Lost Internet after running Malwarebytes


This topic is locked
3 replies to this topic

#1 NowxorxNever14

New Member, 2 posts

Posted 14 February 2011 - 01:37 PM

Hey guys, first post here and I'm having a problem with my internet connection. I ran MBAM and it deleted 2 items; since then my internet hasn't worked properly. When I load IE, sometimes it will just say "INTERNET EXPLORER CANNOT DISPLAY THE WEBPAGE"; other times it will partially load my homepage (google.com), albeit very slowly, and only about 50% of it will load before the same page then loads stating "INTERNET EXPLORER CANNOT DISPLAY THE WEBPAGE". When I try loading Firefox, the same things happen. When I open the Control Panel and look at my network connection, it says that it is connected at a speed of 100.0 Mbps.



The log of what MBAM deleted is here:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/11/2011 9:24:10 AM

mbam-log-2011-02-11 (09-24-10).txt

Scan type: Full scan (C:\|)

Objects scanned: 806672

Time elapsed: 10 hour(s), 58 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\VRZJ8K91NT (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{0ede882f-f77c-471a-87a1-8bcdc29f3a36}\RP487\A0073155.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.





I checked to make sure that I wasn't set to connect to a proxy server, and I tried some other things that I have basic knowledge of to repair the problem, but to no avail. I also tried to repair the problem with a system restore, but no such luck in re-establishing a fully functional internet connection. I then ran a Windows XP Network Diagnostics check, but didn't save the first log. So I just ran another one and copied the log. The log is here:



Last diagnostic run time: 02/14/11 12:26:20 HTTP, HTTPS, FTP Diagnostic

HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved

warn HTTPS: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established

warn FTP (Active): Error 12031 connecting to ftp.microsoft.com: The connection with the server was reset

warn HTTP: Error 12029 connecting to www.microsoft.com: A connection with the server could not be established

warn HTTP: Error 12002 connecting to www.hotmail.com: The operation timed out

warn HTTPS: Error 12002 connecting to www.passport.net: The operation timed out

error Could not make an HTTP connection.

error Could not make an HTTPS connection.

error Could not make an FTP connection.

info Redirecting user to support call





DNS Client Diagnostic

DNS - Not a home user scenario

info Using Web Proxy: no

info Resolving name ok for (www.microsoft.com): yes

No DNS servers

DNS failure





Gateway Diagnostic

Gateway

info The following proxy configuration is being used by IE: Automatically Detect Settings:Enabled Automatic Configuration Script: Proxy Server: Proxy Bypass list:

info Could not get proxy settings via the Automatic Proxy Configuration mechanism

info This computer has the following default gateway entry(ies): 192.168.1.1

info This computer has the following IP address(es): 192.168.1.100

info The default gateway is in the same subnet as this computer

info The default gateway entry is a valid unicast address

warn The default gateway address could not be resolved via ARP

action Automated repair: Renew IP address

action Releasing the current IP address...

action Successfully released the current IP address

action Renewing the IP address...

action Successfully renewed the current IP address

info This computer has the following default gateway entry(ies): 192.168.1.1

info This computer has the following IP address(es): 192.168.1.100

info The default gateway is in the same subnet as this computer

info The default gateway entry is a valid unicast address

info The default gateway address was resolved via ARP in 1 try(ies)

info The default gateway was reached via ICMP Ping in 1 try(ies)

info TCP port 80 on host 65.55.12.249 was successfully reached

info The Internet host www.microsoft.com was successfully reached

info The default gateway is OK





IP Layer Diagnostic

Corrupted IP routing table

info The default route is valid

info The loopback route is valid

info The local host route is valid

info The local subnet route is valid

Invalid ARP cache entries

action The ARP cache has been flushed





IP Configuration Diagnostic

Invalid IP address

info Valid IP address detected: 192.168.1.100





Wireless Diagnostic

Wireless - Service disabled

Wireless - User SSID

Wireless - First time setup

Wireless - Radio off

Wireless - Out of range

Wireless - Hardware issue

Wireless - Novice user

Wireless - Ad-hoc network

Wireless - Less preferred

Wireless - 802.1x enabled

Wireless - Configuration mismatch

Wireless - Low SNR





WinSock Diagnostic

WinSock status

info All base service provider entries are present in the Winsock catalog.

info The Winsock Service provider chains are valid.

info Provider entry MSAFD Tcpip [TCP/IP] passed the loopback communication test.

info Provider entry MSAFD Tcpip [UDP/IP] passed the loopback communication test.

info Provider entry RSVP UDP Service Provider passed the loopback communication test.

info Provider entry RSVP TCP Service Provider passed the loopback communication test.

info Connectivity is valid for all Winsock service providers.





Network Adapter Diagnostic

Network location detection

info Using home Internet connection

Network adapter identification

info Network connection: Name=Local Area Connection, Device=Intel® PRO/100 VE Network Connection, MediaType=LAN, SubMediaType=LAN

info Ethernet connection selected

Network adapter status

info Network connection status: Connected





HTTP, HTTPS, FTP Diagnostic

HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved

warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved

warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved

warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved

warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved

warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved

error Could not make an HTTP connection.

error Could not make an HTTPS connection.

error Could not make an FTP connection.



I also took a screenshot of the Network Diagnostics window at the completion of the scan, as it stated things I have no understanding of. Picture here: [image]



I then tried ComboFix at the recommendation of a friend and that log is here:

ComboFix 11-02-13.04 - Jamie 02/14/2011 10:36:45.8.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.261 [GMT -5:00]

Running from: F:\ComboFix.exe

AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))

.

2011-02-11 16:38 . 2011-02-11 16:38 -------- d-----w- c:\windows\system32\wbem\Repository

2011-02-11 16:35 . 2011-02-11 16:35 -------- d-----w- c:\program files\Security Task Manager

2011-01-25 18:45 . 2011-01-25 18:45 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google

2011-01-25 18:40 . 2011-01-25 18:41 -------- d-----w- c:\documents and settings\Jamie.JAMIE-J7B6FZLLT\Local Settings\Application Data\Temp

2011-01-25 18:40 . 2011-01-25 18:40 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-20 12:55 . 2009-04-23 22:33 385024 ----a-w- c:\windows\system32\html.iec

2010-11-18 18:12 . 2009-04-20 21:10 81920 ----a-w- c:\windows\system32\isign32.dll

2010-02-28 23:39 . 2010-02-28 23:14 1228288 -c--a-w- c:\program files\ADBEILSTCS4_LS1.exe

2009-05-13 00:08 . 2009-05-13 00:07 7526856 -c--a-w- c:\program files\Firefox Setup 3.0.10.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-12-27_06.19.11 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-02-11 17:14 . 2011-02-11 17:14 16384 c:\windows\temp\Perflib_Perfdata_74c.dat

+ 2011-02-11 17:14 . 2011-02-11 17:14 16384 c:\windows\temp\Perflib_Perfdata_648.dat

+ 2010-08-13 16:33 . 2010-12-27 06:31 97859 c:\windows\system32\drivers\klick.dat

+ 2011-01-25 18:40 . 2011-01-25 18:40 21504 c:\windows\Installer\4174b6c3.msi

+ 2011-01-25 18:42 . 2011-01-25 18:42 25214 c:\windows\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe

+ 2011-01-12 11:46 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2419632\update\spcustom.dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2419632\spmsg.dll

+ 2002-08-29 12:00 . 2010-11-06 00:26 916480 c:\windows\system32\wininet(3).dll

+ 2002-08-29 12:00 . 2008-04-14 00:12 438272 c:\windows\system32\shimgvw(2).dll

+ 2010-01-26 05:05 . 2011-02-11 16:40 651052 c:\windows\system32\Restore\rstrlog.dat

- 2002-08-29 12:00 . 2008-04-14 00:12 249856 c:\windows\system32\odbc32.dll

+ 2002-08-29 12:00 . 2010-11-09 14:52 249856 c:\windows\system32\odbc32.dll

+ 2002-08-29 12:00 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos(3).dll

+ 2010-08-13 16:33 . 2010-12-27 06:31 114243 c:\windows\system32\drivers\klin.dat

+ 2010-11-09 14:52 . 2010-11-09 14:52 249856 c:\windows\system32\dllcache\odbc32.dll

- 2009-04-14 22:07 . 2008-04-14 00:12 102400 c:\windows\system32\dllcache\msjro.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 102400 c:\windows\system32\dllcache\msjro.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 200704 c:\windows\system32\dllcache\msadox.dll

- 2009-04-14 22:07 . 2008-04-14 00:11 200704 c:\windows\system32\dllcache\msadox.dll

- 2009-04-14 22:07 . 2008-04-14 00:11 180224 c:\windows\system32\dllcache\msadomd.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 180224 c:\windows\system32\dllcache\msadomd.dll

- 2009-04-14 22:07 . 2008-04-14 00:11 536576 c:\windows\system32\dllcache\msado15.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll

- 2009-04-14 22:07 . 2008-04-14 00:11 143360 c:\windows\system32\dllcache\msadco.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 143360 c:\windows\system32\dllcache\msadco.dll

+ 2002-08-29 12:00 . 2010-10-28 13:13 290048 c:\windows\system32\atmfd(3).dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 382840 c:\windows\$NtUninstallKB2419632$\spuninst\updspapi.dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 231288 c:\windows\$NtUninstallKB2419632$\spuninst\spuninst.exe

+ 2011-01-12 11:46 . 2008-04-14 00:12 249856 c:\windows\$NtUninstallKB2419632$\odbc32.dll

+ 2011-01-12 11:46 . 2008-04-14 00:12 102400 c:\windows\$NtUninstallKB2419632$\msjro.dll

+ 2011-01-12 11:46 . 2008-04-14 00:11 200704 c:\windows\$NtUninstallKB2419632$\msadox.dll

+ 2011-01-12 11:46 . 2008-04-14 00:11 180224 c:\windows\$NtUninstallKB2419632$\msadomd.dll

+ 2011-01-12 11:46 . 2008-04-14 00:11 536576 c:\windows\$NtUninstallKB2419632$\msado15.dll

+ 2011-01-12 11:46 . 2008-04-14 00:11 143360 c:\windows\$NtUninstallKB2419632$\msadco.dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB2419632\update\updspapi.dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB2419632\update\update.exe

+ 2011-01-12 11:46 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2419632\spuninst.exe

+ 2010-11-09 14:50 . 2010-11-09 14:50 253952 c:\windows\$hf_mig$\KB2419632\SP3QFE\odbc32.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 102400 c:\windows\$hf_mig$\KB2419632\SP3QFE\msjro.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 200704 c:\windows\$hf_mig$\KB2419632\SP3QFE\msadox.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 180224 c:\windows\$hf_mig$\KB2419632\SP3QFE\msadomd.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 565248 c:\windows\$hf_mig$\KB2419632\SP3QFE\msado15.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 143360 c:\windows\$hf_mig$\KB2419632\SP3QFE\msadco.dll

+ 2002-08-29 12:00 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon(3).dll

+ 2002-08-29 12:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32(3).dll

+ 2009-04-20 16:38 . 2011-02-11 16:41 2010696 c:\windows\system32\FNTCACHE.DAT

- 2009-04-20 16:38 . 2010-12-15 08:41 2010696 c:\windows\system32\FNTCACHE.DAT

+ 2009-05-05 15:50 . 2011-01-12 11:46 37403080 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2010-09-09 340520]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2009-03-15 10:15 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-01-29 07:44 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/29/2002 7:00 AM 14336]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/25/2011 1:40 PM 136176]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [9/21/2009 3:34 PM 11264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

2011-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2011-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-25 18:40]

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-25 18:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5643

uInternet Settings,ProxyOverride = *.local;<local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &SHOUTcast Search - c:\documents and settings\All Users.WINDOWS\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html

Trusted Zone: sprint.com\mysprint

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-11994.cab

FF - ProfilePath - c:\documents and settings\Jamie.JAMIE-J7B6FZLLT\Application Data\Mozilla\Firefox\Profiles\swpg81rz.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: XULRunner: {12AF9789-BCF4-4495-BAA6-26AC23D076E0} - c:\documents and settings\Jamie.JAMIE-J7B6FZLLT\Local Settings\Application Data\{12AF9789-BCF4-4495-BAA6-26AC23D076E0}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-14 10:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(132)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2011-02-14 10:54:18

ComboFix-quarantined-files.txt 2011-02-14 15:54

ComboFix2.txt 2010-12-27 06:22

ComboFix3.txt 2010-12-13 22:08

ComboFix4.txt 2010-11-29 20:48

ComboFix5.txt 2011-02-14 15:31

Pre-Run: 1,536,020,480 bytes free

Post-Run: 1,756,291,072 bytes free

- - End Of File - - 63948A44CA2889B94621C999E450895B





After that I ran ComboFix again with this:



FCopy::

C:\WINDOWS\ServicePackFiles\i386\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys



I saved it as CFScript.txt and dragged it into ComboFix, which caused CF to reboot again. That log is here:

ComboFix 11-02-13.04 - Jamie 02/14/2011 11:17:38.9.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.209 [GMT -5:00]

Running from: c:\documents and settings\Jamie.JAMIE-J7B6FZLLT\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jamie.JAMIE-J7B6FZLLT\Desktop\CFScript.txt

AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\netbt.sys --> c:\windows\system32\drivers\netbt.sys

.

((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))

.

2011-02-11 16:38 . 2011-02-11 16:38 -------- d-----w- c:\windows\system32\wbem\Repository

2011-02-11 16:35 . 2011-02-11 16:35 -------- d-----w- c:\program files\Security Task Manager

2011-01-25 18:45 . 2011-01-25 18:45 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google

2011-01-25 18:40 . 2011-01-25 18:41 -------- d-----w- c:\documents and settings\Jamie.JAMIE-J7B6FZLLT\Local Settings\Application Data\Temp

2011-01-25 18:40 . 2011-01-25 18:40 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-20 12:55 . 2009-04-23 22:33 385024 ----a-w- c:\windows\system32\html.iec

2010-11-18 18:12 . 2009-04-20 21:10 81920 ----a-w- c:\windows\system32\isign32.dll

2010-02-28 23:39 . 2010-02-28 23:14 1228288 -c--a-w- c:\program files\ADBEILSTCS4_LS1.exe

2009-05-13 00:08 . 2009-05-13 00:07 7526856 -c--a-w- c:\program files\Firefox Setup 3.0.10.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-12-27_06.19.11 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-02-11 17:14 . 2011-02-11 17:14 16384 c:\windows\temp\Perflib_Perfdata_74c.dat

+ 2011-02-11 17:14 . 2011-02-11 17:14 16384 c:\windows\temp\Perflib_Perfdata_648.dat

+ 2010-08-13 16:33 . 2010-12-27 06:31 97859 c:\windows\system32\drivers\klick.dat

+ 2011-01-25 18:40 . 2011-01-25 18:40 21504 c:\windows\Installer\4174b6c3.msi

+ 2011-01-25 18:42 . 2011-01-25 18:42 25214 c:\windows\Installer\{C768790F-04FB-11E0-9B2C-001AA037B01E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe

+ 2011-01-12 11:46 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2419632\update\spcustom.dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2419632\spmsg.dll

+ 2002-08-29 12:00 . 2010-11-06 00:26 916480 c:\windows\system32\wininet(3).dll

+ 2002-08-29 12:00 . 2008-04-14 00:12 438272 c:\windows\system32\shimgvw(2).dll

+ 2010-01-26 05:05 . 2011-02-11 16:40 651052 c:\windows\system32\Restore\rstrlog.dat

- 2002-08-29 12:00 . 2008-04-14 00:12 249856 c:\windows\system32\odbc32.dll

+ 2002-08-29 12:00 . 2010-11-09 14:52 249856 c:\windows\system32\odbc32.dll

+ 2002-08-29 12:00 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos(3).dll

+ 2010-08-13 16:33 . 2010-12-27 06:31 114243 c:\windows\system32\drivers\klin.dat

+ 2010-11-09 14:52 . 2010-11-09 14:52 249856 c:\windows\system32\dllcache\odbc32.dll

+ 2002-08-29 12:00 . 2008-04-13 19:21 162816 c:\windows\system32\dllcache\netbt.sys

+ 2009-04-14 22:07 . 2010-11-09 14:52 102400 c:\windows\system32\dllcache\msjro.dll

- 2009-04-14 22:07 . 2008-04-14 00:12 102400 c:\windows\system32\dllcache\msjro.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 200704 c:\windows\system32\dllcache\msadox.dll

- 2009-04-14 22:07 . 2008-04-14 00:11 200704 c:\windows\system32\dllcache\msadox.dll

- 2009-04-14 22:07 . 2008-04-14 00:11 180224 c:\windows\system32\dllcache\msadomd.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 180224 c:\windows\system32\dllcache\msadomd.dll

- 2009-04-14 22:07 . 2008-04-14 00:11 536576 c:\windows\system32\dllcache\msado15.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll

+ 2009-04-14 22:07 . 2010-11-09 14:52 143360 c:\windows\system32\dllcache\msadco.dll

- 2009-04-14 22:07 . 2008-04-14 00:11 143360 c:\windows\system32\dllcache\msadco.dll

+ 2002-08-29 12:00 . 2010-10-28 13:13 290048 c:\windows\system32\atmfd(3).dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 382840 c:\windows\$NtUninstallKB2419632$\spuninst\updspapi.dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 231288 c:\windows\$NtUninstallKB2419632$\spuninst\spuninst.exe

+ 2011-01-12 11:46 . 2008-04-14 00:12 249856 c:\windows\$NtUninstallKB2419632$\odbc32.dll

+ 2011-01-12 11:46 . 2008-04-14 00:12 102400 c:\windows\$NtUninstallKB2419632$\msjro.dll

+ 2011-01-12 11:46 . 2008-04-14 00:11 200704 c:\windows\$NtUninstallKB2419632$\msadox.dll

+ 2011-01-12 11:46 . 2008-04-14 00:11 180224 c:\windows\$NtUninstallKB2419632$\msadomd.dll

+ 2011-01-12 11:46 . 2008-04-14 00:11 536576 c:\windows\$NtUninstallKB2419632$\msado15.dll

+ 2011-01-12 11:46 . 2008-04-14 00:11 143360 c:\windows\$NtUninstallKB2419632$\msadco.dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB2419632\update\updspapi.dll

+ 2011-01-12 11:46 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB2419632\update\update.exe

+ 2011-01-12 11:46 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2419632\spuninst.exe

+ 2010-11-09 14:50 . 2010-11-09 14:50 253952 c:\windows\$hf_mig$\KB2419632\SP3QFE\odbc32.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 102400 c:\windows\$hf_mig$\KB2419632\SP3QFE\msjro.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 200704 c:\windows\$hf_mig$\KB2419632\SP3QFE\msadox.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 180224 c:\windows\$hf_mig$\KB2419632\SP3QFE\msadomd.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 565248 c:\windows\$hf_mig$\KB2419632\SP3QFE\msado15.dll

+ 2010-11-09 14:50 . 2010-11-09 14:50 143360 c:\windows\$hf_mig$\KB2419632\SP3QFE\msadco.dll

+ 2002-08-29 12:00 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon(3).dll

+ 2002-08-29 12:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32(3).dll

+ 2009-04-20 16:38 . 2011-02-11 16:41 2010696 c:\windows\system32\FNTCACHE.DAT

- 2009-04-20 16:38 . 2010-12-15 08:41 2010696 c:\windows\system32\FNTCACHE.DAT

+ 2009-05-05 15:50 . 2011-01-12 11:46 37403080 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2010-09-09 340520]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2009-03-15 10:15 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-01-29 07:44 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/29/2002 7:00 AM 14336]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/25/2011 1:40 PM 136176]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [9/21/2009 3:34 PM 11264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

2011-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2011-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-25 18:40]

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-25 18:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5643

uInternet Settings,ProxyOverride = *.local;<local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &SHOUTcast Search - c:\documents and settings\All Users.WINDOWS\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html

Trusted Zone: sprint.com\mysprint

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-11994.cab

FF - ProfilePath - c:\documents and settings\Jamie.JAMIE-J7B6FZLLT\Application Data\Mozilla\Firefox\Profiles\swpg81rz.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: XULRunner: {12AF9789-BCF4-4495-BAA6-26AC23D076E0} - c:\documents and settings\Jamie.JAMIE-J7B6FZLLT\Local Settings\Application Data\{12AF9789-BCF4-4495-BAA6-26AC23D076E0}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-14 11:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2011-02-14 11:33:40

ComboFix-quarantined-files.txt 2011-02-14 16:33

ComboFix2.txt 2011-02-14 15:54

ComboFix3.txt 2010-12-27 06:22

ComboFix4.txt 2010-12-13 22:08

ComboFix5.txt 2011-02-14 16:16

Pre-Run: 1,759,457,280 bytes free

Post-Run: 1,748,299,776 bytes free

- - End Of File - - C6E7FB35EA683E6FC73CACF3EC9BD27B



After that I ran an IPCONFIG, log is here:



Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.


C:\Documents and Settings\Jamie.JAMIE-J7B6FZLLT>IPCONFIG /ALL

Windows IP Configuration

Host Name . . . . . . . . . . . . : jamie-j7b6fzllt
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.ct.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.ct.comcast.net.
Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-07-E9-71-AD-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 68.87.71.230
68.87.73.246
Lease Obtained. . . . . . . . . . : Monday, February 14, 2011 11:40:33 AM
Lease Expires . . . . . . . . . . : Tuesday, February 15, 2011 11:40:33 AM





And finally I pinged Google.com and the log of that is here:



Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jamie.JAMIE-J7B6FZLLT>ping google.com

Pinging google.com [74.125.226.113] with 32 bytes of data:

Request timed out.
Request timed out.
Reply from 74.125.226.113: bytes=32 time=25ms TTL=52
Reply from 74.125.226.113: bytes=32 time=25ms TTL=52

Ping statistics for 74.125.226.113:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:

Minimum = 25ms, Maximum = 25ms, Average = 25ms


I also just ran WinsockxpFix, but that didn't help either.


On certain forums I was on trying to find info on repairing my problem, all these different steps were recommended, which is why I did all these scans and such. I figured the more info I had available to someone helping me with this dilemma, the better off I'd be. I am by no means a computer whiz, and don't understand 3/4 of what is contained in all these logs. But hopefully someone here can help me out...



Thank you very much for any assistance,

Jamie



#2 Tomk

Tomk

    White Board Moderator

  • Malware Team
  • 18,174 posts
  • MVP

Posted 14 February 2011 - 02:35 PM

Hi NowxorxNever14,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please don't run any more tools or fixes without guidance.

Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.
    Copy and Paste everything from the Quote box into Notepad:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    "ProxyOverride"="*.local"


    Make sure there are NO blank lines before REGEDIT4
    Make sure there IS one blank line at the end of the file.

    Go to File > Save As
    Save File name as Fix.reg
    Change Save as Type to All Files and save the file to your desktop.

    Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer.

This should restore your internet access.

Then...

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
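An added triage helper, not code from the thread or from ComboFix, that reads the "uInternet Settings,ProxyServer" line in the format shown in the Supplementary Scan above, flags a proxy that points back at the machine itself (the 127.0.0.1:5643 entry is the kind of setting that leaves a browser with nothing to connect to), and emits the same REGEDIT4 value deletion that Tomk's Fix.reg performs. The sample log text below is constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the layout of ComboFix's Supplementary Scan section;
# the loopback proxy line mirrors the one quoted in this thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$", re.M)


def parse_proxy_server(value):
    """Split a WinINet ProxyServer string into {scheme: (host, port)}.
    Handles both 'host:port' (all protocols, keyed '*') and 'http=host:port;...'."""
    result = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # no '=' -> scheme is ""
        host, _, port = hostport.partition(":")
        result[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return result


def is_loopback_proxy(hostport):
    """True when the proxy host is 127.x / ::1 / 'localhost'."""
    host, _port = hostport
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_loopback_proxies(log_text):
    """Return (scheme, host, port) for every ProxyServer entry aimed at this machine."""
    hits = []
    for m in PROXY_RE.finditer(log_text):
        for scheme, hp in parse_proxy_server(m.group(1)).items():
            if is_loopback_proxy(hp):
                hits.append((scheme, hp[0], hp[1]))
    return hits


def reg_fix():
    """REGEDIT4 text deleting the per-user ProxyServer value ('=-' means delete)."""
    return ("REGEDIT4\r\n\r\n"
            "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\r\n"
            "\"ProxyServer\"=-\r\n\r\n")


if __name__ == "__main__":
    for scheme, host, port in find_loopback_proxies(SAMPLE_LOG):
        print(f"{scheme} proxy -> {host}:{port}: loopback proxy with no legitimate listener")
    print(reg_fix())
```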

#3 NowxorxNever14

NowxorxNever14

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 14 February 2011 - 03:37 PM

Thank you for the reply, Tomk. Unfortunately trying that didn't fix my internet. Any other suggestions?

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,550 posts
  • MVP

Posted 14 February 2011 - 03:41 PM

Being helped here:
http://forums.malwar...showtopic=75445



