Port 80 is blocked. I have internet access except for port 80 connections
This is a fairly complicated story that I will not be able to entirely share with you right now (it would take too long). But I suspect a virus problem is at the root. I will be glad to fill you in as you have questions. I have conferred with my fellow IT Admins and they agree. They have made a number of recommendations which I have followed but my problem has not gone away. I am impressed with what I have seen with the experts on this site and finally am seeking expert help.
Note I am having to post this from another computer but have my laptop next to me.
Background: About 6 weeks ago I suddenly found that any attempt to reach a website via Firefox 3 failed. When I tried with IE7 a number of "linked to" urls were spawned and completely overtook IE such that only by turning off the computer completely was I able to stop this. I use Spybot and Adaware on occasion but now I downloaded a number of extra anti spy and anti malware programs and ran them, even purchased PC Spyware Doctor (normally I have just used Symantec AntiVirus). Various things were found, quarantined and/or removed. One possible factor, this happened around the time I made my last ZoneAlarm update. Don't have any direct correlation, but turning off ZoneAlarm does not make any difference.
When I forced open port 80 in Windows firewall I was able get to http sites in firefox but not MSIE7.
Current situation: after trying virtually every suggestion I found on this site and other similar ones, I can ping, reach sites via https, ftp, use VPN, Remote desktop, Email, etc. Just can't open a web page using a browser on port 80. A big problem is that I cannot update AV apps that use port 80 for their updates such as Malwarebytes.
Most recently I went into the Recovery Console and ran fixmbr. After this I was able in Safemode with networking to update all my anti spy and malware programs and ran complete scans and removed all problems that I was alerted to and then was able to visit an http site or two. Rebooted into XP and ran PC Spyware Doctor (which wanted to run only in full XP mode). But once again, found that I had no access to sites via port 80.
Note I am having to post this from another computer but have my laptop next to me.
Background: About 6 weeks ago I suddenly found that any attempt to reach a website via Firefox 3 failed. When I tried with IE7 a number of "linked to" urls were spawned and completely overtook IE such that only by turning off the computer completely was I able to stop this. I use Spybot and Adaware on occasion but now I downloaded a number of extra anti spy and anti malware programs and ran them, even purchased PC Spyware Doctor (normally I have just used Symantec AntiVirus). Various things were found, quarantined and/or removed. One possible factor, this happened around the time I made my last ZoneAlarm update. Don't have any direct correlation, but turning off ZoneAlarm does not make any difference.
When I forced open port 80 in Windows firewall I was able get to http sites in firefox but not MSIE7.
Current situation: after trying virtually every suggestion I found on this site and other similar ones, I can ping, reach sites via https, ftp, use VPN, Remote desktop, Email, etc. Just can't open a web page using a browser on port 80. A big problem is that I cannot update AV apps that use port 80 for their updates such as Malwarebytes.
Most recently I went into the Recovery Console and ran fixmbr. After this I was able in Safemode with networking to update all my anti spy and malware programs and ran complete scans and removed all problems that I was alerted to and then was able to visit an http site or two. Rebooted into XP and ran PC Spyware Doctor (which wanted to run only in full XP mode). But once again, found that I had no access to sites via port 80.
NerdsOfTech
post your hijackthis report if possible
run malwarebytes in safe mode first; fix all errors
read:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
download and run combofix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
read:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
download and run combofix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
As already suggested, run MalwareBytes and also Combofix but run them in normal mode as these tools are designed to be run in normal mode.
Scanning in safe mode is only necessary IF the pc doesn't boot in normal mode..
It the tools won't run at first time, then re-download but rename before saving the file to your desktop.
Please show us the logfiles.
Scanning in safe mode is only necessary IF the pc doesn't boot in normal mode..
It the tools won't run at first time, then re-download but rename before saving the file to your desktop.
Please show us the logfiles.
ASKER
Thanks for the above suggestions. As mentioned above, in June I ran full scans with Malwarebytes, PC SpyDoctor, Symantec AV, & SpyBot, in normal XP mode removing all 'infections' found. I then ran Combofix as instructed by info found on bleepingcomputer.com (though they warn you against doing this unless it is done under the guidance of an 'expert'). Nothing changed, no http (port 80) access.
Then again on July 10 I ran Malwarebytes with July 10 data files. In normal XP mode it froze upon catching an infected object. When I ran it in XP safe mode it completed the scan finding a 'setupsv.exe' rogue installer. I then ran PC SpyDoctor in normal XP mode. All the infections it found appear to be tied to Combofix. It is not clear that the setupsv.exe was not also tied to Combofix but I had MWB remove it anyway.
Attached is today's HijackThis log and I am running a full set of scans again and will let you know the results in a few hours.
hijackthis.log
Then again on July 10 I ran Malwarebytes with July 10 data files. In normal XP mode it froze upon catching an infected object. When I ran it in XP safe mode it completed the scan finding a 'setupsv.exe' rogue installer. I then ran PC SpyDoctor in normal XP mode. All the infections it found appear to be tied to Combofix. It is not clear that the setupsv.exe was not also tied to Combofix but I had MWB remove it anyway.
Attached is today's HijackThis log and I am running a full set of scans again and will let you know the results in a few hours.
hijackthis.log
You likely have a rootkit infection ... entry 020
HiJackThis Fixes:
R0 - HKCU\Software\Microsoft\In
F2 - REG:system.ini: UserInit=C:\WINDOWS\system
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DL
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCt
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinho
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.ex
O23 - Service: MySQL51 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
questionable:
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O15 - Trusted Zone: http://fpg.unc.edu
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorS
HiJackThis Fixes:
R0 - HKCU\Software\Microsoft\In
F2 - REG:system.ini: UserInit=C:\WINDOWS\system
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DL
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCt
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinho
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.ex
O23 - Service: MySQL51 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
questionable:
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O15 - Trusted Zone: http://fpg.unc.edu
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorS
rename hijackthis to "1.exe" and run executable; fix all problems found above.
rename malware bytes to "2.exe" and run executable; fix all problems,
rename combofix to "3.exe" and run executable,
rename malware bytes to "2.exe" and run executable; fix all problems,
rename combofix to "3.exe" and run executable,
Correction
In Safe Mode:
rename hijackthis to "1.exe" and run executable; fix all problems found above.
use hijackthis misc tools and delete this file on reboot function:
C:\WINDOWS\SYSTEM32\kwinho
rename malware bytes to "2.exe"
rename combofix to "3.exe"
In Normal Mode:
run malwarebytes (2.exe); fix all problems,
run combofix (3.exe) executable,
=NerdsOfTech
In Safe Mode:
rename hijackthis to "1.exe" and run executable; fix all problems found above.
use hijackthis misc tools and delete this file on reboot function:
C:\WINDOWS\SYSTEM32\kwinho
rename malware bytes to "2.exe"
rename combofix to "3.exe"
In Normal Mode:
run malwarebytes (2.exe); fix all problems,
run combofix (3.exe) executable,
=NerdsOfTech
ASKER
Very encouraging, I like where this is going. Please clarify your statement:
use hijackthis misc tools and delete this file on reboot function:
C:\WINDOWS\SYSTEM32\kwinho
What are the hijackthis misc tools that I am to use. All I have know of Hijackthis is that it produces a report. And what is the reboot function I am to use to delete this dll, i.e., how do I go about this? Do I reboot into some special mode like console only?
Thanks
use hijackthis misc tools and delete this file on reboot function:
C:\WINDOWS\SYSTEM32\kwinho
What are the hijackthis misc tools that I am to use. All I have know of Hijackthis is that it produces a report. And what is the reboot function I am to use to delete this dll, i.e., how do I go about this? Do I reboot into some special mode like console only?
Thanks
When hijackthis is open
click the button "Open the Misc Tools section"
click "Delete file on reboot..." button
copy and paste :
C:\WINDOWS\SYSTEM32\kwinho
as filename.
reboot computer.
=NerdsOfTech
click the button "Open the Misc Tools section"
click "Delete file on reboot..." button
copy and paste :
C:\WINDOWS\SYSTEM32\kwinho
as filename.
reboot computer.
=NerdsOfTech
Correction:
1. Open HiJackThis
2. click the "Open the Misc Tools section" button
3. click "Delete file on reboot..." button
4. copy and paste :
C:\WINDOWS\SYSTEM32\kwinho
in filename textbox. click open.
5. click restart now to reboot computer when prompted.
=NerdsOfTech
1. Open HiJackThis
2. click the "Open the Misc Tools section" button
3. click "Delete file on reboot..." button
4. copy and paste :
C:\WINDOWS\SYSTEM32\kwinho
in filename textbox. click open.
5. click restart now to reboot computer when prompted.
=NerdsOfTech
ASKER
One more thing. You wrote - HiJackThis Fixes:
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCt
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
The above are all Lenovo Thinkpad utilities and/or services installed upon build. Are they really suspect? Will I lose any important functionality like the TPShocks which is supposed to help protect the harddrive? Or can I just reinstall them again later if needed? (This computer was initially a university 'build' so I don't know what a lot of these "Run" apps do and have been reluctant to remove them.
Again, much thanks for your help.
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCt
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
The above are all Lenovo Thinkpad utilities and/or services installed upon build. Are they really suspect? Will I lose any important functionality like the TPShocks which is supposed to help protect the harddrive? Or can I just reinstall them again later if needed? (This computer was initially a university 'build' so I don't know what a lot of these "Run" apps do and have been reluctant to remove them.
Again, much thanks for your help.
You are correct please IGNORE and do not fix:
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCt
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCt
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
Also IGNORE deletion of:
if KBOX is used
C:\WINDOWS\SYSTEM32\kwinho
if KBOX is used
C:\WINDOWS\SYSTEM32\kwinho
Strange question but do you have any server running like apache on this computer?
Otherwise, your ip/tcp stack or lsp may be messed up... try running:
http://download.cnet.com/XP-TCP-IP-Repair/3000-2094_4-10410929.html
See if you can get a connection and report back.
Thanks!
Otherwise, your ip/tcp stack or lsp may be messed up... try running:
http://download.cnet.com/XP-TCP-IP-Repair/3000-2094_4-10410929.html
See if you can get a connection and report back.
Thanks!
ASKER
Not a strange question. Yes, Kbox is in use. And yes many 'server' environments have been tested on this computer including Plone, MySQL 5, IIS (personal), and New Atlanta's Bluedragon .NET server (none active at this time). Never Apache.
Question: Should I try fixing the ip/tcp stack as suggested above before I go forward with the Hijackthis + cleanup routines?
Thanks
Question: Should I try fixing the ip/tcp stack as suggested above before I go forward with the Hijackthis + cleanup routines?
Thanks
NerdsOf Tech may I know what's your reason for disabling those entries?
It's okay to fix the 04 entries because that doesn't affect the program but fixing the 020 and 023 entries stop the program from working and any programs that are dependent on those 023 service to run will also stop working.
C:\WINDOWS\SYSTEM32\kwinho
The above 020 file belongs to KBox System Deployment it should be left alone if the user use it.
It's okay to fix the 04 entries because that doesn't affect the program but fixing the 020 and 023 entries stop the program from working and any programs that are dependent on those 023 service to run will also stop working.
C:\WINDOWS\SYSTEM32\kwinho
The above 020 file belongs to KBox System Deployment it should be left alone if the user use it.
Bobster311,
You mentioned that you already run Combofix, can we look at the logfile?
You mentioned that you already run Combofix, can we look at the logfile?
ASKER
rpggamergirl, thanks but NerdsOf Tech commented on this:
"Also IGNORE deletion of:
if KBOX is used
C:\WINDOWS\SYSTEM32\kwinho
and I did not remove this entry which I understood to be:
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinho
I am needing to download a newer version of combofix. My version is less than a month old but apparently is not valid. I will run this and get back with you all.
Thanks
"Also IGNORE deletion of:
if KBOX is used
C:\WINDOWS\SYSTEM32\kwinho
and I did not remove this entry which I understood to be:
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinho
I am needing to download a newer version of combofix. My version is less than a month old but apparently is not valid. I will run this and get back with you all.
Thanks
ASKER
Followed the instruction verbatim. Combofix log attached:
A single trojan found in both MSAM and Superantispyware ran before I started the above fixes suggested, none found after these scans in MSAM or combofix, i.e., no change in http: (port 80) availability (can't even do an MSAM update). Everything else appears ok.
Attached is the combofix log
Planning to try the tcp/ip stack fix unless told not to in the next 12 hours. It sounds like it could cause trouble, just don't know what the actual risks are [not spelled out clearly in any of the documentation but I am getting rather desperate].
combolog.txt
A single trojan found in both MSAM and Superantispyware ran before I started the above fixes suggested, none found after these scans in MSAM or combofix, i.e., no change in http: (port 80) availability (can't even do an MSAM update). Everything else appears ok.
Attached is the combofix log
Planning to try the tcp/ip stack fix unless told not to in the next 12 hours. It sounds like it could cause trouble, just don't know what the actual risks are [not spelled out clearly in any of the documentation but I am getting rather desperate].
combolog.txt
ASKER
NerdsOf Tech, et. al.
I ran the tcpip stack repair program suggested above and still no http (port 80) connection.
Another question; does it matter which user account I run these various scans (especially Combofix) as long as the user account has Administrator rights and privileges?
Thanks
I ran the tcpip stack repair program suggested above and still no http (port 80) connection.
Another question; does it matter which user account I run these various scans (especially Combofix) as long as the user account has Administrator rights and privileges?
Thanks
It doesn't matter as long as you have admin rights.
Do you have a web server running on port 80?
Try shutting down both zonealarm and windows firewall and attempt internet access.
Have you considered backup and clean OS reinstall?
Do you have a web server running on port 80?
Try shutting down both zonealarm and windows firewall and attempt internet access.
Have you considered backup and clean OS reinstall?
Try to use TCPView from Sysinternals and see what application is using the port 80. It can be downloaded from:
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Hope it helps.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Hope it helps.
ASKER
Nerds of Tech
Do you have a web server running on port 80?
No. IIS is disabled
Try shutting down both zonealarm and windows firewall and attempt internet access.
Makes no difference
Have you considered backup and clean OS reinstall?
Have considered it, but only as a last resort which looks like where I am heading }:-{
Warturtle
Try to use TCPView from Sysinternals and see what application is using the port 80.
It shows nothing using port 80.
What besides a virus (rootkit) could simply lock down port 80?? Again, if I force this port open in MS Internet firewall I can get through, and I can get to many sites using port 443 (https). Really curious.
Thanks for your efforts
Do you have a web server running on port 80?
No. IIS is disabled
Try shutting down both zonealarm and windows firewall and attempt internet access.
Makes no difference
Have you considered backup and clean OS reinstall?
Have considered it, but only as a last resort which looks like where I am heading }:-{
Warturtle
Try to use TCPView from Sysinternals and see what application is using the port 80.
It shows nothing using port 80.
What besides a virus (rootkit) could simply lock down port 80?? Again, if I force this port open in MS Internet firewall I can get through, and I can get to many sites using port 443 (https). Really curious.
Thanks for your efforts
If you don't already have SuperAntiSpyware installed on your PC, I suggest that you download it from www.superantispyware.com and install it. After the installation is done, then open the main screen->Preferences->Repai
Have you restarted your computer after doing the Winsock LSP Fix (that you did before)? If not, then that is surely recommended.
Try doing the Internet Security Zone Reset and Intenet Explorer Policy Restrictions Reset.
Have you restarted your computer after doing the Winsock LSP Fix (that you did before)? If not, then that is surely recommended.
Try doing the Internet Security Zone Reset and Intenet Explorer Policy Restrictions Reset.
LSPFix may do the trick
It sounds like corrupted LSP if your port scanner didn't detect 80 used
http://www.bleepingcomputer.com/files/lspfix.php
It sounds like corrupted LSP if your port scanner didn't detect 80 used
http://www.bleepingcomputer.com/files/lspfix.php
ASKER
Warturtle:
I have already downloaded and run superantispyware (it took 4 hours!!) yesterday, found nothing.
Nerds of Tech:
I ran Lspfix and it only told me that that 'no problems found.'
After multiple runs of at least 10 recommended anti-virus and anti-malware apps along with Combofix, following all your instructions, none are finding any problems at this point (except for things related to Combofix). All attempts to fix the tcp/ip stack + have made no difference. I am ready to give up the ghost, throw in the towel. Rootkit problems are hard to get rid of I know, but I have been successful before.
I just don't understand why port 80 is so completely blocked and won't let up (except for that brief time after doing a mbrfix and then restarting in Safe mode with networking (wired) on a university network. Combofix has cleared this problem up before. Could it be something that ZoneAlarm did when I installed the new free version in June?
In the end, my computer runs fine except for getting out on Port 80. I will use remote desktop until I have time to start over. Looks like I am going to have to hand it over to the university to wipe it clean and start over (gag me with a spoon).
I will award points because you guys (gals) have done it by the book, everything you have suggested follows/matches the protocol that other experts have recommended on other forums. But it looks like this story does not have a happy ending.
Thanks for all your help (unless you have something else to suggest). want to see any other logs? I have plenty. (;- )
I have already downloaded and run superantispyware (it took 4 hours!!) yesterday, found nothing.
Nerds of Tech:
I ran Lspfix and it only told me that that 'no problems found.'
After multiple runs of at least 10 recommended anti-virus and anti-malware apps along with Combofix, following all your instructions, none are finding any problems at this point (except for things related to Combofix). All attempts to fix the tcp/ip stack + have made no difference. I am ready to give up the ghost, throw in the towel. Rootkit problems are hard to get rid of I know, but I have been successful before.
I just don't understand why port 80 is so completely blocked and won't let up (except for that brief time after doing a mbrfix and then restarting in Safe mode with networking (wired) on a university network. Combofix has cleared this problem up before. Could it be something that ZoneAlarm did when I installed the new free version in June?
In the end, my computer runs fine except for getting out on Port 80. I will use remote desktop until I have time to start over. Looks like I am going to have to hand it over to the university to wipe it clean and start over (gag me with a spoon).
I will award points because you guys (gals) have done it by the book, everything you have suggested follows/matches the protocol that other experts have recommended on other forums. But it looks like this story does not have a happy ending.
Thanks for all your help (unless you have something else to suggest). want to see any other logs? I have plenty. (;- )
Did you play around with the Repairs in SuperAntiSpyware?? Scanning with SuperAntiSpyware is for removing malware, but the repair tools could be helpful in resolving the problem.
Thanks for your patience!
Sorry we could not get it solved. If you are to redo the OS do you want to try and remove that hooked program for experimentation?:
C:\WINDOWS\SYSTEM32\kwinho
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinho
=NerdsOfTech
Sorry we could not get it solved. If you are to redo the OS do you want to try and remove that hooked program for experimentation?:
C:\WINDOWS\SYSTEM32\kwinho
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinho
=NerdsOfTech
Try this -
Start Internet Explorer.
On the Tools menu, click Manage Add-ons.
Click the name of the add-on.
Use one of the following methods:
click Disable, and then click OK.
You may have to restart Internet Explorer for the changes to take effect after you enable or disable an add-on.
Start Internet Explorer.
On the Tools menu, click Manage Add-ons.
Click the name of the add-on.
Use one of the following methods:
click Disable, and then click OK.
You may have to restart Internet Explorer for the changes to take effect after you enable or disable an add-on.
ASKER
Note: This thread is not completely finished. It is just that I am preparing for a vacation. I will be back in touch in the next day or so to conclude with comments on your suggestions above.
Thanks again for your help.
Thanks again for your help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
NerdsofTech and Warturtle both responded with good ideas and new tests to run. If it was easier to do I would give Warturtle 100 of these points.
None of their solutions actually fixed my problem but I appreciated their thoroughness and knowledge regarding the testing protocols for this kind of deep virus infection and learned alot [probably as NerdsofTech said early on, a rootkit infection]. I know these to be difficult to clean out. I will be wiping the machine and starting over. However, I really would like to better understand how port 80 can be so thoroughly blocked and no other signs of infection are present. Multiple scanners say I am clean.
Thanks for all your efforts.
None of their solutions actually fixed my problem but I appreciated their thoroughness and knowledge regarding the testing protocols for this kind of deep virus infection and learned alot [probably as NerdsofTech said early on, a rootkit infection]. I know these to be difficult to clean out. I will be wiping the machine and starting over. However, I really would like to better understand how port 80 can be so thoroughly blocked and no other signs of infection are present. Multiple scanners say I am clean.
Thanks for all your efforts.
sound very similar to an issue i had with a senior staff member's laptop -- basically your Winsock stack is knackered, and although there are programs out there to fix it, and allow port 80 (web access) to work again, it only lasts for a few hours, and then reverts back, in the end we had to rebuild the system. that laptop used Firefox as its primary browser, so not sure if the previously posted IE fix would have made any difference.
everything else worked OWA over SSL, secure HTTPS and VPN all worked, even Skype.
everything else worked OWA over SSL, secure HTTPS and VPN all worked, even Skype.