the Norton Removal Tool:

http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Any legit software/apps that uses the ransomware extensions 7 152
Regedit Register where from, why everyday need to clean them  ? 13 85
PCAnywhere 2 123
Is this virus ? 6 41
PREFACE The purpose of this guide is to explain what the SEPC Status Utility is and how it works. I have written the utility using AutoIt and have included the source code for your review. You are welcome to modify the code to your liking, but I wi…
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question