Unable to access internet - safe mode access is ok, network is ok, Computer was infected then cleaned Options

[Doctor Spaceman]

Hi all, thanks for taking the time to help. I have a laptop (Dell E1505 running Windows XP Media Center edition) from a friend who asked me to take a look at it for her. She knows she caught a virus from a P2P network (I know, I know, P2Ps are bad news). I've cleaned several viruses off using MB's Antimalware and Spybot S&D - both programs now give a clean bill of health. But, I'm still unable to access the internet when booting into Windows normally. Safe mode internet access is OK, so I'm thinking something is getting loaded during the normal boot process that's causing network problems. I can ping my router, and I can resolve DNS (example pinging www.cox.com is ok). I've tried accessing the net with both Safari and IE with no luck. Turning off browser extensions and resetting settings to default in IE makes no difference. Also, don't know if this is related but logging into Windows takes a while, probably about 5 minutes from clicking OK on the login screen to bring up the desktop and icons. Any suggestions? HJT logs available on request. Thanks again for any help.

[nigglesnush85]

Hello,

The event viewer may give some more information.

1. Click Start select run
2. Type eventvwr.exe
3. Press enter
4. Search through the groups for errors and warnings.
5. Double click on each error and or warning.
6. Locate the copy to clipboard button, (under the two arrows)
7. Let us know what you find. (paste the results)

You could also try getting a second opinion in the form of some free online virus scanners.

1.Eset
2.Kaspersky
3.Bitdefender
4.Panda
5.McAfee

[Doctor Spaceman]

Ok, so I took your advice and ran Eset in Safe Mode which found 4 additional viruses the other scans missed. These were (hopefully) removed. Details below.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSenekartk.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\WINDOWS\system32\ap1394.sys Win32/Rootkit.Agent.NKK trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\Iasv32.dll a variant of Win32/Agent.OYO trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\96a5526e.sys a variant of Win32/Rustock.NIH trojan cleaned by deleting - quarantined

After that I rebooted normally and checked through the event logs - some System errors and a few Application warnings. There were several, but I only copied the ones from the last reboot cycle. Here they are:

System Errors

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 5/31/2009
Time: 11:08:54 PM
User: N/A
Computer: SEASON
Description:
The Automatic Updates service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 5/31/2009
Time: 11:08:54 PM
User: N/A
Computer: SEASON
Description:
The ias service terminated with the following error:
The specified module could not be found.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 5/31/2009
Time: 11:08:54 PM
User: N/A
Computer: SEASON
Description:
The Background Intelligent Transfer Service service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 5/31/2009
Time: 11:04:47 PM
User: NT AUTHORITY\SYSTEM
Computer: SEASON
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 5/31/2009
Time: 11:03:46 PM
User: SEASON\Reason
Computer: SEASON
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Application Warnings

Event Type: Warning
Event Source: MSSQL$MICROSOFTSMLBIZ
Event Category: (8)
Event ID: 19011
Date: 5/31/2009
Time: 11:08:46 PM
User: N/A
Computer: SEASON
Description:
The description for Event ID ( 19011 ) in Source ( MSSQL$MICROSOFTSMLBIZ ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: (SpnRegister) : Error 1355.


Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 5/31/2009
Time: 9:19:16 PM
User: NT AUTHORITY\SYSTEM
Computer: SEASON
Description:
Windows saved user SEASON\Reason registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Thanks

Attached File(s)

 Event_Logs.txt ( 3.35k ) Number of downloads: 1

 

[nigglesnush85]

There are ways to repair some of the damage to the operating system, but until we are 100% sure that all the malware is gone it would be counter productive to go through these steps now. I would recommend that you follow the instructions at http://www.bleepingcomputer.com/forums/topic34773.html

Once the system is completely clean then we can start repairing the damage the malware has done.

[Doctor Spaceman]

Ok, good thinking. I'm posting the logs here since I'm not sure if this machine is infected. If necessary I guess I'll move to the malware removal forum.

Here's the DDS log, and the "Attach" file is attached:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Reason at 19:40:05.35 on Mon 06/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.151 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Reason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hotmail.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2061014
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: Add To Kaboodle - http://www.kaboodle.com/zg/addToKaboodle.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jewel%20Quest%203/Images/stg_drm.ocx
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Madame%20Fate/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll, c:\progra~1\google\google~1\goec62~1.dll,c:\windows\system32\vetidika.dll c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli c:\windows\system32\vetidika.dll

============= SERVICES / DRIVERS ===============

R?2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090303.003\NAVENG.SYS [2009-3-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090303.003\NAVEX15.SYS [2009-3-4 876144]
S1 96a5526e;96a5526e;c:\windows\system32\drivers\96a5526e.sys --> c:\windows\system32\drivers\96a5526e.sys [?]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]
S2 ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 14336]
S3 ap1394;ap1394;\??\c:\windows\system32\ap1394.sys --> c:\windows\system32\ap1394.sys [?]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-8-27 1251720]

=============== Created Last 30 ================

2009-05-30 13:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-30 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-30 12:43 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-30 08:22 24,576 a------- c:\windows\system32\wsupdater.exe
2009-05-30 08:22 24,576 a------- c:\windows\system32\userinit.exe
2009-05-29 20:19 <DIR> --d----- c:\docume~1\reason\applic~1\Malwarebytes
2009-05-29 20:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-29 20:19 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 20:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 20:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-05-30 15:36 420,864 a------- c:\windows\system32\ntvdm.exe
2009-05-30 15:36 420,864 a------- c:\windows\system32\dllcache\ntvdm.exe
2009-03-04 00:00 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2007-01-21 01:49 88 ---shr-- c:\windows\system32\640328C5A8.sys
2007-01-21 01:49 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:40:43.59 ===============


Thanks

Attached File(s)

 Attach.zip ( 3.56k ) Number of downloads: 0

 

[garmanma]

I have moved your Topic that included a HijackThis log to the Misplaced Logs sub-forum. You posted your log in a forum not intended for HijackThis logs analysis. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware anlaysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not.

We understand that dealing with malware issues and getting help can be frustrating but improperly posting a log usually happens if you missed the directions we provide to those who require malware removal assistance. Prior to posting a log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system.

Please complete all the steps in the Guide. If you can't perform a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Prep Guide to post a new log.

Please DO NOT post any more logs to this topic, or post a log again in the wrong forum.

The Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for.

When your new DDS/HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done.

Thanks for your cooperation and good luck.
The BC Staff

[Doctor Spaceman]

Moved to HJT forum:

http://www.bleepingcomputer.com/forums/topic231154.html

[Orange Blossom]

Hello

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible

To avoid confusion, I am closing this topic. Good luck with your log.

The BC Staff