Cannot Access Internet No Longer


32 replies to this topic

#1 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 08 April 2005 - 12:23 PM

I recently had a ton of spyware and trojans. I finally got rid of all of them and now I cannot get on the internet. I use cable and have released and renewed IP and still nothing. It seems like a DNS problem but is not. I can ping a website but cannot use an IP address in the browser to get on the internet. I need help really bad with this....



#2 'KotaGuy

'KotaGuy

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 931 posts

Posted 08 April 2005 - 04:43 PM

Hi uneekname.

You may want to try one of these depending on your Operating System: WinSockFix2KXP or WinSockFixWin9xME.

Hope this helps!

#3 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 08 April 2005 - 04:57 PM

I did the winsock and it said there were no problems.

#4 'KotaGuy

'KotaGuy

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 931 posts

Posted 08 April 2005 - 05:36 PM

Download HijackThis. Extract it to its own folder (e.g. C:\Program Files\HijackThis\HijackThis.exe). This is extremely important as HijackThis cannot create the necessary backup files if run from a Temp folder, zip/rar archive, CD, etc.

Run and scan with HijackThis. Don't fix anything yet. Copy and paste the complete log into a reply here.

#5 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 08 April 2005 - 08:40 PM

HijackThis didn't do anything either. Only one thing to remove but still I cannot get on the net and Spybot still shows WebSearch toolbar...

#6 'KotaGuy

'KotaGuy

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 931 posts

Posted 08 April 2005 - 08:44 PM

Umm... what do you mean by HijackThis "didn't do anything"? Run the program, click the "Do a System scan and save the log file" button. When the text document opens up, copy and paste the results into a reply here please.

#7 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 08 April 2005 - 11:49 PM

This is an updated log. The one before had one thing wrong (so I was told by an expert) so I removed it and this is the new one. By the way, thanks for helping me and anyone else that does.


Logfile of HijackThis v1.99.1
Scan saved at 10:35:39 PM, on 4/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sbc.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_8_6.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_8_6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\JetCar.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\JetCar.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE

Edited by uneekname, 08 April 2005 - 11:51 PM.
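
The log layout from post #7, parsed into records, as an added example that is not part of the thread or of HijackThis itself. The sample lines are copied from that log and the function names are hypothetical; the example goes slightly beyond the thread by listing startup entries that give no full path, which a reviewer has to locate by hand.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted above, kept short for the example.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # "<section code> - <detail>"
FULL_PATH = re.compile(r"^[A-Za-z]:\\")

def target_of(code, detail):
    """Return the file or URL that one log entry points at."""
    if code.startswith("R"):                      # "key,value = data"
        return detail.partition(" = ")[2].strip()
    if code == "O4":                              # "hive\..\Run: [name] command"
        cmd = detail.partition("] ")[2] or detail
        if cmd.startswith('"'):                   # quoted path, arguments follow
            return cmd[1:].partition('"')[0]
        return cmd                                # unquoted: keep the command whole
    return detail.rpartition(" - ")[2].strip()    # BHO, toolbar, service: last field

def parse_log(text):
    """Return (code, detail, target) for every R*/O* entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), target_of(*m.groups())))
    return entries

def by_section(entries):
    """Group targets by section code."""
    grouped = defaultdict(list)
    for code, _detail, target in entries:
        grouped[code].append(target)
    return dict(grouped)

def needs_locating(entries):
    """Startup items (O4) and services (O23) whose target has no full path."""
    return [t for code, _d, t in entries
            if code in ("O4", "O23") and not FULL_PATH.match(t)]

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for code, targets in by_section(parsed).items():
        print(code, targets)
    print("no full path:", needs_locating(parsed))
```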


#8 'KotaGuy

'KotaGuy

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 931 posts

Posted 09 April 2005 - 12:23 AM

Ok... log is clean. Strange. :blink: So you can, for instance, open a command prompt, ping www.microsoft.com successfully, but if you put www.microsoft.com in the url field of the browser you get... nothing? No error messages, time out messages.. just nothing? Do you remember, more or less, what your machine was infected with and how you went about cleaning it? Also, can you let me know what exactly (filename/location) Spybot is detecting please.

#9 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 09 April 2005 - 02:47 AM

Well, on the internet I get a "page cannot be displayed." And yes, I can ping in command prompt but will not get with site in URL. Spy Sweeper keeps finding something called WebSearch Toolbar. I know it has that and Win tool. I can't get rid of either of these. On Win tool the location is: C:\documentsandsettings\hurleylocalsettings\temp~496. The number on the end just keeps changing, there's 507 683 710 so on and so on.. On Spybot there are a lot of entries, one is

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc\0000 ll class
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc\0000 ll classguid
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc\0000 ll configflags
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc\0000 ll devicedesc
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc ll nextinstance
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000 ll service
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000 ll legacy
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000 ll configflags
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000 ll class
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000 ll classguid
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000 ll devicedesc
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc\0000
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc ll nextinstance
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc\0000 ll service

#10 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 09 April 2005 - 04:15 AM

And it will not let me uninstall Norton's firewall. It is accessing ports when I try to get on the internet.. here are ports that it opens: TCP 135,139,445,1025,1026,1029,1033,5000,9150. For UDP 123,137,138,445,500,1027,1039,1900,10714. I know I am trying to use a removal tool but for some odd reason it won't let me open any files on my floppies. It will let me see what's on it but will not open any files on it.. It will just sit there and try and try.



#11 'KotaGuy

'KotaGuy

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 931 posts

Posted 09 April 2005 - 09:53 AM

Download CCleaner

Open up a new text document.

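Copy/paste the following quote box into it.

REGEDIT4

; A leading "-" inside the brackets deletes the whole key and its subkeys.
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy.tbpssvc]
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc]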


Save as: fixme.reg
File Type: All

Save it on your desktop. Right click on fixme.reg, choose Merge, when Windows asks if you are sure, proceed with merging it into the registry. Reboot into Safe Mode.

Run CCleaner, under the Windows tab check Internet Explorer, Windows Explorer, and System. Then click Run Cleaner. Browse to the C:\WINDOWS\Prefetch folder and delete all the files inside it (not the Prefetch folder itself). Empty your Recycle Bin.

Reboot windows normally, do a Spybot scan and let me know if it finds anything.

As for the Ports being open...

TCP Port 135 = Microsoft Remote Procedure Call (RPC) service
TCP Port 139 = Netbios Session Service is used for resource sharing on Windows 9x, ME and NT. This is the port that is used to connect file shares for example.
TCP Port 445 = The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.
TCP Port 1025 = Microsoft Remote Procedure Call (RPC) service.
TCP Port 1033 = local netinfo port (this port can also at times be used by the NetSpy Trojan but I didn't see it in your log)
TCP Port 5000 = Windows Universal plug and play service (UPNP).
TCP Port 9150 = ? I unfortunately wasn't able to find much about the designation of this port so I'm not sure why it is open.

UDP Port 123 = Network Time Protocol
UDP Ports 137 & 138 = NetBIOS over TCP/IP
UDP Port 445 = Related to the TCP Port 445 entry
UDP Port 500 = Internet Security Association and Key Management Protocol (ISAKMP)
UDP Port 1027 = could possibly be services.exe on this port (services.exe is dynamically assigned a port at startup, these are usually UDP 1024-1035).
UDP Port 1039 = not assigned a common function as of yet
UDP Port 1900 = ssdppsrv - This component provides the Simple Service Discovery Protocol service used in WinMe for Universal Plug and Play. It also provides General Event Notification Architecture (GENA) service.
UDP Port 10714 = unassigned as well

As for your Norton problem... see if this page helps you any. It has a tool called SymNRT that can be used to uninstall Norton products if Add/Remove Programs won't work. Note that this is only for Norton products labelled 2004/2005. If you are using a Norton product labelled 2003 or earlier go here.

Also, could you download and run these tools please: Stinger, FixWelch, and FixBlast.

Let me know how things are going after you run the tools.

Edited by 'KotaGuy, 09 April 2005 - 10:18 AM.
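
For the ports the list above leaves without a purpose, the usual next step is to see which process holds them. The following is an added example, not part of the original post: it joins `netstat -ano` output to `tasklist /fo csv /nh` output and keeps only sockets on ports the post does not explain. Both sample outputs are constructed, `placeholder.exe` is a hypothetical image name, and it assumes a Windows edition that ships `tasklist`.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9150           0.0.0.0:0              LISTENING       1476
  TCP    192.168.1.5:1041       10.0.0.9:80            ESTABLISHED     1620
  UDP    0.0.0.0:123            *:*                                    1012
  UDP    0.0.0.0:10714          *:*                                    1476
"""
# Constructed sample of `tasklist /fo csv /nh` output; placeholder.exe is hypothetical.
TASKLIST = '''\
"System","4","Console","0","216 K"
"svchost.exe","884","Console","0","3,456 K"
"svchost.exe","1012","Console","0","18,204 K"
"placeholder.exe","1476","Console","0","5,120 K"
'''
# Ports the post above gives a definite purpose for.
EXPLAINED = {"TCP": {135, 139, 445, 1025, 1033, 5000},
             "UDP": {123, 137, 138, 445, 500, 1900}}

def listeners(netstat_text):
    """Return (proto, port, pid) for listening TCP and bound UDP sockets."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            out.append(("TCP", int(f[1].rsplit(":", 1)[1]), int(f[4])))
        elif len(f) == 4 and f[0] == "UDP":      # UDP rows have no State column
            out.append(("UDP", int(f[1].rsplit(":", 1)[1]), int(f[3])))
    return out

def images(tasklist_csv):
    """Map PID to image name from tasklist CSV rows."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if r}

def unexplained(netstat_text, tasklist_csv):
    """Sockets on ports outside EXPLAINED, with the owning image name."""
    names = images(tasklist_csv)
    return [(proto, port, pid, names.get(pid, "?"))
            for proto, port, pid in listeners(netstat_text)
            if port not in EXPLAINED[proto]]

if __name__ == "__main__":
    for row in unexplained(NETSTAT, TASKLIST):
        print(row)
```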


#12 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 09 April 2005 - 12:58 PM

On the Quote for registry to merge into directory there is not a merge when you right click the fixme.reg text document.

#13 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 09 April 2005 - 02:24 PM

I really appreciate your help too Kotaguy... I did everything you said with the exception of save the fixme.reg cause merge was not there when I right clicked... However Spy Sweeper says: "Adware found: WebSearch Toolbar". Spybot does not have anything.. but still cannot access net... Now on the REGEDIT4 adding, all those already exist in registry!!! WOW!!!!! This is too much... Oh ya, on all the fix tools (blaster, etc) they found nothing.. I have even tried CWShredder and nothing.. I think I am just about to reformat.... Looks like it would have been a lot quicker.. again thanks..

Edited by uneekname, 09 April 2005 - 02:35 PM.


#14 uneekname

uneekname

    Authentic Member

  • Authentic Member
  • PipPip
  • 20 posts

Posted 09 April 2005 - 03:44 PM

I have read what another guy had similar to this and this is what he did but I have no idea what to do with all that.....

We never discovered which virus attacked the machine. We had to use a Mepis Linux LiveCD to boot from and delete the infected disk partition. Boot floppies booted fine but the keyboard would not work so fdisk/format were not available that way, so we had to use the Linux CD. Even it did not completely destroy the partition data but it did kill the MBR. Then we used a BART_PE Windows custom boot CD to actually kill, recreate and format the full partition. We had to do this because just putting in the WinXP install disk did not allow us to install. The trojan blocked the use of the keyboard so we could not hit the 'Enter' key when asked if we wanted to boot from the CD. Further, putting the XP CD in with the bad Windows loaded we were not allowed to install from there either (it gave an error that said we could not install because the copy on the hard disk was newer and the option to 'Continue' anyway was greyed out).

Finally, after using the Mepis LiveCD to kill the MBR, and the BART_PE LiveCD to remove, recreate and format the partition the XP install CD worked flawlessly. The system is now back online and virus-free (for now anyway).

This one was about as ugly as it gets, folks. I hope no one else comes across it 'cuz it ain't pretty. Thanks again for all your suggestions and assistance.

#15 'KotaGuy

'KotaGuy

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 931 posts

Posted 09 April 2005 - 05:45 PM

If you aren't getting an option to merge the regfix when you right click it, double click the file after you have saved it... it should do the same thing. And what this is doing is not adding the entries into the registry, this will remove the entries from the registry. So if you could, please try the regfix again, make sure you save it as "All File Types", and double click it instead of right clicking. Answer to proceed when it asks you if you want to do it, and reboot. Then do the scans. As for having to reformat.... I'm not ready to give up on this yet :P Let me know how it goes.

Edited by 'KotaGuy, 09 April 2005 - 05:45 PM.
