3 replies to this topic

[kamkam1]

Hi,

I was sent to this forum section by the Forum God LDTate. He thinks that you guys might be able to help me, since my Hijack This and ComboFix logs, thanks to his help, are now clean but my problem is still present.
If you want to have a look at the most recent logs anyway, here is a link to view the logs:

Combo Fix and Hijack This
Gmer report is available at the end of this post
Link to my previous post


Here's what's wrong:
I've got a problem with my ASUS F7E notebook running on Win XP HE SP3. I cannot browse any web pages, both by IE and Firefox. The connection is being resetted while negotiation (this is what firefox says). Alle the other services work fine (windows updates, ICQ, ping etc.). It's just the HTTP, HTTPS and FTP that I can not use (ports 80 and 21). The Windows Network Diagnosis Tool has also detected problems with ony these three services.

This problem is not present when the system is being run in an emergency mode. Than I can browse the Web as normal both in IE and Firefox.

WHAT HAPPENED:
The notebook was infected by the Win32:Monga (Trj). I used Norton Internet Security 2007 and online scanner (Polish MKS_Vir) to get rid of the infection. It deleted the infected files, but did not undo the changes made in the system. Therefore I could not open any local disc drives by My Computer (no matter what I selected - Open, Explore, Autorun- the system tried to use infected e.com file to perform the instruction), see any hidden or system files, regardless of windows settings. I've heared that ComboFix solves these problems.

After downloading ComboFix I disconnected the network cable form the laptop, uninstalled Norton Internet Security (since I had 5 days of subscription left) and reboot the computer. Than I started ComboFix. At the end of the program (while generating the log file) several errors of Catchme.tmp occured (the one with Send a report/Don't send). Nevertheless, after a while the program closed properly, the log file was generated. (These errors of catchme.tmp occur each time I run ComboFix) I restarted the computer, uninstalled combofix (Run -> ComboFix /u) and deleted the QooBox folder. I installed Avast antivirus, run Trojan Remover and ATF Cleaner. Updated the system from SP2 to SP3. All the problems caused by Monga were fixed.

However, a new one appeared. The one with browsing the web... I've tried everything. Checekd all the network settings, browsers settings, turned off windows firewall (afted uninstalling Norton IS this is the only one left in the system), tried installing new browser (Opera), tried another network (WiFi). I still can't open any web pages. I think of reinstalling network drivers and IE. Do you think it might help?

I did all of these actions (except for uninstalling Norton IS) on my other notebook (Toshinba Satellite S2450-S203), also infected by Monga and everything is OK on this one. The problems were fixed and the network works fine.

Please help me... I will try to provide you with all the necessary info about the system. I'd rather not format hdd and reinstall the system.

Edited by kamkam1, 06 October 2008 - 03:34 AM.

[tallin]

KamKam1,

I noticed your post last evening my time. I did not welcome you at that stage as I was waiting for our experts in Browsers and Internet Email to wake and come by to maybe assist you. I notice they have both looked at your post and have not offered a reply which may mean they have no answer for you.

I am sorry I cannot give you an answer as I do not know it. Others may come by to assist you of course

Sometimes a hands on would be to your advantage as you seem to have tried just about everything to correct your problem. I would advise you to take your system to a qualified tech near to where you live giving them all the details you have attempted to cut the visit short so to speak. We do not like sending members for hands on service, as we pride ourselves to be able among our volunteers to answer all problems offered for attention.

We would appreciate if you do find the answer, for you to post back when your system is repaired to your satisfaction so we can help others in the future. I must commend you for your articulate post with all details.

Again we are sorry we were not able to help you on this occasion.

kind regards,

[Tallon41]

Click Start---all programs----accessories----system tools----system information

When the “system information” window opens, (it will take some seconds for scan to complete,) maximize the window,
Expand “components”, then “network”, then “protocol”
The first two sections should look like this (it may be different if there are Avast entries that’s fine.) if Norton did not remove properly, then ccproxy may appear, which would be the cause of your problem.

Name MSAFD Tcpip [TCP/IP]
Connectionless Service No
Guarantees Delivery Yes
Guarantees Sequencing Yes
Maximum Address Size 16 bytes
Maximum Message Size 0 bytes
Message Oriented No
Minimum Address Size 16 bytes
Pseudo Stream Oriented No
Supports Broadcasting No
Supports Connect Data No
Supports Disconnect Data No
Supports Encryption No
Supports Expedited Data Yes
Supports Graceful Closing Yes
Supports Guaranteed Bandwidth Yes
Supports Multicasting No

Name MSAFD Tcpip [UDP/IP]
Connectionless Service Yes
Guarantees Delivery No
Guarantees Sequencing No
Maximum Address Size 16 bytes
Maximum Message Size 63.93 KB (65,467 bytes)
Message Oriented Yes
Minimum Address Size 16 bytes
Pseudo Stream Oriented No
Supports Broadcasting Yes
Supports Connect Data No
Supports Disconnect Data No
Supports Encryption No
Supports Expedited Data No
Supports Graceful Closing No
Supports Guaranteed Bandwidth Yes
Supports Multicasting Yes

The Symantec Network dispatch driver is ccProxy and as you saw in the Gmer, it is still loading.

Locate and remove the SYMTDI.SYS file, or run LSPfix http://www.cexx.org/lspfix.htm and see if it will remove it.

Tallon41

[kamkam1]

Thank you for your answers, but the owner of the notebook decided to format hdd and reinstall windows yesterday. That should do the job;)