Solved

Computer can only access the internet by IP address and not by web address

Posted on 2010-09-03
691 Views
Last Modified: 2013-12-08
I have 4 computers on my network.  All connect fine except one desktop that became infected with some type of malware.  I have removed the malware, but I cannot get the computer to browse the internet by web address.  It can access sites by IP address.  I have run Winsock and DNS resets through the command prompt.  I checked my IE settings and reset them to default.  Neither Firefox nor IE will access the internet via web address.  Outlook does not connect either.  The problem computer will access all of my other computers fine.  No issues there; the issue has to be in the DNS.  The problem computer has the same settings as the other computers.  I also ran the Norton removal tool, but it did not help.  The operating system is Windows XP Pro.  Any help would be greatly appreciated.
Question by:alliart
26 Comments
 
LVL 2

Expert Comment

by:dgenerosa
Confirm the malware has not added a proxy to your internet options.

Control Panel --> Internet Options --> Connections --> LAN Settings.  Make sure no proxy is set (other than those you know should be there).
0
 
LVL 4

Expert Comment

by:Amnonm
Can you describe your network design briefly?
Also, I do not deny the possibility of infection, but maybe something else was changed without you noticing, because it sounds to me like a DNS problem or NAT configuration.
0
 
LVL 23

Expert Comment

by:Dr. Klahn
Look in C:\Windows\system32\drivers\etc for the files "hosts" and "lmhosts".  There should not be an "lmhosts" file.  If there is, delete it.

Open the "hosts" file with Notepad.  On a normal system, it should contain exactly one data line:

   127.0.0.1       localhost

If this is not the case, delete all other data lines.  Then reboot the system, open a command window, and type this command:

nslookup google.com

The response should contain:

   Non-authoritative answer:
   Name:  google.com
   Addresses:  209.85.225.(something), 209.85.225.(something else), ...

If this works, the problem should be solved.  If not, get back to us with the results and any further information.



0
 
LVL 2

Expert Comment

by:renov8r
You ought to be able to enter hard coded DNS server IP addresses in

Local Area Connection Properties -> Internet Protocol (TCP/IP) Properties -> "Use the following DNS server addresses".

If you currently rely on the DNS server of your ISP, I would recommend using OpenDNS or Google Public DNS:

http://code.google.com/speed/public-dns/docs/using.html

http://www.opendns.com/compare-opendns-vs-google-dns
0
 
LVL 6

Expert Comment

by:ahdfx
The redirect virus is still present.  You need to use a rootkit remover.
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 

Author Comment

by:alliart
Follow up:  dgenerosa: Proxy is not checked.

Dr. Klahn: There was a file lmshosts.sam in there that I deleted.  The host.bak file has one line just as you indicated.  The nslookup google.com returned:

 Non-authoritative answer:
   Name:  google.com
   Addresses:  74.125.47.104, 74.125.47.99,

Same as my other computers.

There is a lmhosts file located in C:\I386 and a lmhosts located in C:\Recycler\

I rebooted the computer but it did not correct the issue.
0
 

Author Comment

by:alliart
Follow up: renov8r:  Changing the DNS and setting them manually to the OpenDNS settings does not correct the situation.
0
 
LVL 8

Expert Comment

by:moonie42
As mentioned above, check to see if the malware inserted a proxy server, and then try the tools mentioned above.  I also like Malwarebytes, Super AntiSpyware, and ComboFix.  One tip:  Make sure that you turn System Restore OFF prior to running the scans.

You may also wish to verify your ISP-provided (or corporate) DNS servers, and maybe even try using OpenDNS (http://www.opendns.com/start/).  Their DNS addresses are 208.67.222.222 and 208.67.220.220.

Also, if after all that you are still having issues, try flushing and renewing your DNS Cache:
at the command prompt type  (without the quotes) "IPCONFIG /FLUSHDNS" and hit ENTER.
After that completes, renew your DNS with "IPCONFIG /REGISTERDNS" and hit ENTER.
You can review your DNS cache with "IPCONFIG /DISPLAYDNS".

0
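The three checks suggested so far (dgenerosa's proxy check, Dr. Klahn's hosts-file check, and the DNS-server review from renov8r and moonie42) can be done offline against captured text rather than by clicking through dialogs. The script below is an added example and is not code from this thread or from any tool mentioned in it. It assumes the Windows XP `ipconfig /all` layout shown in the thread, a `reg query` listing of the IE `Internet Settings` key, and constructed sample inputs: the hijacked hosts entries, the resolver 203.0.113.53, and the proxy 127.0.0.1:8118 are invented for the demonstration; only the OpenDNS addresses come from the thread. All function names are mine.

```python
"""Offline triage of the DNS-redirection indicators raised in this thread:
the hosts file, the DNS servers from `ipconfig /all`, and the IE proxy
values from `reg query`. Every input is a constructed sample, so the script
runs on any machine without touching it (added example, not the thread's)."""
import ipaddress
import re

# Constructed hosts file: the one legitimate line plus two redirector entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.

127.0.0.1       localhost
10.9.8.7        www.google.com          # constructed hijacked entry
10.9.8.7        update.microsoft.com    # constructed hijacked entry
"""

# Constructed `ipconfig /all` excerpt in the XP layout; the second DNS server
# (documentation range 203.0.113.0/24) is not on the LAN and not the gateway.
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.187
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            203.0.113.53
"""

# Constructed `reg query` output for the IE connection settings (HKCU).
SAMPLE_REG = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    127.0.0.1:8118
    ProxyOverride    REG_SZ    <local>
"""

# Resolvers the owner chose deliberately; the OpenDNS pair is from the thread.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def audit_hosts(text):
    """Return every data line except the single expected '127.0.0.1 localhost'."""
    flagged = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr == "127.0.0.1" and names == ["localhost"]:
            continue
        flagged.append(" ".join([addr, *names]))
    return flagged


# "Label . . . . : value" lines; labels contain no dots or colons.
_KV = re.compile(r"^\s+([A-Za-z][^.:]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Map `ipconfig /all` labels to value lists, folding XP's continuation
    lines (an indented bare address under 'DNS Servers') into the last label."""
    cfg, last = {}, None
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            last = m.group(1).strip()
            cfg[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif last and line.strip() and line[0].isspace():
            cfg[last].append(line.strip())
    return cfg


def first(cfg, key):
    """First value for a label, or None when the label is absent or empty."""
    return (cfg.get(key) or [None])[0]


def check_dns(cfg, trusted=TRUSTED_RESOLVERS):
    """Flag DNS servers that are neither the gateway, on the LAN, nor trusted."""
    gateway = first(cfg, "Default Gateway")
    addr, mask = first(cfg, "IP Address"), first(cfg, "Subnet Mask")
    lan = ipaddress.ip_network(f"{addr}/{mask}", strict=False) if addr and mask else None
    flagged = []
    for server in cfg.get("DNS Servers", []):
        if server == gateway or server in trusted:
            continue
        if lan and ipaddress.ip_address(server) in lan:
            continue
        flagged.append(server)
    return flagged


def parse_proxy(text):
    """Collect the Proxy* values from `reg query` output into a dict."""
    vals = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Proxy"):
            vals[parts[0]] = " ".join(parts[2:])  # value may contain spaces
    return vals


def check_proxy(vals):
    """Return the proxy server string if proxying is enabled, else None."""
    enabled = vals.get("ProxyEnable", "0x0").lower() in ("0x1", "1")
    return vals.get("ProxyServer") if enabled else None


if __name__ == "__main__":
    print("hosts entries to review:", audit_hosts(SAMPLE_HOSTS))
    print("unexpected DNS servers:", check_dns(parse_ipconfig(SAMPLE_IPCONFIG)))
    print("active proxy:", check_proxy(parse_proxy(SAMPLE_REG)))
```

On a real machine the three inputs would be the contents of `C:\Windows\system32\drivers\etc\hosts`, the saved output of `ipconfig /all`, and the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`. Anything the script flags is exactly what the posts above ask you to inspect by hand: extra hosts lines, a resolver that is neither the router nor one you chose, or a proxy that is enabled but unknown to you.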
 

Author Comment

by:alliart
Follow up: ahdfx:  I ran the program you suggested and it found no threats or issues.
0
 
LVL 4

Expert Comment

by:Amnonm
First, this is a good tool for removal:
http://www.avast.com/tur/avast-virus-cleaner.html

Second:
can you post what you see when you go to Start -> Run (type cmd), press Enter, and type ipconfig /all?
0
 

Author Comment

by:alliart
ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Office
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
        Physical Address. . . . . . . . . : 00-16-35-AD-53-FB
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.187
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Lease Obtained. . . . . . . . . . : Friday, September 03, 2010 6:38:55 PM
        Lease Expires . . . . . . . . . . : Saturday, September 04, 2010 6:38:55 PM
0
 

Author Comment

by:alliart
I have run all of the programs Malwarebytes, Super AntiSpyware, and ComboFix with the system restore point off and it did not correct the problem.  I got all of the malware off the computer but the internet browsing problem is still there.  The problem malware was never fully loaded on the computer.  The malware was the Malware Doctor program, but I never downloaded the program on anything.  It got on this one computer, but I was able to use the programs to get it off; however, something is blocking me from using the internet.
0
 
LVL 4

Expert Comment

by:Amnonm
Comment Utility
Just one thing: if you post it again, you need to hide the MAC address.

If you are using a router to connect to the internet, you need to go and check the router configuration: NAT and the WAN IP address.
What kind of router do you have, and what type of firmware (regular or some WRT firmware)?
0

 

Author Comment

by:alliart
Amnonm:  Thanks for the MAC address tip.  I am using a D-Link DIR-655.  Firmware is version 1.21 (I assume regular).

There are no issues with my other computers through this router.  I have 3 computers working fine, 2 Xboxes, 1 Wii, and 3 DirecTV receivers all going through the router with no issue.  I have the computer connected hard line via Ethernet as well as a wireless connection, and each connection produces the same result no matter which one I am using.
0
 

Author Comment

by:alliart
Amnonm:  I ran the virus removal tool from the link you suggested and it did not find anything.  I have run MGTools and have the logs.  Should I post the logs?
0
 
LVL 22

Expert Comment

by:optoma
Can you post ComboFix's logfile?
Also run LSPFix.  If LSPFix notes anything to fix, fix it; otherwise leave the other entries alone, as they are standard entries.
http://www.cexx.org/LSPFix.exe
0
 
LVL 4

Expert Comment

by:Amnonm
At this stage I really think that the fastest solution will be to try to roll back using System Restore.
If you have a recent restore point, give it a try.
 
0
 

Author Comment

by:alliart
ComboFix file:

ComboFix 10-07-23.02 - Administrator 07/27/2010  15:06:22.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.478 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\driVERs\ardkwoud.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ardkwoud
-------\Service_ardkwoud


(((((((((((((((((((((((((   Files Created from 2010-06-27 to 2010-07-27  )))))))))))))))))))))))))))))))
.

2010-07-27 18:12 . 2010-07-27 18:12      --------      d-----w-      c:\program files\CCleaner
2010-07-27 18:02 . 2010-07-27 18:03      151674      ----a-w-      C:\MGlogs.zip
2010-07-27 18:01 . 2010-07-27 18:03      --------      d-----w-      C:\MGTools
2010-07-24 13:24 . 2010-07-24 13:24      0      ----a-w-      c:\documents and settings\Administrator\settings.dat
2010-07-24 04:09 . 2010-07-24 04:09      63488      ----a-w-      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-24 04:09 . 2010-07-24 04:09      52224      ----a-w-      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-24 04:09 . 2010-07-24 04:09      117760      ----a-w-      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-24 04:08 . 2010-07-24 04:08      --------      d-----w-      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-24 04:08 . 2010-07-24 04:08      --------      d-----w-      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-24 04:08 . 2010-07-24 04:09      --------      d-----w-      c:\program files\SUPERAntiSpyware
2010-07-24 00:20 . 2010-07-24 00:20      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-07-16 01:53 . 2010-07-16 01:53      --------      d-sh--w-      c:\documents and settings\Administrator\IECompatCache
2010-07-16 01:52 . 2010-07-16 01:52      --------      d-sh--w-      c:\documents and settings\Administrator\PrivacIE
2010-07-15 18:22 . 2010-07-15 18:22      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-15 18:22 . 2010-04-29 20:39      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 18:22 . 2010-07-15 18:22      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-15 18:22 . 2010-07-24 12:50      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-07-15 18:22 . 2010-04-29 20:39      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-07-15 13:30 . 2010-07-15 13:30      --------      d-----w-      c:\windows\system32\MpEngineStore
2010-07-15 02:36 . 2010-07-15 12:56      2832      ----a-w-      c:\windows\Uvamelikolakefu.dat
2010-07-15 02:36 . 2010-07-15 02:36      0      ----a-w-      c:\windows\Jqebo.bin
2010-07-15 02:36 . 2010-07-15 02:36      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\{D63C63B0-FF54-4122-B682-F27907883E68}
2010-07-15 02:34 . 2010-07-24 05:04      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\yombnsntk
2010-07-15 01:17 . 2010-06-14 14:31      744448      ------w-      c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 18:10 . 2007-03-26 17:39      --------      d-----w-      c:\program files\WebEx
2010-07-27 18:09 . 2006-07-06 18:51      --------      d--h--w-      c:\program files\InstallShield Installation Information
2010-07-27 18:09 . 2010-04-30 18:23      36864      ----a-w-      c:\documents and settings\All Users\Application Data\TEMP\{479F8C12-576B-4A58-AB78-4B70F7012AA8}\PostBuild.exe
2010-07-26 03:07 . 2008-02-02 01:41      --------      d-----w-      c:\documents and settings\All Users\Application Data\Google Updater
2010-07-24 12:59 . 2006-12-11 16:26      --------      d-----w-      c:\program files\Common Files\Symantec Shared
2010-07-24 12:59 . 2006-12-11 16:26      --------      d-----w-      c:\program files\Symantec
2010-07-24 12:59 . 2006-12-11 16:26      --------      d-----w-      c:\documents and settings\All Users\Application Data\Symantec
2010-07-24 00:18 . 2009-01-28 22:09      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2010-06-26 16:22 . 2010-06-26 16:18      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Leawo
2010-06-26 16:21 . 2010-06-26 16:15      --------      d-----w-      c:\program files\Leawo
2010-06-26 16:16 . 2010-06-26 16:16      --------      d-----w-      c:\program files\K-Lite Codec Pack
2010-06-22 21:12 . 2010-06-22 21:12      501936      ----a-w-      c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb12A.tmp.exe
2010-06-14 14:31 . 2004-08-04 08:00      744448      ----a-w-      c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-06 07:39 . 2010-05-12 00:37      --------      d-----w-      c:\program files\Microsoft Silverlight
2010-05-29 01:42 . 2010-05-29 01:42      --------      d-----w-      c:\program files\FlashFXP
2010-05-29 01:42 . 2010-05-29 01:42      --------      d-----w-      c:\documents and settings\All Users\Application Data\FlashFXP
2010-05-19 02:03 . 2006-12-11 16:24      75712      -c--a-w-      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:22 . 2004-08-04 08:00      1851264      ----a-w-      c:\windows\system32\win32k.sys
2007-04-19 20:31 . 2007-04-19 20:31      258      -c--a-w-      c:\program files\Altir?
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-21 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-17 198160]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-08 13924864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-10-04 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 245760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2009-1-13 29290496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21      548352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [1/13/2009 9:15 AM 57344]
S1 CCDevice;CCDevice; [x]
S1 MpKslc71944a3;MpKslc71944a3;c:\windows\system32\MpEngineStore\MpKslc71944a3.sys [7/15/2010 8:30 AM 28752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 3:43 PM 135664]
S3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2/2/2005 6:29 PM 9344]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe [1/13/2009 9:15 AM 356434]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\00000a79.nmc\nse\bin\ndiskio.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\00000a79.nmc\nse\bin\ndiskio.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt      REG_MULTI_SZ         hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]

2010-07-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 12:19]

2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 20:43]

2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 20:43]

2010-07-26 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-12 05:51]

2010-07-27 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: intuit.com\ttlc
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 15:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1420395772-2482697492-3800826051-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\WlanGINA\Version\1.0.4.0\WlanGINA.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3660)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
c:\program files\Microsoft Silverlight\xapauthenticodesip.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\progra~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
.
**************************************************************************
.
Completion time: 2010-07-27  15:19:38 - machine was rebooted
ComboFix-quarantined-files.txt  2010-07-27 20:19
ComboFix2.txt  2010-07-26 21:25
ComboFix3.txt  2010-07-26 03:58
ComboFix4.txt  2010-07-24 13:22

Pre-Run: 2,742,358,016 bytes free
Post-Run: 2,721,361,920 bytes free

- - End Of File - - 412170CE76128B7F86EABF7FE264E05E
0
 
LVL 22

Expert Comment

by:optoma
The Recovery Console is not installed, and ComboFix won't attempt to remove some files without it installed.
Could you download a fresh copy of ComboFix and also the Recovery Console, manually install the RC, and post a new log?

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery
0
 

Author Comment

by:alliart
Sorry for the delay.  I ran it as you requested and here are the results from ComboFix:

ComboFix 10-09-03.02 - Administrator 09/06/2010  12:51:56.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.485 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2010-08-06 to 2010-09-06  )))))))))))))))))))))))))))))))
.

2010-09-04 15:35 . 2010-09-04 15:35      --------      d-----w-      c:\windows\LastGood
2010-09-04 00:55 . 2010-09-04 00:55      --------      d-----w-      C:\RootRepeal
2010-08-11 07:54 . 2010-08-11 07:54      --------      d-sh--w-      c:\documents and settings\Hugh\PrivacIE
2010-08-11 07:53 . 2010-08-11 07:53      --------      d-----w-      c:\documents and settings\Hugh\Local Settings\Application Data\Mozilla

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 01:01 . 2010-07-27 18:02      167198      ----a-w-      C:\MGlogs.zip
2010-09-03 20:33 . 2010-07-24 04:09      63488      ----a-w-      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-03 20:33 . 2010-07-24 04:09      117760      ----a-w-      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-11 23:01 . 2009-01-28 22:09      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2010-08-11 07:52 . 2010-08-11 07:52      75712      ----a-w-      c:\documents and settings\Hugh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-11 07:52 . 2010-08-11 07:52      127      ----a-w-      c:\documents and settings\Hugh\Local Settings\Application Data\fusioncache.dat
2010-08-10 17:27 . 2006-07-06 18:52      --------      d-----w-      c:\program files\Google
2010-07-28 18:22 . 2010-07-28 18:22      0      ----a-w-      c:\windows\nsreg.dat
2010-07-28 13:36 . 2009-12-12 00:02      --------      d-----w-      c:\program files\Norton Security Scan
2010-07-28 13:36 . 2009-08-06 18:55      --------      d-----w-      c:\documents and settings\All Users\Application Data\Norton
2010-07-27 18:12 . 2010-07-27 18:12      --------      d-----w-      c:\program files\CCleaner
2010-07-27 18:10 . 2007-03-26 17:39      --------      d-----w-      c:\program files\WebEx
2010-07-27 18:09 . 2006-07-06 18:51      --------      d--h--w-      c:\program files\InstallShield Installation Information
2010-07-27 18:09 . 2010-04-30 18:23      36864      ----a-w-      c:\documents and settings\All Users\Application Data\TEMP\{479F8C12-576B-4A58-AB78-4B70F7012AA8}\PostBuild.exe
2010-07-24 13:24 . 2010-07-24 13:24      0      ----a-w-      c:\documents and settings\Administrator\settings.dat
2010-07-24 04:09 . 2010-07-24 04:09      52224      ----a-w-      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-24 04:09 . 2010-07-24 04:08      --------      d-----w-      c:\program files\SUPERAntiSpyware
2010-07-24 04:08 . 2010-07-24 04:08      --------      d-----w-      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-24 04:08 . 2010-07-24 04:08      --------      d-----w-      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-24 00:20 . 2010-07-24 00:20      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-07-15 18:22 . 2010-07-15 18:22      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-15 18:22 . 2010-07-15 18:22      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-15 12:56 . 2010-07-15 02:36      2832      ----a-w-      c:\windows\Uvamelikolakefu.dat
2010-07-15 02:36 . 2010-07-15 02:36      0      ----a-w-      c:\windows\Jqebo.bin
2010-06-22 21:12 . 2010-06-22 21:12      501936      ----a-w-      c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb12A.tmp.exe
2010-06-14 14:31 . 2004-08-04 08:00      744448      ----a-w-      c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2007-04-19 20:31 . 2007-04-19 20:31      258      -c--a-w-      c:\program files\Altir?
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-21 149280]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2009-1-13 29290496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21      548352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [1/13/2009 9:15 AM 57344]
S1 CCDevice;CCDevice; [x]
S1 MpKslc71944a3;MpKslc71944a3;\??\c:\windows\system32\MpEngineStore\MpKslc71944a3.sys --> c:\windows\system32\MpEngineStore\MpKslc71944a3.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 3:43 PM 135664]
S3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2/2/2005 6:29 PM 9344]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe [1/13/2009 9:15 AM 356434]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\00000b09.nmc\nse\bin\ndiskio.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\00000b09.nmc\nse\bin\ndiskio.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SYSMONLOG

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt      REG_MULTI_SZ         hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: intuit.com\ttlc
TCP: {E84BA61E-5CC0-423B-9B8B-01745FC72B9C} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dbqyfs32.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-06 12:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1420395772-2482697492-3800826051-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,6f,19,2f,26,cb,66,48,9f,78,8c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\windows\WlanGINA\Version\1.0.4.0\WlanGINA.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(4040)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-06  12:58:25
ComboFix-quarantined-files.txt  2010-09-06 17:58
ComboFix2.txt  2010-07-27 20:19
ComboFix3.txt  2010-07-26 21:25
ComboFix4.txt  2010-07-26 03:58
ComboFix5.txt  2010-09-04 21:17

Pre-Run: 3,839,053,824 bytes free
Post-Run: 3,863,236,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3E195BD2C57B4C42092932525D526F65
LVL 22

Expert Comment

by:optoma
Hi. Cf didn't detect anything else.

Could you check these files (listed below) out at VirusTotal, as they don't look right, but I'm unsure.
Post back a link to the results.
Show hidden files and folders first.
 http://www.bleepingcomputer.com/tutorials/tutorial62.html
http://www.virustotal.com/

c:\windows\Uvamelikolakefu.dat
c:\windows\system32\MpEngineStore\MpKslc71944a3.sys




Author Comment

by:alliart
The second file could not be found.  I did a search, but the search produced no results.  I looked where it is supposed to be, but it is not there.  The first file was there and I did the scan.  Results are posted below, and it definitely is a bad file, as the date is the same as the date when the computer was infected.

File name:       file-1231688_dll
Submission date: 2010-07-16 20:51:08 (UTC)
Current status:  finished
Result:          8 /42 (19.0%)
Report:          http://www.virustotal.com/file-scan/report.html?id=f589616f5345be0a8fb362a07eb323120... (retrieved 9/7/2010)

Antivirus              Version          Last Update   Result
a-squared              5.0.0.31         2010.07.16    Trojan.Fakeav!IK
AhnLab-V3              2010.07.16.00    2010.07.15    -
AntiVir                8.2.4.12         2010.07.16    -
Antiy-AVL              2.0.3.7          2010.07.15    -
Authentium             5.2.0.5          2010.07.16    -
Avast                  4.8.1351.0       2010.07.16    -
Avast5                 5.0.332.0        2010.07.16    -
AVG                    9.0.0.836        2010.07.16    -
BitDefender            7.2              2010.07.16    Trojan.FakeAV.KZQ
CAT-QuickHeal          11.00            2010.07.16    -
ClamAV                 0.96.0.3-git     2010.07.16    -
Comodo                 5448             2010.07.16    -
DrWeb                  5.0.2.03300      2010.07.16    -
eSafe                  7.0.17.0         2010.07.15    -
eTrust-Vet             36.1.7715        2010.07.16    HTML/FakeAlert.BHB
F-Prot                 4.6.1.107        2010.07.16    -
F-Secure               9.0.15370.0      2010.07.16    Trojan.FakeAV.KZQ
Fortinet               4.1.143.0        2010.07.16    -
GData                  21               2010.07.16    Trojan.FakeAV.KZQ
Ikarus                 T3.1.1.84.0      2010.07.16    Trojan.Fakeav
Jiangmin               13.0.900         2010.07.16    -
Kaspersky              7.0.0.125        2010.07.16    -
McAfee                 5.400.0.1158     2010.07.16    -
McAfee-GW-Edition      2010.1           2010.07.16    -
Microsoft              1.6004           2010.07.16    -
NOD32                  5285             2010.07.16    -
Norman                 6.05.11          2010.07.16    -
nProtect               2010-07-16.01    2010.07.16    Trojan.FakeAV.KZQ
Panda                  10.0.2.7         2010.07.16    -
PCTools                7.0.3.5          2010.07.16    -
Prevx                  3.0              2010.07.16    -
Rising                 22.56.04.04      2010.07.16    -
Sophos                 4.55.0           2010.07.16    Mal/FakeAvHm-A
Sunbelt                6593             2010.07.16    -
SUPERAntiSpyware       4.40.0.1006      2010.07.16    -
Symantec               20101.1.1.7      2010.07.16    -
TheHacker              6.5.2.1.318      2010.07.16    -
TrendMicro             9.120.0.1004     2010.07.16    -
TrendMicro-HouseCall   9.120.0.1004     2010.07.16    -
VBA32                  3.12.12.6        2010.07.16    -
ViRobot                2010.7.12.3932   2010.07.16    -
VirusBuster            5.0.27.0         2010.07.16    -

MD5   : ccad642c7feb556572183c1de378d2bb
SHA1  : 3ee069a5fc061df44397fa962eef7065bb5789c9
SHA256: f589616f5345be0a8fb362a07eb32312093293cf518a865ec460700f52c89cf2

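How to read a report like the one above, as an added example (not code from the thread or from VirusTotal): 8/42 is a low ratio, but the same family token recurring across independent engines is what turns it into a confident call. The rows below are a constructed subset of the report (all eight detections plus five clean engines); the engine names, generic-token list and thresholds are my own assumptions.

```python
"""Added example, not part of the thread: read the engine rows of a pasted
VirusTotal report the way a responder does, and recompute the sample's
hashes so the report can be tied to the exact file in hand."""
import hashlib
import re
from collections import Counter

# Constructed subset of the report above: all eight detections, five clean engines.
SAMPLE_ROWS = """\
a-squared 5.0.0.31 2010.07.16 Trojan.Fakeav!IK
AhnLab-V3 2010.07.16.00 2010.07.15 -
BitDefender 7.2 2010.07.16 Trojan.FakeAV.KZQ
ClamAV 0.96.0.3-git 2010.07.16 -
eTrust-Vet 36.1.7715 2010.07.16 HTML/FakeAlert.BHB
F-Secure 9.0.15370.0 2010.07.16 Trojan.FakeAV.KZQ
GData 21 2010.07.16 Trojan.FakeAV.KZQ
Ikarus T3.1.1.84.0 2010.07.16 Trojan.Fakeav
Kaspersky 7.0.0.125 2010.07.16 -
Microsoft 1.6004 2010.07.16 -
nProtect 2010-07-16.01 2010.07.16 Trojan.FakeAV.KZQ
Sophos 4.55.0 2010.07.16 Mal/FakeAvHm-A
Symantec 20101.1.1.7 2010.07.16 -
"""

# Tokens that name a category rather than a family (assumed list); ignored
# when looking for agreement between engines.
GENERIC_TOKENS = {"trojan", "mal", "html", "win32", "w32", "generic", "heur",
                  "variant", "a", "b", "c"}


def parse_verdicts(text):
    """Map engine name -> verdict string, or None when the engine reported '-'.

    Each row is 'engine version last-update result'; the result may contain
    spaces, so everything after the third field is the verdict."""
    verdicts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        engine, result = fields[0], " ".join(fields[3:])
        verdicts[engine] = None if result == "-" else result
    return verdicts


def detection_ratio(verdicts):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for v in verdicts.values() if v), len(verdicts)


def family_tokens(verdict):
    """Lower-case alphanumeric tokens of a verdict:
    'Trojan.FakeAV.KZQ' -> {'trojan', 'fakeav', 'kzq'}."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", verdict)}


def family_consensus(verdicts):
    """Most common non-generic token across detecting engines, plus how many
    detecting engines agree with it.  Vendors spell families differently
    (FakeAV, Fakeav, FakeAvHm), so the second pass counts a token that merely
    starts with the winner as agreement."""
    counts = Counter()
    for v in verdicts.values():
        if v:
            counts.update(family_tokens(v) - GENERIC_TOKENS)
    if not counts:
        return None, 0
    family, _ = counts.most_common(1)[0]
    agreeing = sum(1 for v in verdicts.values()
                   if v and any(t.startswith(family) for t in family_tokens(v)))
    return family, agreeing


def triage(text):
    """Combine ratio and family agreement into a label a responder can act on.
    Thresholds are assumptions, not VirusTotal's."""
    verdicts = parse_verdicts(text)
    hits, total = detection_ratio(verdicts)
    family, agreeing = family_consensus(verdicts)
    if hits == 0:
        label = "undetected"
    elif family and agreeing >= 3 and agreeing >= hits // 2:
        label = "malicious"       # several independent engines name one family
    elif hits >= 5:
        label = "suspicious"      # many hits but no agreement on what it is
    else:
        label = "inconclusive"
    return {"label": label, "hits": hits, "total": total,
            "family": family, "agreeing": agreeing}


def digests(data):
    """MD5/SHA-1/SHA-256 of sample bytes; compare with the hashes in the
    report to be sure it describes the file you hold, not a namesake."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
    print(digests(b"constructed sample bytes"))
```

On the rows above the ratio is 8/13 and seven of the eight detecting engines agree on the `fakeav` token (the eighth says `FakeAlert`), which is why the label is "malicious" even though the full report's ratio is only 19%.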
LVL 22

Accepted Solution

by:
optoma earned 500 total points
Ok. That other file doesn't look right, so we will go ahead and remove them:

1. Open Notepad
2. Copy + paste all bolded text only between lines below into Notepad window
==================================================
Driver::
CCDevice
MpKslc71944a3
File::
c:\windows\Uvamelikolakefu.dat
c:\windows\system32\MpEngineStore\MpKslc71944a3.sys

==================================================
3. Now Save as CFScript.txt on your desktop/same location as Combofix.exe
4. Then drag the CFScript.txt into ComboFix.exe
LVL 22

Expert Comment

by:optoma
After that, post a new log and scan with HitmanPro to make sure nothing bad is left :)
http://www.surfright.nl/en/hitmanpro

Author Comment

by:alliart
Thanks, everyone, for your help.  I have finally been able to resolve the issue.  I was about to do a reinstall and decided to remove the SP3 service pack just to see if that corrected the issue, and believe it or not, that resolved the problem.  Everyone was so helpful with suggestions.  I really appreciated everyone's help.

Expert Comment

by:gtl-work
Try this; it obviously sounds like a DNS issue.

Run this in CMD

ipconfig /flushdns
ipconfig /registerdns
netsh int ip reset c:/log.txt
netsh winsock reset
shutdown -r -f -t 0

It has always worked for me.
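Before resetting the stack, it is worth separating the three things that produce this symptom. Below is an added example, not code from the thread: it classifies the failure from two probes (can a name resolve, can a bare IP be reached over TCP), inspects a Windows hosts file for the blackhole and redirect entries malware leaves behind, and checks the configured DNS servers against a list you trust. The hosts text, the TEST-NET addresses and the trusted-server list are constructed; the OpenDNS addresses are the ones shown in the ComboFix log above.

```python
"""Added example, not part of the thread: offline triage for 'IP addresses
reachable, host names not', the symptom in this question."""
import ipaddress
import socket

# Names a clean hosts file may legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed trusted resolvers: the OpenDNS pair from the log plus a router
# address; replace with the ISP/router resolvers expected on the site.
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220", "192.168.1.1"}

# Constructed sample, shaped like %SystemRoot%\system32\drivers\etc\hosts.
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.virustotal.com      # scanner site blackholed
0.0.0.0         update.example-av.test  # AV updates blackholed
192.0.2.10      www.google.com          # search redirected (TEST-NET address)
"""


def parse_hosts(text):
    """Yield (ip, name) for every mapping; comments and malformed lines skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an address: ignore, do not crash
        for name in fields[1:]:
            yield str(addr), name.lower()


def hosts_findings(text):
    """Entries other than the plain localhost mapping.

    'blocked'  : a public name sent to loopback/0.0.0.0 (AV vendors, update
                 sites, scanners); the site just appears to be down.
    'redirect' : a public name sent to some other address; the wrong site is
                 served silently."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        blackhole = addr.is_loopback or addr.is_unspecified
        if name in LOCAL_NAMES and blackhole:
            continue
        findings.append(("blocked" if blackhole else "redirect", ip, name))
    return findings


def untrusted_dns(configured, trusted=TRUSTED_DNS):
    """Configured resolvers not on the trusted list, in configured order."""
    return [s for s in configured if s not in trusted]


def diagnose(name_resolves, ip_connects, hosts_text, dns_servers):
    """Classify the failure from two probe results and attach what was found
    in the hosts file and resolver configuration."""
    if not ip_connects:
        layer = "connectivity"   # NIC, gateway, routing or firewall; not DNS
    elif name_resolves:
        layer = "ok"             # names resolve; look at proxy/app settings
    else:
        layer = "resolver"       # the exact symptom from the question
    return {
        "layer": layer,
        "hosts": hosts_findings(hosts_text),
        "untrusted_dns": untrusted_dns(dns_servers),
    }


def probe(name="www.google.com", ip="208.67.222.222", port=53, timeout=3):
    """Live probes for a real machine: resolve a name, then open TCP/53 to the
    resolver by address.  If the second works and the first does not, the
    resolver is reachable and the fault is local (hosts, Winsock, client)."""
    try:
        socket.gethostbyname(name)
        name_ok = True
    except socket.gaierror:
        name_ok = False
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            ip_ok = True
    except OSError:
        ip_ok = False
    return name_ok, ip_ok


if __name__ == "__main__":
    # Offline run against the constructed sample; use probe() on a live host.
    print(diagnose(False, True, HOSTS_SAMPLE, ["208.67.222.222", "192.0.2.53"]))
```

Run on the affected machine, `diagnose(*probe(), open(hosts_path).read(), servers_from_ipconfig)` tells you whether the reset commands above are even aimed at the right layer: a "connectivity" result means DNS is not the problem, and a "resolver" result with an empty hosts list and trusted servers points at the client stack, which is what the Winsock/IP reset addresses.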